Fatal attraction: Latest "delivery notice" trojan spews forth
The incoming message claims that DHL attempted delivery of a package on March 14 and instructs recipients to click on a link to print out an invoice needed to retrieve the package from the DHL office.
Users who fall for the ploy and click on the link instead download a malicious trojan, Troj/Agent-JJP, onto their computer. The file, contained inside dhl_n756512[dot]zip, establishes connections to remote hosts via port 80. The hackers are then able to download a cocktail of further malware, as well as trigger phoney security alerts in Internet Explorer that deliver pop-up advertisements for rogue security apps.
"It's actually very similar to what we've seen before," said Graham Cluley, senior technology consultant at Sophos, a Boston-based vendor of multiple threat protection, in an email to SCMagazineUS.com on Friday. "It's just a new variant of the trojan horse that some computer users may not be stopping with their particular anti-virus. It stood out for us today simply because we have seen it in such high quantities."
The spam arrives with the subject line: "DHL Tracking number," but each recipient receives their own randomly generated reference number.
Sam Masiello, vice president of information security at MX Logic, an Englewood, Colo.-based provider of managed email and web security services, has also been tracking fake invoice email over the past few months. "All three of the major shipping companies (UPS, FedEx and DHL) have been targeted by spammers with similar 'fake invoice' scam emails being sent out to look like they are from the shippers," he wrote in an email to SCMagazineUS.com on Friday.
Shipping companies haven't been the only targets in these types of scams, he added. Several major airlines (Delta, Continental, United, Lufthansa and Northwest Airlines) have been targeted in emails that thanked recipients for purchasing their ticket online and attached what was supposedly either a copy of their receipt or a boarding pass.
"In either case, the attachment was a piece of malware that would open a backdoor to the user's PC and would download malicious code from the internet," said Masiello.
These trojans are your typical "open a backdoor, download software, and use the PC to send out more spam" types of trojans, he said. "There aren't additional payloads, such as keyloggers, that can be used for further identity or information theft, for example. They aren't using some of the newer technologies that botnets, like Conficker, are using to help make their networks more resilient to infiltration and takedown."
Each new variant is modified enough from the previous ones so that the anti-virus engines must generate new signatures for them, but their basic structure is the same, Masiello told SCMagazineUS.com.
"Chances are that this is a professional, financially motivated hacker or gang of hackers who is using a botnet to spam out these malicious emails en masse," Sophos' Cluley told SCMagazineUS.com. "They are relying on the curiosity of users, who may not be able to resist opening the attachment to find out what's going on. And, of course, if they do that, they will become infected and at the mercy of the hackers."
As to what can be done to stop the invasion, Cluley said: "Keep your anti-virus software up-to-date, ensure you have a secure firewall and the latest patches and – most of all – take a large spoonful of common sense with your breakfast each morning."
Computer users should always be extremely suspicious of unsolicited email attachments, Cluley added. "This is a classic trick used by hackers, and sadly it fools too many people on a regular basis," he said.
MX Logic's Masiello added that users should remember that legitimate transactional email, whether from a shipping company, an airline or anyone else, refers to the specifics of the transaction (not the general terms used in these scams) and arrives in a consistent, recognizable format.
"If someone who receives these emails either did not conduct business with the company that is being spoofed in these messages or does not recognize the format of the email they are being sent, they should delete it immediately," Masiello advised.
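The indicators described above (a shipper-branded "tracking number" subject, a zip attachment named like dhl_n756512.zip, an "invoice" lure and generic wording in place of transaction details) can be turned into a simple mail-filter heuristic. The following is an added example, not code from Sophos, MX Logic or SC Magazine; the sample messages, sender domains and the `shipper_n<digits>.zip` filename pattern are constructed assumptions modelled on the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages modelled on the campaign in the article;
# the sender domains use .example and are not real captured mail.
SHIPPER_RE = r"(dhl|ups|fedex)"
SUBJECT_RE = re.compile(rf"\b{SHIPPER_RE}\b.*\btracking\b", re.I)
# Filename pattern assumed from the one sample name dhl_n756512.zip
ATTACHMENT_RE = re.compile(rf"^{SHIPPER_RE}_n\d+\.zip$", re.I)
LURE_RE = re.compile(r"\b(print|open)\b.*\binvoice\b", re.I)

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def score_message(msg: Message) -> list[str]:
    """Return the list of heuristics the message triggers (empty if none)."""
    hits = []
    subj = SUBJECT_RE.search(msg.subject)
    if subj:
        hits.append("shipper-branded tracking subject")
        # Claimed shipper in the subject but the sender domain does not name it
        domain = msg.sender.rsplit("@", 1)[-1].lower()
        if subj.group(1).lower() not in domain:
            hits.append("sender domain does not match claimed shipper")
    for name in msg.attachments:
        if ATTACHMENT_RE.match(name):
            hits.append(f"shipper-named zip attachment: {name}")
    if LURE_RE.search(msg.body):
        hits.append("print/open invoice lure")
    # Real transactional mail addresses the customer by name and cites the
    # transaction; a generic salutation is the article's "general terms" tell.
    if "dear customer" in msg.body.lower():
        hits.append("generic salutation")
    return hits

def is_suspicious(msg: Message, threshold: int = 3) -> bool:
    """Flag when several independent indicators coincide, not on any single one."""
    return len(score_message(msg)) >= threshold

SAMPLES = [
    Message("mail@bulk-sender.example", "DHL Tracking number 4471932",
            "Dear customer, we attempted delivery on March 14. Please print "
            "the invoice to retrieve your package from the DHL office.",
            ["dhl_n756512.zip"]),
    Message("noreply@dhl.example", "Your DHL shipment 1234567890 has been delivered",
            "Hello Jane Doe, your shipment 1234567890 to 12 Main St was "
            "delivered at 10:42 today."),
]
```

Running `score_message` over the two samples returns five hits for the constructed lure and none for the constructed legitimate notice; the threshold keeps a single coincidental match (a real tracking email with a zip receipt, say) from being flagged.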