A Sample of the "DHL Ship Notification Service" Malicious Email
From: "Express Mail" firstname.lastname@example.org
Date: May 3, 2013, 11:32:13 PM EST
Subject: Ship Notification Service
Reply-To: "Express Mail" email@example.com
If the links are not working, please move message to "Inbox" folder.
DHL PACK STATION
DHL Ship Shipment Notification
On May 1, 2013 a shipment label was printed for delivery.
The shipment number of this package is 77390249.
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
Get Shipment Info
2) Enter the shipment number on tracking page:
For further assistance, please call DHL Customer Service. For International Customer Service, please use official DHL site.
This message was created by DHL Ship, a product of DHL, at the request of the sender. No authentication of email address has been performed.
Deutsche Post DHL 2013 DHL International GmbH. All rights reserved.
Clicking on any of the links in this email message will take the recipients to the following website:
- www.dupreezvanwyk .co.za/ images/index.php?info=845_1340062607
It appears that the website was hacked and the malicious web page "/images/index.php" was placed on it. The page will automatically download the zip file "Shipping-Detail.zip" that contains the malicious Trojan horse "Shipping Detail.exe".
The file "Shipping Detail.exe" was scanned at http://virustotal.com and the following antivirus software detected the Trojan horse (listed as antivirus - threat name):
- Avast - Win32:Crypt-OQO [Trj]
- ByteHero - Trojan.Malware.Obscu.Gen.004
- ESET-NOD32 - a variant of Win32/Kryptik.AYMJ
- Fortinet - W32/Kuluoz.ABY!tr.dld
- GData - Win32:Crypt-OQO
- Kaspersky - Trojan-Downloader.Win32.Dofoil.pog
- Malwarebytes - Trojan.Downloader
- McAfee - Artemis!F27B3B05B52B
- McAfee-GW-Edition - Heuristic.BehavesLike.Win32.Suspicious-BAY.K
- Sophos - Mal/Weelsof-D
- VIPRE - Trojan.Win32.Kuluoz.b (v)
Recipients of the malicious email message should delete it and should not click on its links or open the downloaded file. Recipients of email notifications from an organization should go directly to that organization's website and view the information there, instead of clicking on the links in the message. Therefore, recipients of email messages similar to the one above should always go directly to DHL's website at http://www.dhl.com/ and track their shipment from there.
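As an added, defender-side example (not part of the original alert, and not DHL's or VirusTotal's code), the following Python script applies the signals visible in the sample above to a constructed copy of the message: a Reply-To domain that differs from the From domain, a DHL-branded body whose only link leaves for a host that is not a DHL domain, and a server-side script sitting in a directory that normally holds static files such as "/images/". The addresses and the link hostname are placeholders, and the brand-domain list and static-directory list are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the notification above (not the original
# message): the addresses and the link hostname are placeholders.
SAMPLE_EMAIL = """\
From: "Express Mail" <notify@example.org>
Reply-To: "Express Mail" <reply@example.com>
Subject: Ship Notification Service
Content-Type: text/html

<html><body>
<p>DHL Ship Shipment Notification</p>
<p>The shipment number of this package is 77390249.</p>
<p>1) Click the following URL in your browser:
<a href="http://compromised-site.example/images/index.php?info=845_1340062607">Get Shipment Info</a></p>
</body></html>
"""

# Assumed list: brands a recipient might expect mail from, with the domains
# that legitimately send it.
BRAND_DOMAINS = {"dhl": ("dhl.com", "dhl.de")}

# Assumed list: directories that normally hold static content. A server-side
# script placed there is a common trace of a compromised website.
STATIC_DIRS = ("/images/", "/img/", "/css/", "/js/", "/uploads/")
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".cgi")


def address_domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def host_matches_brand(host, brand_domains):
    """True when host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def extract_links(html):
    """Pull href targets out of a simple HTML body."""
    return re.findall(r'href="([^"]+)"', html)


def analyse(raw_message):
    """Run the three checks on a raw message; return a list of (check, detail)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part message, so this is the HTML text
    text = (msg.get("Subject", "") + " " + body).lower()
    findings = []

    # 1. Replies are routed to a different domain than the visible sender.
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} vs {reply_dom}"))

    brands_claimed = [b for b in BRAND_DOMAINS if b in text]
    for link in extract_links(body):
        url = urlparse(link)
        host = (url.hostname or "").lower()
        path = url.path.lower()

        # 2. The body invokes a brand, but the link points at an unrelated host.
        for brand in brands_claimed:
            if not host_matches_brand(host, BRAND_DOMAINS[brand]):
                findings.append(("brand_link_mismatch", f"{brand}: {host}"))

        # 3. A server-side script living in a static-content directory.
        if path.endswith(SCRIPT_EXTS) and any(path.startswith(d) for d in STATIC_DIRS):
            findings.append(("script_in_static_dir", path))

    return findings


if __name__ == "__main__":
    for check, detail in analyse(SAMPLE_EMAIL):
        print(f"{check}: {detail}")
```

Each check on its own is only a heuristic (legitimate mailers sometimes set a different Reply-To, and some brands send from several domains), so the findings are meant to feed a mail-gateway score or a triage queue rather than to block outright; the brand-domain list is the part that needs maintaining for each organisation the recipients actually deal with.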
Note: Some of the information in samples on this website may have been impersonated or spoofed.