Fake UPS Invoices Target Business Professionals


This afternoon, a Purewire employee received an email that claimed to be from UPS:

From: United Parcel Service of America [mailto:vfgcq@boeme.com]
Sent: Friday, May 29, 2009 2:48 PM
To: < redacted >@purewire.com
Subject: Postal Tracking #VERFP82389JC2GF

Hello!

We were not able to deliver postal package you sent on the 14th of May in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

The email was accompanied by a zip file attachment that (according to the email) was an “invoice”. The file in the archive even had a Microsoft Excel icon.

[Image: “Invoice” Icon]

However, the file was not an Excel document, but a malicious executable. If the user’s operating system was configured with default settings (as in the picture above), they would not have known the file actually ended in .exe.
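Windows hides the extension of known file types by default, so a member named `invoice.xls.exe` is shown as `invoice.xls` with the Excel icon. A mail gateway can catch this before the user ever sees the icon by looking at the archive itself rather than at the name it displays. The following is an added example for this post, not Purewire's code: it opens a zip attachment, flags members whose last extension is executable, members that stack a document extension in front of an executable one, and members whose content starts with the PE `MZ` header regardless of name. The sample archive it builds is constructed to mirror the described attachment; the extension lists are illustrative.

```python
"""Flag archive members that are executables masquerading as documents.

Added example, not Purewire's code. The archive built by
build_sample_archive() is constructed for the demonstration.
"""
import io
import zipfile

# Extensions Windows runs as native code or script (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient expects on a harmless document.
DOCUMENT_EXTS = {".xls", ".doc", ".pdf", ".txt", ".rtf", ".csv"}


def split_exts(name: str) -> list:
    """All extensions of a file name, lowercased: 'a.xls.exe' -> ['.xls', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_archive(data: bytes) -> list:
    """Return one finding per suspicious member: {'name': ..., 'reasons': [...]}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_exts(info.filename)
            last = exts[-1] if exts else ""
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {last}")
            # The 'invoice.xls.exe' pattern: a document extension hiding an executable one.
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                reasons.append(f"document extension {exts[-2]} hides {last}")
            # Content check: a PE file starts with the DOS 'MZ' header whatever it is called.
            head = zf.open(info).read(2)
            if head == b"MZ":
                reasons.append("PE (MZ) header")
                if last not in EXECUTABLE_EXTS:
                    reasons.append("PE content behind a non-executable name")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any member of the archive looks like a disguised executable."""
    return bool(inspect_archive(data))


def build_sample_archive() -> bytes:
    """Constructed sample zip resembling the described 'invoice' attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub: only the 'MZ' header matters for this check.
        zf.writestr("invoice.xls.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("README.txt", b"benign text")
        # PE content behind a .pdf name: caught by the header check alone.
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The header check is the one that matters at a gateway: renaming the file defeats the extension tests, but a PE file still has to start with `MZ` for Windows to run it.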

This email (and the corresponding file) is an example of a social engineering attack, which attempts to trick the user into compromising their own system. If an unsuspecting user attempted to “view” the above file, they would actually infect their system with bot malware. In this case, the bot uses HTTP to communicate with a Command and Control (C&C) server located in Ukraine:

hxxp://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=1826882368&rnd=8520045

and then proceeds to download additional malware:

hxxp://bklinkov.ru/files/dfi.exe
hxxp://bklinkov.ru/files/ok1.exe

which can be used for any number of illicit purposes. Business professionals should be increasingly wary of suspicious emails that conveniently relate to their work (e.g., sending packages as part of their day-to-day activities), as these kinds of attacks have been specifically created for them.
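The beacon above has a recognisable shape: a `controller.php` request carrying `action=bot` together with the bot identity fields `uid`, `guid` and `rnd`, followed by plain HTTP downloads of `.exe` files from a second host. That shape is easy to detect in a web proxy log, which is also what a service that blocks C&C traffic is matching on. The following is an added example, not Purewire's code: it classifies each proxy log line as a beacon, an executable download, or nothing, then gives each client a verdict (a client that beaconed is "infected"; a bare executable download is only "review"), and collects the hosts to block. The log format and the sample lines are constructed; the URLs in them mirror the indicators quoted in the post.

```python
"""Spot C&C beacons and follow-on executable downloads in proxy logs.

Added example, not Purewire's code. The log format is constructed as
"<time> <client> <method> <url> <status>"; SAMPLE_LOG is constructed too.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Beacon signature taken from the request quoted in the post: action=bot plus
# the identity fields the bot fills in. Values may be blank, so keep them.
BEACON_REQUIRED = {"action": "bot"}
BEACON_ID_FIELDS = {"uid", "guid", "rnd"}
PAYLOAD_EXTS = (".exe", ".scr", ".dll")

SAMPLE_LOG = """\
2009-05-29T14:52:01 10.1.2.3 GET http://dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=1826882368&rnd=8520045 200
2009-05-29T14:52:02 10.1.2.3 GET http://bklinkov.ru/files/dfi.exe 200
2009-05-29T14:52:03 10.1.2.3 GET http://bklinkov.ru/files/ok1.exe 200
2009-05-29T14:53:10 10.1.2.9 GET http://www.ups.com/tracking/tracking.html 200
2009-05-29T14:53:11 10.1.2.9 GET http://example.com/download/setup.exe 200
"""


def classify(url: str) -> Optional[str]:
    """'beacon', 'exe_download' or None for a single requested URL."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if all(qs.get(k) == [v] for k, v in BEACON_REQUIRED.items()) and BEACON_ID_FIELDS.issubset(qs):
        return "beacon"
    if parts.path.lower().endswith(PAYLOAD_EXTS):
        return "exe_download"
    return None


def analyze(log_text: str) -> dict:
    """Per client: beacon events, download events and a verdict.

    A client that beaconed is 'infected'; one that only fetched an executable
    is 'review', since software installs also look like that.
    """
    clients = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        kind = classify(url)
        if kind is None:
            continue
        rec = clients.setdefault(client, {"beacons": [], "downloads": [], "verdict": "clean"})
        event = (ts, urlsplit(url).hostname, url)
        (rec["beacons"] if kind == "beacon" else rec["downloads"]).append(event)
    for rec in clients.values():
        if rec["beacons"]:
            rec["verdict"] = "infected"
        elif rec["downloads"]:
            rec["verdict"] = "review"
    return clients


def cnc_hosts(clients: dict) -> set:
    """Hosts to block: every beacon target, plus download hosts of infected clients."""
    hosts = set()
    for rec in clients.values():
        for _ts, host, _url in rec["beacons"]:
            hosts.add(host)
        if rec["verdict"] == "infected":
            for _ts, host, _url in rec["downloads"]:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, rec in result.items():
        print(client, rec["verdict"], len(rec["beacons"]), "beacons", len(rec["downloads"]), "downloads")
    print("block:", sorted(cnc_hosts(result)))
```

Tying the download to a preceding beacon from the same client is what keeps the false positives down: `10.1.2.9` fetched an installer and lands in "review", while `10.1.2.3` beaconed first and its download hosts go straight onto the block list.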

PWSS customers are protected from the above threat even if they are infected, as all C&C communications are blocked by the service.
