- Jan 24, 2011
According to Belgian email security provider MX Lab, the rogue emails bear the subject "Post Express Service. Package is available for pickup! NR1535" and come from a spoofed address.
The message contained within is consistent with traditional package delivery failure alerts that have been used by malware distributors before.
"Your package has been returned to the Post Express office. The reason of the return is 'Incorrect delivery address of the package'.
"Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the Post Express office in order to receive the packages."
The emails are signed by "Post Express Service," but the only service with that name that we could identify is located in Serbia.
It wouldn't be far-fetched for cybercriminals to target Serbian users, especially with Trend Micro recently reporting that the highest number of SpyEye infections are located in Poland and not in the US or UK, as one would expect.
The archive attached to the rogue emails is called Post_Express_Label_85211.zip (the number can differ), and contains an executable file.
The executable currently has a below-average detection rate on VirusTotal, with only 16 of 43 antivirus engines picking it up as malicious.
Source
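The indicators described in the article (the spoofed "Post Express Service" subject, the Post_Express_Label_NNNNN.zip attachment, and an executable inside it) can be turned into a simple mail-gateway check. The script below is an added example, not code from the article or from MX Lab; the sample message and its dummy ZIP payload are constructed here and carry no real malware.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the campaign description: a subject ending in an
# "NR<digits>" tag, and a ZIP attachment named Post_Express_Label_<digits>.zip
# that carries an executable.
SUBJECT_RE = re.compile(r"Post Express Service\. Package is available for pickup! NR\d+")
ATTACHMENT_RE = re.compile(r"^Post_Express_Label_\d+\.zip$", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")

def zip_contains_executable(data: bytes) -> bool:
    """Return True if any member of the ZIP archive has an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(EXECUTABLE_EXTS) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all; other rules still apply

def score_message(raw: bytes) -> list:
    """Return the list of campaign indicators matched by a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append("attachment-name")
        if name.lower().endswith(".zip") and zip_contains_executable(part.get_payload(decode=True)):
            hits.append("zip-with-executable")
    return hits

def build_sample() -> bytes:
    """Constructed sample message mimicking the campaign (harmless dummy payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Post_Express_Label_85211.exe", b"not a real program")
    msg = EmailMessage()
    msg["From"] = "Post Express Service <noreply@example.invalid>"  # spoofed sender, constructed
    msg["Subject"] = "Post Express Service. Package is available for pickup! NR1535"
    msg.set_content("Your package has been returned to the Post Express office.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Post_Express_Label_85211.zip")
    return bytes(msg)
```

A message that matches all three indicators should be quarantined; a ZIP-with-executable hit alone is still worth flagging, since the filename digits and subject tag vary between waves.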