UPS_Invoice email trojan variant claims to be from Customs Service

In the last hour I found in my inbox a variation on the UPS_Invoice trojans of last week. This new email claimed to be from “Customs Service” with the subject “Customs – We have received a parcel for you” and the following text:

Good afternoon,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,

Rolland Hanna

Your Customs Service

This content was so close to the UPS_Invoice one that it seems obvious it originates from the same source.

Follow up post about UPS_Invoice trojan

I’ve now had a chance to take a slightly closer look at the four copies of this Trojan Agent HFU that I received in the last 24 hours, as discussed in my previous post here. I’ve posted some details of file names and sizes along with MD5 hashes for people to be able to compare their versions against.

UPS_Invoice.exe trojan received by email

This lunchtime I received an email as follows:

From: United Parcel Service [someone@not_ups.com]

Subject: UPS Paket N2410170593

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

Attachment: UPS_Invoice_317.zip

Of course this was extremely suspicious. I had no recent dealings with UPS, the email clearly did not really come from them anyway (it was not even spoofed to appear to be from their domain), and why on earth would they need to send me a file, let alone a zipped one? The misspelling in the subject also smelled of an automated message (although Paket is the correct spelling for the German word for packet). I smelled malware and wanted to find out more.
