“Shipping Confirmation” Malware on the Rise

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

fraudemail_cropAs autumn approaches, the world typically sees an increase in the number of online shopping trips, as people take advantage of bargains from late-year sales, and prepare for various holidays. And, right on cue, we’re also seeing an increase in the number of Trojans distributed in the guise of “shipping confirmation” email messages. And these Trojans are packing a triple threat of backdoors designed to steal logins and take command of infected PCs.

The Trojan arrives attached to a vaguely-worded email message thanking the recipient for their order of a high-ticket item. Previous versions of this same kind of message were crafted as though the message source was one of the major shippers, such as FedEx, UPS, DHL, or the US Postal Service, and the message (purportedly) contains tracking information.

fraudemail_fileBut these new versions appear to come directly from an online retailer, with attached files in the form of a zip archive containing an executable with an icon that makes it look like an Office document, such as an Excel spreadsheet. These email messages also imply that the document contains tracking information, but they give the user an extra nudge to open the file by telling the user to “print the label to get your package.”

Um, wait, what? Why would I need to print a label to receive a package? That makes no sense whatsoever. Do the malware authors think we’re dumb, or what? No, don’t answer that, because we’re not dumb. They’re using psychology against us.

The effectiveness of a trick like this comes from the wide range of possible reasons someone might have to justify opening the attachment when they see this kind of email drop in. Whether you want to claim a gift you think you’ve received from someone, you’re worried you might be a victim of fraud, want to be helpful and tell the retailer that they got the wrong email address, want to claim this mistaken order for an expensive gift as your own, or just be nosy and want to see what someone else ordered from a store, the initial reaction of many people is going to be the same: Open the file and take a look inside.

Wrong move. Once you’ve done that, it unleashes its payload on your PC. And this payload is a doozy: It includes three separate backdoors, Trojan-Backdoor-Progdav (aka Zeus, one of the most widely distributed backdoors on infected computers); Trojan-Backdoor-Stinkbreath (aka BredoLab); and Trojan-Glecia, a browser-hijacking keylogger which appeared for the first time earlier this year (and refers to itself in the Registry as “Microsoft Online Helper!“). With helpers like these, who needs enemies?

The installation of any of these permits the person behind this scheme remotely operate your computer (to engage in other criminal activity, send spam, and/or steal passwords); All three on a single computer is a recipe for disaster. In effect, the malware distributor behind this is ramping up to earn some serious holiday income—at your expense.

The installers we’ve seen aren’t actual Excel spreadsheets performing some sort of novel exploit against Office applications; Typically, it’s just a regular application, with a .exe extension, with the file modified to use an Excel document icon. That is about the oldest trick in the Social Engineering book, dating back to Windows 9x days. But since many people, even in the Windows Vista era, still don’t have their computer set up to view file extensions, it’s easy to be fooled. To make sure you can see file extensions on your PC, choose the Folder Options item from the Tools menu in any Explorer window. Click the View tab, uncheck the “Hide extensions for known file types” option, then click OK.

Bottom line, you should never open any attachment you’re not expecting to receive, and you should never open any executable program that’s been attached to an email, period. The bad guys behind this scheme want to make this a fantastically lucrative holiday for themselves, no matter what it costs you. Don’t give them the satisfaction, or the opportunity.
wordpress blog stats

7 thoughts on ““Shipping Confirmation” Malware on the Rise

  1. Pingback: Twitter Trackbacks for “Shipping Confirmation” Malware on the Rise « Webroot Threat Blog [webroot.com] on Topsy.com

  2. Pingback: A Look Back at the Worst Infections of 2009 « Webroot Threat Blog

  3. Pingback: Cover Your Assets on Data Privacy Day « Webroot Threat Blog

  4. Pingback: This PC Will Self-Destruct in Ten Seconds « Webroot Threat Blog

  5. Pingback: Trojan Masquerades as iTunes Gift or Résumé « Webroot Threat Blog

  6. Never new that about malware being a seasonal thing! Good to know about these phony attachments that are really trojans. One fo the reasons I stick to amazon for most of my stuff!

  7. Pingback: Hey Malware Guy: Just What the Heck Am I Supposed to Do With This? « Webroot Threat Blog

Join the Conversation

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s