Taking delivery of an unexpected package containing gifts is one of the joys of the holiday season. Missing a package delivery is one of the frustrations of the season. So, an email headed "Failed Package Delivery" is a good way for scam artists and malware distributors to get your attention. In this post I examine a recent example of the "failed package delivery" malware attack.
Take a look at this email that showed up in my Inbox a couple of days ago. The subject was Important Notice: Failed package delivery! and the sender appeared to be Canada Post using the email address tracking at canadapost.ca.
The spelling and formatting were quite professional (possibly copied from an actual notice that Canada Post sends to customers). The instructions included two URLs.
Clicking the first URL took me to the Canada Post website and a form that I needed to complete to arrange for a second delivery attempt.
The second URL looked just as legitimate as the first but was in fact deceptive. Some simple HTML coding was used to display the destination as canadapost.ca while masking the true destination, an IP address that appears to belong to a shared hosting service in Houston, Texas. Of course, some users who click on this link will get a warning from their email application, such as the one seen here from the aging but trusty Eudora.
The link was not to a web page but to a .pif file, the name of which was created by prefixing the receipt number in the email with the letters trk. In this case the name was trkRB090827415HK.pif which could seem plausible to a consumer who is eager to get his holiday package and unaware of what a .pif file can do when opened.
Veteran users of Windows will know that a program information file (PIF) is generated "when you create a shortcut to, or modify the properties of, an MS-DOS-based program" (Microsoft Windows XP documentation). In other words, a PIF file can be crafted to run a program when a user tries to open it. The program that runs when you try to open this bogus Canada Post receipt is a Trojan which will then try to download other malware to your computer (ESET detects this malware as Win32/TrojanDownloader.Agent.QXN).
Many computer users today have several layers of protection in place to prevent malware spreading like this, including deceptive URL detection and antimalware programs. However, not everyone is using these precautions and the professional styling of this attack, combined with a message that leverages the excitement of the holiday season, make this a potent attack vector. Consumers and CISOs alike should be alert for similar attacks abusing package delivery services like the U.S. Postal Service, UPS, and Fedex.
Author Stephen Cobb, ESET