Public Service Announcement: Recent Trojan from spoofed DHL E-Mail Address

Be advised: some E-mail service providers are receiving reports that a mass E-mail campaign using a spoofed DHL E-mail address is reaching some corporate mail servers. Myriad Supply also received a security advisory notice from some of our partners. Below is an excerpt from the security advisory that describes the Trojan and the E-mail in some detail:


The messages have their “From” field spoofed to appear as originating from a DHL email address. The subject is “DHL Tracking Number ########” (where # stands for a random letter or digit) and unlike most spam, the content of these emails is relatively well-spelled.

The message, signed by DHL Delivery Services, reads: “Hello! The courier company was not able to deliver your parcel by your address. You may pickup the parcel at our post office personally. The shipping label is attached to this email. Please print this label to get this package at our post office.”

The attached archives are called DHL_INVOICE23.zip and contain a trojan installer. “The file in the ZIP archive uses a double file extension in the form of DHL_INVOICE_23.xls____________________.exe,” Avira [a security software company] researchers explain. This naming scheme, as well as the file's Excel document icon, has the purpose of deceiving users into believing that they are actually opening a document. The series of underscores pushes the .exe extension out of view when the archive file is opened in an unpacking program. At the same time, the .exe part will not be visible in Windows Explorer either, since file extensions are hidden by default.

For now, be VERY wary of E-mails from DHL addresses, and do not open any attachments or links in those E-mails. If you use DHL’s service, go to DHL’s official tracking page at http://www.dhl-usa.com/en/express/tracking.shtml to track your shipment.
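
A mail-gateway or triage check for the naming trick described in the advisory excerpt, as an added example that is not part of the original post or the advisory: it reads only the member names of a ZIP attachment and flags an executable extension hidden behind padding and a decoy document extension. The extension lists, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed lists; tune them to local mail policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}
PAD_CHARS = " _\u00a0"  # characters used to push the real extension out of view
TRAILING_PAD = re.compile(r"[ _\u00a0]{3,}$")


def classify_name(name):
    """Return findings for one archive member name; an empty list means no match."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    real_ext = (dot + ext).lower()
    if not dot or real_ext not in EXECUTABLE_EXTS:
        return []
    findings = ["executable:" + real_ext]
    pad = TRAILING_PAD.search(stem)
    if pad:
        findings.append("padding:%d" % len(pad.group()))
    # Strip the padding, then look for a document extension used as the decoy.
    _, inner_dot, inner_ext = stem.rstrip(PAD_CHARS).rpartition(".")
    if inner_dot and "." + inner_ext.lower() in DECOY_EXTS:
        findings.append("decoy:." + inner_ext.lower())
    return findings


def scan_zip(data):
    """Map each suspicious member name to its findings. Nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        named = ((i.filename, classify_name(i.filename)) for i in zf.infolist())
        return {name: found for name, found in named if found}


def build_sample():
    """Constructed sample: placeholder bytes, names follow the advisory's pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_INVOICE_23.xls" + "_" * 20 + ".exe", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample()).items():
        print(member, findings)
```

A member that reports an executable extension together with a padding or decoy finding matches the disguise the advisory describes and is a reasonable quarantine trigger.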