Debunking email hoaxes and exposing Internet scams since 2003!

Hoax-Slayer Logo Hoax-Slayer Logo

Home    About    New Articles    RSS Feed    eBook    Contact
Bookmark and Share

Error in Shipping Address Trojan Email

Email, purporting to be from a parcel delivery service claims that a package could not be delivered due to a shipping address error and instructs the recipient to open an attachment to print out a shipping label (Full commentary below).

Attachment contains a malicious computer trojan

Example:(Submitted, October 2009)
Subject: DHL Services. You should get the parcel NR.41121


The courier company was not able to deliver your parcel by your address. Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you,
DHL Delivery Services.

This email, which purports to be from international shipping and delivery company, DHL, claims that a parcel could not be delivered to the recipient due to an error in the shipping address. It instructs the recipient to open an email attachment that supposedly contains a shipping label which the recipient can then use to pick up the parcel in person at a post office.

However, the message is not from DHL and the claim that the delivery of a parcel failed due to an address error is untrue. There is no parcel. In fact, the message is simply a trick designed to fool recipients into installing a trojan on their computer. Those who open the attached file, in the erroneous belief that they can thus access a shipping label for their "parcel", will actually be launching a copy of the Bredolab Trojan. Once installed, the trojan is able to download and install other malware components such as keyloggers and password stealers and allow Internet criminals to control the compromised computer from afar.

Users should be very cautious of any emails that claim a delivery has been delayed and that they should open an attachment to view a shipping label, a delivery invoice or other details about the supposed delivery. If you receive an email that makes such a claim, do not open any attachments that may arrive with the message. Do not click on any links in the email. As well as delivering malicious payloads via email attachments, malware distributors may also attempt to trick users into clicking a link in an email that downloads a trojan from a malicious website.

Very similar malware emails may name delivery services other than DHL. In fact, Internet criminals have used similar tactics in the past. In 2008, a widely distributed series of malware emails claimed that a package supposedly being handled by United Parcel Service (UPS) could not be delivered due to an address error. Attachments that came with these bogus UPS emails also contained a trojan.

Internet users should also be aware that the Bredolab Trojan is being delivered via emails unrelated to parcel delivery services. As shown in the example below, some Bredolab malware emails claim to be confirmation messages supposedly pertaining to a product recently purchased via the Internet. As with the DHL variant, attachments to the emails contain the Bredolab Trojan:
Dear Customer!

Thank you for placing your order at our internet store. Your order: Sony VAIO VGC-LV290J, was sent at your address. The tracking number of your postal parcel is indicated in the document attached to this letter. Please, print out the postal label for receiving the parcel.
Online store.
Other versions, which falsely claim to be from social networking website Facebook, try to trick recipients into opening an attachment which supposedly contains a new Facebook password. Again, the attachments actually harbour copies of the Bredolab Trojan.

Not Able to Deliver UPS Package Malware Email
Bredolab Trojan Being Spread Through Fake Emails
Facebook Password Reset Confirmation Trojan Email

Last updated: 29th October 2009
First published: 29th October 2009

Write-up by Brett M. Christensen