Threat Outbreak Alert: Fake DHL Express Tracking Notification E-mail Messages on April 22, 2013

Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 26262
Version: 19
First Published: 2012 June 27 20:46 GMT
Last Published: 2013 April 23 13:42 GMT
Port: Not Available
Urgency: Possible Use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Cisco Security Intelligence Operations has detected significant activity on April 22, 2012.

Description
 
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a DHL Express tracking notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view detailed information. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID4294 and RuleID4294KVR) may contain the following files:

DHL_ONLINE_SHIPPING_PREALERT_8990647UZAHNKWD.zip
Online-Details-DHL.exe
DHL_ONLINE_SHIPPING_PREALERT_2QJ5CQG8DH.zip
ONLINE-DHL-Details.exe
DHL_DELIVERY_ADDITIONAL_MESSAGE_FROM_SHIPPER-awb_007226349.zip
DHL-Delivery.exe
DHL_ONLINE_SHIPPING_PREALERT_406NFJBI3E.zip
DHL-ONLINE-PREALERT.exe
DHL_DELIVERY_ADDITIONAL_MESSAGE_FROM_SHIPPER-awb_007226349.zip
DHL_DELIVERY_ADDITIONAL_MESSAGE_FROM_SHIPPER-AWBN313539568.zip
DHL_DELIVERY_ADDITIONAL_MESSAGE_FROM_SHIPPER.exe
DHL-DELIVERY_MESSAGE_awb001694078.zip
DHL-DELIVERY_MESSAGE_07312012.exe
DHL-DELIVERY_MESSAGE_awb375367350.zip
DHL-DELIVERY-MESSAGE-07312012.exe
DHL-Online-Notification_awb013821447.zip
DHL-Online-Notification.exe
DHL-EXPRESS-DELIVERY-NOTIFICATION-6842123155.zip
DHL-EXPRESS-DELIVERY-NOTIFICATION.exe
Express-Delivery-Notification-13_Aug_12_0OL043K3E7.zip
DHL-Express-Delivery-Notification_13_Aug_2012.exe
DHL_ProView_monitor_shipment_AWB6927529508.zip
DHL_Online_ProView_monitor-082012.exe.exe
Express-Online_Notification_awb2494366834.zip
DHL-Express-Online_Notification.exe
DHL-Express-Delivery-Notification-Aug20124WXRERTGXC.zip
DHL-Express-Delivery-Notification-Aug2012.exe
DHL_Billing_NotificationIN050270300.zip
DHL_Billing_Notification.exe
DHL-Redelivery-Confirmation245797512757.zip
RuleID4294 09-13-2012 Grave_3503eb4fee4a8ac410052d0b80d32165_DHL-Redelivery-Confirmation.exe
DHL doc.zip
DHL doc.exe
Postetikett_Deutsche_Post_AG.zip
Postetikett_Deutsche_Post_AG.exe
DHL_IT_ID72330_120.zip
DHL_IT_ID3473466_234.exe
DHL_REPORT_ID_JDHFJNDGHDF7485.zip
DHL_REPORT_ID_JDHFJNDGHDF7485.exe
Uw recentste DHL_factuur.zip
Uw recentste DHL factuur.pdf.exe
DHL-LABEL-ID-2456-8344-5362-5466.zip
DHL-LABEL-ID-2456-8344-5362-5466.exe

The Online-Details-DHL.exe file in the DHL_ONLINE_SHIPPING_PREALERT_8990647UZAHNKWD.zip attachment has a file size of 174,752 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x88FC9226728D41632476B2F892EA20FF

The ONLINE-DHL-Details.exe file in the DHL_ONLINE_SHIPPING_PREALERT_2QJ5CQG8DH.zip attachment has a file size of 110,080 bytes. The MD5 checksum is the following string: 0xEEB84BF27B30A0C21D33813970BB8099

The DHL-Delivery.exe file in the DHL_DELIVERY_ADDITIONAL_MESSAGE_FROM_SHIPPER-awb_007226349.zip attachment has a file size of 49,152 bytes. The MD5 checksum is the following string: 0x7BE2CC8528661D3B2B10F80B32C93E14

The DHL-ONLINE-PREALERT.exe file in the DHL_ONLINE_SHIPPING_PREALERT_406NFJBI3E.zip attachment has a file size of 142,336 bytes. The MD5 checksum is the following string: 0x0B5E2FF2D004B3AD895941FE4D8BAA7C

The DHL_DELIVERY_ADDITIONAL_MESSAGE_FROM_SHIPPER.exe file in the DHL_DELIVERY_ADDITIONAL_MESSAGE_FROM_SHIPPER-AWBN313539568.zip attachment has a file size of 223,744 bytes. The MD5 checksum is the following string: 0xF8AE2FBD5519749720D77AF960FB026C

The DHL-DELIVERY_MESSAGE_07312012.exe file in the DHL-DELIVERY_MESSAGE_awb001694078.zip attachment has a file size of 270,703 bytes. The MD5 checksum is the following string: 0x447B5A42DE36C2007B77428484242A7D

The DHL-DELIVERY-MESSAGE-07312012.exe file in the DHL-DELIVERY_MESSAGE_awb375367350.zip attachment has a file size of 84,480 bytes. The MD5 checksum is the following string: 0x430416FECFE65B5FB9792A0562DFDC6C

The DHL-Online-Notification.exe file in the DHL-Online-Notification_awb013821447.zip attachment has a file size of 98,304 bytes. The MD5 checksum is the following string: 0xF22B3D48FB7A6562B19C149BC25DB561

The DHL-EXPRESS-DELIVERY-NOTIFICATION.exe file in the DHL-EXPRESS-DELIVERY-NOTIFICATION-6842123155.zip attachment has a file size of 43,008 bytes. The MD5 checksum is the following string: 0x70F9CDF452A631C317462CBCD7D7920C

The DHL-Express-Delivery-Notification_13_Aug_2012.exe file in the Express-Delivery-Notification-13_Aug_12_0OL043K3E7.zip attachment has a file size of 143,872 bytes. The MD5 checksum is the following string: 0xDF9E701E44F7BB5A2B284FFD0EAFA30C

The DHL_Online_ProView_monitor-082012.exe.exe file in the DHL_ProView_monitor_shipment_AWB6927529508.zip attachment has a file size of 66,560 bytes. The MD5 checksum is the following string: 0x7257FA656F4F037699EACCFF71C7D683

The DHL-Express-Online_Notification.exe file in the Express-Online_Notification_awb2494366834.zip attachment has a file size of 49,664 bytes. The MD5 checksum is the following string: 0xA5EE67C08618DAFB4A5D53B17E43E2FB

The DHL-Express-Delivery-Notification-Aug2012.exe file in the DHL-Express-Delivery-Notification-Aug20124WXRERTGXC.zip attachment has a file size of 51,200 bytes. The MD5 checksum is the following string: 0x909D94C19D2B535AAA12991E7D9F3179

The DHL_Billing_Notification.exe file in the DHL_Billing_NotificationIN050270300.zip attachment has a file size of 61,440 bytes. The MD5 checksum is the following string: 0xA393C059E5269784B58EE1742F50555A

The RuleID4294 09-13-2012 Grave_3503eb4fee4a8ac410052d0b80d32165_DHL-Redelivery-Confirmation.exe file in the DHL-Redelivery-Confirmation245797512757.zip attachment has a file size of 63,488 bytes. The MD5 checksum is the following string: 0x3503EB4FEE4A8AC410052D0B80D32165

The DHL doc.exe file in the DHL doc.zip attachment has a file size of 54,272 bytes. The MD5 checksum is the following string: 0xC1EA6B700B78317C3104F3D2712B82C0

The Postetikett_Deutsche_Post_AG.exe file in the Postetikett_Deutsche_Post_AG.zip attachment has a file size of 58,880 bytes. The MD5 checksum is the following string: 0x86C0BD399ADDD50B8F2E45A9102346F3

A variant of the DHL doc.exe file in the DHL doc.zip attachment has a file size of 60,416 bytes. The MD5 checksum is the following string: 0x89A0C2B5BC60D03D20E2BB2C3BE6A2A3

A third variant of the DHL doc.exe file in the DHL doc.zip attachment has a file size of 48,640 bytes. The MD5 checksum is the following string: 0x66A71E4794053669C81B9EA7860908A1

The DHL_IT_ID3473466_234.exe file in the DHL_IT_ID72330_120.zip attachment has a file size of 52,224 bytes. The MD5 checksum is the following string: 0x1CC4F18576D53CD193066A181B14621C

The DHL_REPORT_ID_JDHFJNDGHDF7485.exe file in the DHL_REPORT_ID_JDHFJNDGHDF7485.zip attachment has a file size of 48,128 bytes. The MD5 checksum is the following string: 0x47D6C5EAF83E53C3223D0306E5B23727

The Uw recentste DHL factuur.pdf.exe file in the Uw recentste DHL_factuur.zip attachment has a file size of 128,000 bytes. The MD5 checksum is the following string: 0x936DAA7DC3591D7D8D56E9FB29043C3B

The DHL-LABEL-ID-2456-8344-5362-5466.exe file in the DHL-LABEL-ID-2456-8344-5362-5466.zip attachment has a file size of 57,344 bytes. The MD5 checksum is the following string: 0x85F908A5BD0ADA2D72D138E038AECC7D
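The file names, sizes and MD5 checksums above are the indicators a mail or endpoint team would load into a scanner. The following added example (it is not Cisco's code and not part of this alert) shows one way to consume them: it normalises the alert's `0x`-prefixed MD5 strings, keys the lookup on hash and size together, and hashes the members of a `.zip` attachment in memory rather than extracting them to disk. The `ALERT_INDICATORS` entries are copied from the list above; `CONSTRUCTED_SAMPLE`, `make_sample_zip` and the placeholder bytes they use are constructed for the demonstration and are not malware.

```python
"""Match files and .zip members against the MD5/size indicators published in
this alert. Added example; not Cisco's own tooling."""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    filename: str
    size: int   # bytes, as stated in the alert
    md5: str    # hex digest; the alert writes it with a 0x prefix

# Subset of the indicators published in the alert text above.
ALERT_INDICATORS: List[Indicator] = [
    Indicator("Online-Details-DHL.exe", 174752, "0x88FC9226728D41632476B2F892EA20FF"),
    Indicator("ONLINE-DHL-Details.exe", 110080, "0xEEB84BF27B30A0C21D33813970BB8099"),
    Indicator("DHL-Delivery.exe", 49152, "0x7BE2CC8528661D3B2B10F80B32C93E14"),
    Indicator("DHL doc.exe", 54272, "0xC1EA6B700B78317C3104F3D2712B82C0"),
    Indicator("Uw recentste DHL factuur.pdf.exe", 128000, "0x936DAA7DC3591D7D8D56E9FB29043C3B"),
]

# Constructed indicator for the demo: MD5 of the 5-byte string b"hello".
CONSTRUCTED_SAMPLE = Indicator("DHL doc.exe", 5, "5d41402abc4b2a76b9719d911017c592")


def normalise_md5(value: str) -> str:
    """Accept the alert's '0x...' form or plain hex; return lowercase hex."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError(f"not an MD5 hex digest: {value!r}")
    return v


def build_index(indicators: List[Indicator]) -> Dict[Tuple[str, int], Indicator]:
    """Key on (md5, size): both must agree, so a size coincidence alone never fires."""
    return {(normalise_md5(i.md5), i.size): i for i in indicators}


def match_bytes(data: bytes, index: Dict[Tuple[str, int], Indicator]) -> Optional[Indicator]:
    return index.get((hashlib.md5(data).hexdigest(), len(data)))


def scan_blob(name: str, data: bytes,
              index: Dict[Tuple[str, int], Indicator]) -> List[Tuple[str, Indicator]]:
    """Check a file itself and, if it is a zip, every member, hashed in memory."""
    hits: List[Tuple[str, Indicator]] = []
    direct = match_bytes(data, index)
    if direct:
        hits.append((name, direct))
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Skip directories and refuse to inflate oversized members (zip bombs).
                if info.is_dir() or info.file_size > 50 * 1024 * 1024:
                    continue
                hit = match_bytes(zf.read(info), index)
                if hit:
                    hits.append((f"{name}!{info.filename}", hit))
    return hits


def make_sample_zip() -> bytes:
    """Constructed attachment: a placeholder 'exe' (b'hello') beside a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL doc.exe", b"hello")
        zf.writestr("readme.txt", b"benign placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    index = build_index(ALERT_INDICATORS + [CONSTRUCTED_SAMPLE])
    for path, ind in scan_blob("sample.zip", make_sample_zip(), index):
        print(f"MATCH {path}: {ind.filename} ({ind.size} bytes, md5 {normalise_md5(ind.md5)})")
```

Keying on hash and size together costs nothing and keeps the lookup from firing on the size coincidences that are common among small droppers; the size guard on zip members matters because an attachment scanner that inflates every member blindly is itself a denial-of-service target.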

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: DHL Express Tracking Notification ID J32C5AU1BV7959

Message Body:

Hello Dear,
DHL Express Tracking Notification: Wed, 27 Jun 2012 09:01:44 -0300
Custom Reference: 83977380-WZ5TYO0OM
Tracking Number: H1JU-3682043868
Pickup Date: Wed, 27 Jun 2012 09:01:44 -0300
Service: AIR/GROUND
Pieces: 1
Wed, 27 Jun 2012 09:01:44 -0300 - Processing complete successfully
PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.
Shipment status may also be obtained from our Internet site in USA under hxxp://track.dhl-usa.com or Globally under http://www.dhl.com/track
Please do not reply to this email. This is an automated application used only for sending proactive notifications.
Thanks in advance,
DHL 2012 DHL International Inc.

Or

Subject: DHL Online Shipping Prealert Advisory AWB 542602454

Message Body:

DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY
The following 1piece(s) have been sent via DHL Worldwide Express on Tue, 31 Jul 2012 08:56:16 +0800
via AWB# 825114936
If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
http://www.dhl.com
If you have a Web-enabled mail reader, click the link below to view shipment tracking
details:
hxxp://www.dhl.co.uk/content/gb/en/express/tracking.shtml?brand=DHL&AWB=230147365
SHIPMENT CONTENTS:
Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Thank you for requesting DHL Worldwide Express for your delivery needs

Or

Subject: DHL Online Shipping Prealert Advisory AWB 811882375

Message Body:

DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY
The following 1piece(s) have been sent via DHL Worldwide Express on Tue, 31 Jul 2012 08:35:19 +0000
via AWB# 879424137
If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
http://www.dhl.com
If you have a Web-enabled mail reader, click the link below to view shipment tracking
details:
hxxp://www.dhl.co.uk/content/gb/en/express/tracking.shtml?brand=DHL&AWB=336505287
SHIPMENT CONTENTS:
Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Thank you for requesting DHL Worldwide Express for your delivery needs

Or

Subject: DHL Online Advisory AWB 339142615

Message Body:

DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY
The following 1piece(s) have been sent via DHL Worldwide Express on Tue, 31 Jul 2012 13:42:45 +0100
via AWB# 592370737
If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
http://www.dhl.com
If you have a Web-enabled mail reader, click the link below to view shipment tracking
details:
http://www.dhl.co.uk/content/gb/en/express/tracking.shtml?brand=DHL&AWB=776621131
SHIPMENT CONTENTS:
Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Thank you for requesting DHL Worldwide Express for your delivery needs

Or

Subject: DHL Express Shipping Prealert Advisory

Message Body:

DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY
The following 1piece(s) have been sent via DHL Worldwide Express on Tue, 14 Aug 2012 17:05:00 -0300
via AWB# 0420933298
SHIPMENT CONTENTS:
Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
hxxp://www.dhl.com.au
If you have a Web-enabled mail reader, click the link below to view shipment tracking
details:
http://www.dhl.com.au/content/au/en/express/tracking.shtml?brand=DHL&AWB=1430458300
DHL's online tracking is the fastest way to find out where your shipment is. No need to call Customer Service when we can offer you real-time details of your shipment's progress as it speeds through the DHL Network on the way to its destination
Thank you for requesting DHL Worldwide Express

Or

Subject: DHL Online Advisory AWB 6244256402

Message Body:

DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY
The following 1piece(s) have been sent via DHL Worldwide Express on Tue, 21 Aug 2012 14:48:22 +0800
via AWB# 2341284076
If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at

Or

Message Body:

Dear customer,
Our company's courier was unable to deliver the parcel to your address.
Reason: error in the delivery address.
You can collect the parcel in person at your post office.
The postal document is attached to this letter.
You must print this document in order to receive the parcel at the post office.
Thank you.
DHL Italiano.

Or

Subject: DHL delivery report

Message Body:

Web Version | Update preferences | Unsubscribe
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: London
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global

Or

Subject: (Ticket: DE731-124777001) Incorrect price labeling

Message Body:

Dear Customer!
Thank you very much for your order at OTTO. Further information on your order can be found in the attachment.
Kind regards,
Your OTTO Online Team
You are registered with the following e-mail address: erik-andreas.pieperdd@ruhr-uni-bochum.de
_________________________
OTTO Customer Center · Wandsbeker Str. 3-7 · 41801 Hamburg
Telephone 0180 5212695* · service@otto.de
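The samples share a small set of traits a gateway can key on: a DHL-themed subject in one of a few fixed forms, body text that pushes the reader to "refer to the attached file" or print an enclosed label, and a `.zip` attachment whose only payload is an executable, sometimes behind a double extension such as `.pdf.exe`. The following added example (not Cisco's filtering logic and not part of this alert) turns those traits into a triage function over a standard `email.message.EmailMessage`. Subject patterns and body phrases are taken from the samples above; the extension list beyond `.exe`, the sender addresses, the placeholder attachment bytes and the verdict thresholds are assumptions made for the demonstration.

```python
"""Triage an inbound message against the lure traits described in this alert.
Added example; not Cisco's own filtering logic."""
import io
import re
import zipfile
from email.message import EmailMessage
from typing import Dict, List

# Subject forms observed in the alert's samples.
SUBJECT_PATTERNS = [
    re.compile(r"^DHL Express Tracking Notification ID \w+$", re.I),
    re.compile(r"^DHL (Online|Express) (Shipping Prealert )?Advisory( AWB \d+)?$", re.I),
    re.compile(r"^DHL delivery report$", re.I),
]
# Body phrases observed in the alert's samples.
BODY_PHRASES = [
    "PLEASE REFER TO ATTACHED FILE",
    "Label is enclosed to the letter",
    "Print a label and show it at your post office",
]
# The alert lists only .exe payloads; the other extensions are an assumption.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def is_executable_name(name: str) -> bool:
    return any(name.lower().endswith(ext) for ext in EXECUTABLE_EXT)


def has_double_extension(name: str) -> bool:
    """'factuur.pdf.exe' or 'monitor.exe.exe': a document-looking name that ends in an executable."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXT


def zip_member_names(data: bytes) -> List[str]:
    """List members without inflating them; a bad archive is treated as having none."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def triage(msg: EmailMessage) -> Dict[str, object]:
    reasons: List[str] = []
    subject = msg.get("Subject", "")
    subject_hit = any(p.match(subject) for p in SUBJECT_PATTERNS)
    if subject_hit:
        reasons.append(f"subject matches alert lure: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    body_hit = any(p.lower() in body.lower() for p in BODY_PHRASES)
    if body_hit:
        reasons.append("body asks the reader to open the attached file")
    executable = False
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip"):
            for member in zip_member_names(payload):
                if is_executable_name(member):
                    executable = True
                    reasons.append(f"zip {fname!r} carries executable {member!r}")
                if has_double_extension(member):
                    reasons.append(f"double extension: {member!r}")
        elif is_executable_name(fname):
            executable = True
            reasons.append(f"bare executable attachment: {fname!r}")
    if executable and (subject_hit or body_hit):
        verdict = "quarantine"     # lure text plus executable payload
    elif reasons:
        verdict = "review"         # one trait alone: hold for an analyst
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample_message() -> EmailMessage:
    """Constructed message modelled on the second sample above; the 'exe' bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "DHL Online Shipping Prealert Advisory AWB 542602454"
    msg.set_content("DHL WORLDWIDE EXPRESS\nINBOUND SHIPMENT ADVISORY\n"
                    "SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ONLINE-DHL-Details.exe", b"MZ placeholder bytes, constructed")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_ONLINE_SHIPPING_PREALERT_2QJ5CQG8DH.zip")
    return msg


def build_benign_message() -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Same place as last time.")
    return msg


if __name__ == "__main__":
    for m in (build_sample_message(), build_benign_message()):
        print(m["Subject"], "->", triage(m))
```

The verdict deliberately requires two independent traits before quarantining: DHL-themed subjects occur in legitimate mail, and zips with executables occur in legitimate mail, but the two together with a "see attachment" body is the pattern this alert documents. Anything with a single trait goes to review so a false positive costs analyst time rather than a lost message.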

Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.

Related Links
Cisco Security Intelligence Operations
Cisco Threat Operations Center
Cisco SenderBase Security Network
 
Alert History
 

Version 18, April 17, 2013, 6:08 PM: Cisco Security Intelligence Operations has detected significant activity on April 17, 2012.

Version 17, February 21, 2013, 5:24 PM: Cisco Security Intelligence Operations has detected significant activity on February 21, 2012.

Version 16, November 14, 2012, 6:05 AM: Cisco Security Intelligence Operations has detected significant activity on November 14, 2012.

Version 15, October 12, 2012, 5:48 AM: Cisco Security Intelligence Operations has detected significant activity on October 12, 2012.

Version 14, October 8, 2012, 4:24 PM: Cisco Security Intelligence Operations has detected significant activity on October 06, 2012.

Version 13, October 4, 2012, 10:54 AM: Cisco Security Intelligence Operations has detected significant activity on October 04, 2012.

Version 12, September 13, 2012, 10:38 AM: Cisco Security Intelligence Operations has detected significant activity on September 13, 2012.

Version 11, September 12, 2012, 10:32 AM: Cisco Security Intelligence Operations has detected significant activity on September 12, 2012.

Version 10, August 23, 2012, 11:46 AM: Cisco Security Intelligence Operations has detected significant activity on August 21, 2012.

Version 9, August 21, 2012, 10:33 AM: Cisco Security Intelligence Operations has detected significant activity on August 20, 2012.

Version 8, August 15, 2012, 3:59 PM: Cisco Security Intelligence Operations has detected significant activity on August 14, 2012.

Version 7, August 13, 2012, 2:14 PM: Cisco Security Intelligence Operations has detected significant activity on August 13, 2012.

Version 6, August 9, 2012, 12:48 PM: Cisco Security Intelligence Operations has detected significant activity on August 9, 2012.

Version 5, July 31, 2012, 4:40 PM: Cisco Security Intelligence Operations has detected significant activity on July 31, 2012.

Version 4, July 31, 2012, 3:18 PM: Cisco Security Intelligence Operations has detected significant activity on July 31, 2012.

Version 3, July 11, 2012, 9:02 AM: Cisco Security Intelligence Operations has detected significant activity on July 10, 2012.

Version 2, July 5, 2012, 9:55 AM: Cisco Security Intelligence Operations has detected significant activity on July 5, 2012.

Version 1, July 5, 2012, 12:33 AM: Cisco Security Intelligence Operations has detected significant activity on June 27, 2012.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield, Threat Outbreak Alert, Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service. To register for full access, please visit the IntelliShield trial registration page.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.