A wild malware rollercoaster – over 500% increase

The UPS name is once again being used to spread vast amounts of email-attached malware. The last week has seen an extraordinary increase – over 5.5 times the average level before the outbreak. The attack closely resembles the large outbreak reported on at the end of March.

There are numerous versions of the email text – some examples: 

Good afternoon!

Dear Client , Recipient’s address is wrong

Please fill in attached file with right address and resend to your personal manager

With best regards , Your USPS .com Customer Services

Good afternoon!

Dear User , Delivery Confirmation: FAILED

Please print out the invoice copy attached and collect the package at our department

With respect to you , Your UPS Services

GOOD AFTERNOON!

Dear Client , We were not able to delivery the postal package

Please fill in attached file with right address and resend to your personal manager

With Respect , Your UPS .COM

ATTENTION!

DEAR CLIENT , RECIPIENT’S ADDRESS IS WRONG

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT

With best wishes , Your USPS .us Customer Services

These emails also come with a range of subjects such as:

  • USPS Attention 060532
  • USPS: DELIVER CONFIRMATION – FAILED 17592718
  • USPS id. 182407
  • USPS DELIVERY CONFIRMATION 7264145
  • From USPS 4009717
  • Your USPS id. 44531036
  • USPS ATTENTION 44123265

In the previous attack the filenames were quite limited, unlike in this attack. Some examples:

  • “ups_NR9Yl2673.zip”
  • “Ups_NR5pY500268590.zip”
  • “UPS_NR5Da3052.zip”
  • “MyUps_NR9hN8574.zip”
  • “MYUPS_NR5gX736615890.zip”

Reminder: In the last series of attacks the subjects were changed to use the DHL brand a few days after the initial attack.
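A mail-filter check built from the subject and filename lists above, as an added example that is not part of the original post. The regular expressions are generalised from the listed samples (the campaign may use other forms), the `classify` and `sample` names are assumptions, and the test messages are constructed.

```python
import re
from email.message import EmailMessage

# Patterns generalised from the subjects and filenames listed above; the
# campaign may use variants not shown on the page (assumption).
BRANDS = ("UPS", "USPS", "DHL")  # DHL: earlier attacks moved to this brand
SUBJECT_RE = re.compile(r"\b(?:%s)\b.*\b\d{6,8}$" % "|".join(BRANDS), re.I)
# Only the UPS-style filename shape is listed on the page.
ATTACH_RE = re.compile(r"^(?:my)?ups_nr\d[a-z]{2}\d+\.zip$", re.I)


def classify(msg):
    """Return 'block', 'review' or 'pass' for one parsed message."""
    subject = " ".join((msg.get("Subject") or "").split())
    subject_hit = bool(SUBJECT_RE.search(subject))
    attach_hit = any(
        ATTACH_RE.match(part.get_filename() or "")
        for part in msg.walk()
    )
    if attach_hit:
        return "block"    # filename shape is specific to the campaign
    if subject_hit:
        return "review"   # brand + number alone also fits genuine notices
    return "pass"


def sample(subject, filename=None):
    """Build a constructed test message (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please print out the invoice copy attached")
    if filename:
        # 22-byte empty ZIP archive as a harmless placeholder attachment
        msg.add_attachment(b"PK\x05\x06" + b"\x00" * 18,
                           maintype="application", subtype="zip",
                           filename=filename)
    return msg


if __name__ == "__main__":
    for m in (sample("USPS Attention 060532", "MyUps_NR9hN8574.zip"),
              sample("Your USPS id. 44531036"),
              sample("Quarterly report", "report.zip")):
        print(classify(m), "-", m["Subject"])
```

A subject match alone is routed to review rather than blocked, because a brand name followed by a number also fits genuine delivery notices.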