DHL Notification Malware Email

by Brett M. Christensen

Outline

Emails purporting to be from international mail delivery service DHL claim that a parcel has been sent to the recipient or that a parcel could not be delivered due to an addressing error. The messages advise the recipient to open an attached file to view a parcel tracking number and access more information about the delivery or print out a delivery label.

Brief Analysis

The emails are not from DHL. The attachments contain malware that, once installed, can connect to malicious websites, download additional malware components and steal personal information from the infected computer.

Examples

Subject: DHL delivery report

DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
DHL Global

 

Detailed Analysis

These crudely rendered malware messages purport to be from international mail delivery service DHL. One version of the message notifies the recipient that a parcel has been sent to his or her address and is expected to arrive within seven business days. It advises the recipient to open an attached file to retrieve a tracking number for the parcel along with more information about the delivery.

A later version claims that a parcel sent to the recipient could not be delivered due to an apparent addressing error. The message advises the user to open an attached file and print out a postal label to resolve the issue and collect the parcel. It warns that, if the parcel is not collected within 15 days, DHL will start charging a daily fee for storage.

However, the emails are certainly not from DHL and the attachments do not contain delivery information or address labels. Instead, the attachments harbour malware. Opening the attachment can install a trojan that can subsequently make connections to malicious websites and download additional malware modules. The malware can collect information from the infected computer and relay it back to Internet criminals.

Many recipients will quickly suspect that the message is not from DHL because of the very poor spelling and grammar. Moreover, DHL is very unlikely to contact customers via an unsolicited, generic email that contains delivery information in an attached file. DHL is regularly targeted by criminals intent on distributing malware. The names of other well-known delivery companies, including UPS and FedEx, have also been repeatedly used by malware distributors.

Another such malware attack consisted of emails purporting to be from Post Express.

If you receive one of these fake DHL emails, or a similar message claiming to be from another delivery company, do not open any attachments that it contains. Note also that some versions may try to trick recipients into clicking links that lead to compromised websites that also contain malware.
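
The traits described above, turned into a mail triage check, as an added example that is not part of the original article: it flags a message that names a courier brand, carries an attachment, and either comes from a domain outside an allowlist or repeats the lure wording. The allowlist, the function names, the sender address and the attachment are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Brands named in the article. The domain allowlist is an illustrative
# assumption, not a complete list of each company's sending domains.
BRAND_DOMAINS = {"dhl": ("dhl.com",), "ups": ("ups.com",), "fedex": ("fedex.com",)}
# Phrases taken from the lure wording quoted in the article.
LURE = re.compile(r"print (a|the|out) .*label|tracking number|"
                  r"couldn.t make the delivery|claim compensation", re.I)

def indicators(raw):
    """Return the delivery-lure indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0] if addrs else None
    claimed = f"{sender.display_name if sender else ''} {msg['Subject'] or ''}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", claimed):
            found.append(f"claims-brand:{brand}")
            domain = sender.domain.lower() if sender else ""
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                found.append("sender-domain-mismatch")
    if any(True for _ in msg.iter_attachments()):
        found.append("has-attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE.search(body.get_content()):
        found.append("lure-phrase")
    return found

def is_suspect(raw):
    """Flag mail that claims a courier brand, carries a file, and shows one more sign."""
    hits = indicators(raw)
    return (any(h.startswith("claims-brand:") for h in hits)
            and "has-attachment" in hits
            and ("sender-domain-mismatch" in hits or "lure-phrase" in hits))

def sample_lure():
    """Constructed sample modelled on the email quoted in the article."""
    m = EmailMessage()
    m["From"] = '"DHL Global" <notice@mailer.example>'  # constructed sender
    m["Subject"] = "DHL delivery report"
    m.set_content("Label is enclosed to the letter.\n"
                  "Print a label and show it at your post office.\n")
    m.add_attachment(b"placeholder bytes, not malware", maintype="application",
                     subtype="octet-stream", filename="label.placeholder")
    return m.as_string()

if __name__ == "__main__":
    print(indicators(sample_lure()), is_suspect(sample_lure()))
```

A hit is a reason to quarantine the message for review, not proof of malware; the attachment itself still needs scanning.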
