Email purporting to be from “Post Express Support”, claims that a package sent by the recipient has been returned because of incorrect delivery details. The email instructs the recipient to open an attached file to print out a mailing label.
The email is not from Post Express or any legitimate postal delivery service. The claim that a package has been returned is untrue. The attachment does not contain a mailing label as claimed. In fact, opening the attachment can install a trojan on the user’s computer.
Subject: Post Express Service. Your package delivered! NR6776
Your package has been returned to the Post Express office.
The reason of the return is “Incorrect delivery address of the package”
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.
Thank you for your attention.
Post Express Support
According to emails purporting to be from “Post Express Support”, the recipient’s package has been returned to the Post Express Office because delivery details were incorrect. The message instructs the recipient to open an attached file, supposedly in order to print out a mailing list that can be taken to the Post Express Office so that the package can be collected.
However, the email is certainly not from “Post Express” or any other legitimate package delivery service. And the claim that a package has been returned is nothing more than a ruse designed to trick recipients into opening the attached file. The attachment does not contain a mailing label as claimed in the message. Instead, opening the attached file can install a trojan on the user’s computer. Once installed, the trojan can send information to malicious servers and may download other malware.
The tactic used in this attack is nothing new. Criminals have used the returned or failed package delivery ruse a number of times in the past as a means of distributing malware. Another version that has been used and reused since at least 2008, claimed that a package being delivered by United Parcel Service (UPS) had not been delivered due to addressing problems. In 2010, another very similar version claimed that the returned package had been sent by FedEx. In both versions, an attachment to the emails that supposedly contained a mailing label, in fact, carried dangerous malware.
The scammers rely on the fact that many recipients may open the attachment out of simple curiosity or concern, even if they were not actually expecting a package delivery. This canny social engineering trick is likely to be repeatedly used and reused by criminals intent on distributing malware.
Users should be very cautious of any unsolicited emails that claim that a package delivery has failed or been returned. No legitimate delivery company is likely to send notice of a failed delivery via an unsolicited email with an attached mailing label file.