Home Malware Post Express ‘Incorrect Delivery Address’ Malware Emails
Malware

Post Express ‘Incorrect Delivery Address’ Malware Emails

written by Brett M. Christensen February 9, 2011
Red Malware key on Computer Keyboard

Outline

Email purporting to be from “Post Express Support”, claims that a package sent by the recipient has been returned because of incorrect delivery details. The email instructs the recipient to open an attached file to print out a mailing label. 

Brief Analysis

The email is not from Post Express or any legitimate postal delivery service. The claim that a package has been returned is untrue. The attachment does not contain a mailing label as claimed. In fact, opening the attachment can install a trojan on the user’s computer.

Example

Subject: Post Express Service. Your package delivered! NR6776

Dear client

Your package has been returned to the Post Express office.
The reason of the return is “Incorrect delivery address of the package”

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you for your attention.
Post Express Support

 

Detailed Analysis

According to emails purporting to be from “Post Express Support”, the recipient’s package has been returned to the Post Express Office because delivery details were incorrect. The message instructs the recipient to open an attached file, supposedly in order to print out a mailing list that can be taken to the Post Express Office so that the package can be collected.

However, the email is certainly not from “Post Express” or any other legitimate package delivery service. And the claim that a package has been returned is nothing more than a ruse designed to trick recipients into opening the attached file. The attachment does not contain a mailing label as claimed in the message. Instead, opening the attached file can install a trojan on the user’s computer. Once installed, the trojan can send information to malicious servers and may download other malware.

To enhance your privacy and security and offer you a better user experience, Hoax-Slayer is now ad-free! Can you help us stay online?

Learn more...

The tactic used in this attack is nothing new. Criminals have used the returned or failed package delivery ruse a number of times in the past as a means of distributing malware. Another version that has been used and reused since at least 2008, claimed that a package being delivered by United Parcel Service (UPS) had not been delivered due to addressing problems. In 2010, another very similar version claimed that the returned package had been sent by FedEx. In both versions, an attachment to the emails that supposedly contained a mailing label, in fact, carried dangerous malware.

The scammers rely on the fact that many recipients may open the attachment out of simple curiosity or concern, even if they were not actually expecting a package delivery. This canny social engineering trick is likely to be repeatedly used and reused by criminals intent on distributing malware.

Users should be very cautious of any unsolicited emails that claim that a package delivery has failed or been returned. No legitimate delivery company is likely to send notice of a failed delivery via an unsolicited email with an attached mailing label file.

 

Since you’ve read this far…

…can I ask you for a big favour?

To enhance your privacy and security and offer you a better user experience, Hoax-Slayer is now ad-free. To keep the site online, I now rely on voluntary contributions from site visitors along with commissions from a few trusted products and services that I promote via reviews on the site.

If you found the above report useful, please consider supporting Hoax-Slayer by making a donation. Any amount you can give will be greatly appreciated.

You can donate using your credit card via the form below. Donations are collected securely via the online payment service Stripe. Stripe uses state of the art security to keep your data safe.

Thank-you.
Brett Christensen