Scam Alert: UPS Delivery Failure

by Andy on December 3rd, 2008 in Security Alert.

Have you made any recent purchases to be delivered by the postal service? With the holiday season upon us, chances are good that you have. If so, there's a common spam scam that may try to catch you off guard in order to infect your system with malware. Here's an example of a subject line and e-mail message to be on the lookout for this holiday shopping season, and beyond ...

Subject: [NO-REPLY] UPS Tracking Number 21263130

Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time because the recipient's address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

The e-mail appears to come from 'United Postal Service' or 'Post Office', and the subject of the message usually quotes a bogus UPS tracking number. The message contains a zipped file that purports to be an invoice document from UPS, and invites the recipient to open the attached document and print it out. When you unzip the attached file, it unpacks the file UPS_letter.doc.exe, or something similar.

This malware uses a very simple, yet effective, technique to look like a legitimate file. It masquerades as a Word document by using two tricks, shown in the image below:

1. A 'Word' icon is used.
2. The file has, or appears to have, the extension for Word documents, '.doc'.

For all intents and purposes, the file looks like a regular Word document - the unsuspecting victim will double-click on the file. This is when the malware actually runs. These files have been typically categorized as "Win32.Worm.Autorun" by Lavasoft researchers.

The file itself is not really a Word document, but a Windows executable file, or program. The malware author is banking on the fact that the user's operating system is configured to hide extensions for known file types. This means that file types (like .exe, .pdf, .doc and so on) are not shown at the end of the file name. In this case, the file type is '.exe' which is a 'known file type'. That means '.exe' is not shown at the end of the file name and the victim will see the filename 'UPS_letter.doc'.

However, if you have unchecked 'Hide extensions for known file types', the '.exe' part will become visible, proving that the file is not a Word document, but a Windows executable file - see the image to the left.

Configure Windows to show known file extensions, and gain the upper hand over these types of scams, by following these steps.

1. Open Windows Explorer
2. Click on the 'Tools' menu item
3. Click on 'Folder Options' item
4. Click on 'View'
5. Uncheck 'Hide extensions for known file types'
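
The double-extension trick described above can also be caught before anyone opens the archive. The following Python sketch is an added example, not part of the original article: it lists ZIP members whose real (final) extension is executable while the name shown with extensions hidden ends in a document extension. The extension lists and the sample archive are constructed assumptions, and the check also covers upper-case and space-padded names, which goes beyond the single case in the article.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for illustration; extend to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".pdf", ".xls", ".txt", ".jpg"}


def real_and_shown(name):
    """Return (real_ext, name_as_shown_with_extensions_hidden)."""
    base = PurePosixPath(name.replace("\\", "/")).name.strip()
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return "", base
    return "." + ext.lower(), stem


def find_masquerading_members(zip_bytes):
    """List archive members that are executables posing as documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            real_ext, shown = real_and_shown(info.filename)
            if real_ext not in EXECUTABLE_EXTS:
                continue
            # 'shown' is what Explorer displays when known extensions are hidden.
            _, dot, fake = shown.rstrip().rpartition(".")
            if dot and "." + fake.lower() in DOCUMENT_EXTS:
                findings.append((info.filename, shown.rstrip(), real_ext))
    return findings


def build_sample_zip():
    """Constructed sample archive with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("UPS_letter.doc.exe", b"placeholder")
        archive.writestr("invoice.doc", b"placeholder")
        archive.writestr("tools/setup.exe", b"placeholder")
        archive.writestr("Scan.PDF   .EXE", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, shown, ext in find_masquerading_members(build_sample_zip()):
        print(f"{name!r}: shown as {shown!r}, real type {ext}")
```

A plain 'setup.exe' is not reported, because its displayed name does not pretend to be a document; only names that look like documents once the final extension is hidden are flagged.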