Fake FedEx E-mails Flood the Web

A new e-mail malware campaign has hit record levels in the past 24 hours.

More than 21 million spam e-mails claiming to be notifications of non-delivery from FedEx (NYSE: FDX) have hit the Web, Sam Masiello, vice president of information security at managed e-mail security vendor MX Logic, told InternetNews.com.

This accounted for about 80 percent of all e-mail-borne malware over the 24-hour period, Masiello said.

This is the third round of e-mail spams purporting to come from courier companies in the past few weeks, and the one with the highest volume, according to Masiello. The first two purported to be from UPS (NYSE: UPS) and DHL, but “they only numbered in the tens of thousands,” he added. “That goes to show you what good social engineering and a well-known brand can do for you.”

Social engineering is the art of manipulating people into doing something, such as going to a Web site or divulging confidential information. Many spammers either get their victims to click through to Web sites that download malware onto their computers or get them to provide their personal information through various pretexts.

The fake FedEx e-mails use various come-ons, such as including a tracking number or claiming the recipient has a package in the subject line. According to MX Logic, the e-mails say the recipient sent a package on July 25 but it had not been delivered because the address was incorrect, and ask the recipient to print out an attached invoice and collect the package at the FedEx office.

The attached invoice is a .zip file which contains the malware, MX Logic said. Once a recipient clicks on it, the code in the file infects his computer.

While the notice looks exactly like something FedEx would send out, the fact that it does not state which FedEx office to go to in order to collect the package is “a dead giveaway,” Masiello said. That also proves that the e-mails are being sent out blindly and are not harvested from FedEx’s databases, so it’s not an inside job, he added.

MX Logic has not tracked down the senders yet. “It’s hard to find out who’s in charge of botnets because they use distributed machines all around the world and there’s no one central point,” Masiello explained. “That’s why there are so few arrests made.”

While there is the odd news story about someone being arrested for sending out mass spam mailings, that’s “nothing compared to what’s out there,” Masiello said. “The rate of return on this is very low.”

Masiello expects the number of FedEx spams to remain static or decrease over the weekend because “they may want to shut it down and go on to launch another campaign.”
