Your package has arrived.

I'm impressed by this scam e-mail:
Return-path: <tracking@ups.com>
Reply-To: <tracking@ups.com>
From: UPS Shipments <tracking@ups.com>
Subject: Your package has arrived!
Date: Thu, 2 Dec 2010 14:31:34 +0000
To: Undisclosed recipients:;
Dear client<br />
Your package has arrived.<br />
The tracking# is : 1Z45AR990*****749 and can be used at : <br />
<a href="http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a><br />
The shipping invoice can be downloaded from :<br />
<a href="http://thpguild.net84.net/e107_files/cache/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a> <br />
<br />
Thank you,<br />
United Parcel Service<br />

<p>*** This is an automatically generated email, please do not reply ***</p>

UUCLJNFYSDMJENHSLBIXJFGSUGKCVUTDYVBOGM

I’ve snipped the delivery-related headers (not interesting) and *’d out a bit of the tracking number. The links are intact.

What is interesting is that when rendered as HTML, every piece of visible text that looks like a URL is a genuine ups.com URL, including the tracking URL. The tracking link really is what it appears to be: click it, paste in the tracking number, and you'll get some poor dude's house in Florida. The invoice link is not: the visible text is a plausible ups.com download URL, but the href behind it points at invoice.scr on thpguild.net84.net, and .scr is a Windows screensaver, which is to say an executable. Click what appears to be a valid link to an invoice and you have the opportunity to download what I assume is an interesting payload. (But alas, the golden hour has passed; those who amuse themselves by downloading interesting payloads will have to amuse themselves elsewhere.)

The finance people I know never met an invoice they didn't like. I'd imagine that for them, the temptation to click is overwhelming.

It’s not hard to make a case for reading mail in plain text.

BTW - Most bloggers mangle potentially hostile URLs prior to publication. This blogger presumes that the readers of this blog are smart enough to know what’s safe and what isn’t.

Comments

  1. My finance people actually asked me about it *before* clicking on anything. I'm so proud of them.

  2. I've seen a few of these hit our office. Unfortunately one of the poor victims clicked on the link on their home computer because she regularly receives packages from UPS. It's a very well conceived phishing scheme.

  3. John - Awesome. We had a finance person fall for a phish a couple days ago. That's a pain.

    Jon - This one actually got caught by Forefront's AV. I released it from quarantine, figuring it'd be interesting to play with. :)

  4. Got the same email just today. I'm confused though. How can they send this from tracking@ups.com?

    Also, the invoice thingy got me. I downloaded it but my firewall acted up so I had to do a system restore. Is my PC safe? :D

  5. They just need to say it comes from ups.com. UPS doesn't use SPF (Sender Policy Framework), so there is no validation that the host actually is permitted to send email on behalf of ups.com. Anti-phishing code would likely recognize the disconnect between the displayed address and the actual address.

  6. I am surprised a major company like UPS doesn't use something as "simple" as SPF to prevent them from being used as an involuntary 3rd party to a phishing attempt.

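The SPF check the two comments above refer to, as an added example that is not part of the original post or its comments: a small offline evaluator for the "ip4", "ip6", "include" and "all" mechanisms of RFC 7208, run against a table of constructed TXT records. The domain names and netblocks in the table are made up for the example; ups.example stands in for a domain that publishes a policy, and nospf.example for one that publishes none, which is the situation the comments describe. The real ups.com record, if any, is not on this page.

```python
import ipaddress

# Constructed TXT records for the example (not real DNS data). None models a
# domain with no SPF record at all.
CONSTRUCTED_TXT = {
    "ups.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt_records, depth=0):
    """Evaluate the SPF record published for `domain` against the connecting IP.

    Returns an RFC 7208 result: pass, fail, softfail, neutral, none (no record)
    or permerror (include chain too deep). Only ip4, ip6, include and all are
    modelled; a, mx, ptr and exists need live DNS and are skipped.
    """
    if depth > 10:
        return "permerror"
    record = txt_records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the included domain's own policy yields pass
            matched = check_spf(arg, sender_ip, txt_records, depth + 1) == "pass"
        else:
            continue  # unmodelled mechanism or a modifier such as redirect=
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # RFC 7208 default when nothing matched


if __name__ == "__main__":
    for domain, ip in [("ups.example", "192.0.2.25"),
                       ("ups.example", "198.51.100.10"),
                       ("ups.example", "203.0.113.5"),
                       ("nospf.example", "203.0.113.5")]:
        print(domain, ip, "->", check_spf(domain, ip, CONSTRUCTED_TXT))
```

With a published record, the third case (an unrelated host claiming ups.example) comes back "fail" and a receiver can reject it; with no record the answer is "none", and the receiver has nothing to act on, which is the commenter's point. One caveat worth keeping in mind: SPF is evaluated against the envelope sender (MAIL FROM) and the HELO name, not against the From: header the reader sees, so a record alone does not stop the display of "tracking@ups.com"; tying the two identities together needs DMARC alignment on top.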
