Tuesday, April 5, 2011

Your package has arrived.

I'm impressed by this scam e-mail:
Return-path: <tracking@ups.com>
Reply-To: <tracking@ups.com>
From: UPS Shipments <tracking@ups.com>
Subject: Your package has arrived!
Date: Thu, 2 Dec 2010 14:31:34 +0000
To: Undisclosed recipients:;
Dear client<br />
Your package has arrived.<br />
The tracking# is : 1Z45AR990
*****749 and can be used at : <br />
<a href="
http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a><br />
The shipping invoice can be downloaded from :<br />
<a href="
http://thpguild.net84.net/e107_files/cache/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a> <br />
<br />
Thank you,<br />
United Parcel Service<br />

<p>*** This is an automatically generated email, please do not reply ***</p>


I’ve snipped the delivery related headers (not interesting) and *’d out a bit of the tracking number. The links are intact.

What is interesting is that when rendered as HTML, the message contains valid URL's for all visible text, including the tracking URL. If click on the tracking URL and paste in the tracking number, you'll get some poor dudes house in Florida. If you click on what appears to be a valid link to an invoice, you have the opportunity to download what I assume is an interesting payload. (But alas, the golden hour has passed - those how amuse themselves by downloading interesting payloads will have to amuse themselves elsewhere.)

The finance people I know never met an invoice they didn't like. I'd imagine that for them, the temptation to click is overwhelming.

It’s not hard to make a case for reading mail in plain text.

BTW - Most bloggers mangle potentially hostile URL’s prior to publication. This blogger presumes that the readers of this blog are smart enough to know what’s safe and what isn’t.


  1. My finance people actually asked me about it *before* clicking on anything. I'm so proud of them.

  2. I've seen a few of these hit our office. Unfortunately one of the poor victims clicked on the link on their home computer because she regularly receives packages from UPS. It's a very well conceived phishing scheme.

  3. John - Awesome. We had a finance person fall for a phish a couple days ago. That's a pain.

    Jon - This one actually got caught by Forefront's AV. I released it from quarantine, figuring it'd be interesting to play with. :)

  4. Got the same email just today. I'm confused though. How can they send this from tracking@ups.com?

    Also, the invoice thingy got me. I downloaded it but my firewall acted up so I had to do a system restore. Is my PC safe? :D

  5. They just need to say it comes from ups.com. UPS don't use SPF (Sender Policy Framework, so there is no validation that the host actually is permitted to send email on behalf of ups.com. Anti-phishing code would likely recognize the disconnect between the displayed address and the actual address.

  6. I am surprised a major company like UPS doesn't use something as "simple" as SPF to prevent them from being used as a unvolountary 3rd party to a phishing attempt.