DHL phishing

Discussion in 'Phishing' started by Tywysoges Gwen, May 14, 2010.

  1. Email arrived as copied below, with an attachment "DHL_invoice_6147.zip" which my AV filter recognised as having a virus in it and removed. As it is removed I can't identify the virus, but it is posted here for a warning.

    Please do not open the attachment, as you will be exposed to the virus infection.

    ================================

    X-SID-PRA: Director Jaime Floyd <parcel@dhl.com>

    Received: from 189.88.1.206 by mail02.move.com; Thu, 6 May 2010 10:10:16 -0300
    From: "Director Jaime Floyd" <parcel@dhl.com>
    To: <**********@********.***>
    Subject: DHL Delivery Problem NR.47097
    Date: Thu, 6 May 2010 10:10:16 -0300
    Importance: Normal
    Return-Path: <turban@move.com>



    Dear customer!

    We were not able to deliver your postal package which was sent on the 6th of February in time
    because the addressee's address is incorrect.
    Please print out the invoice copy attached and collect the package at our department.

    DHL Customer Services.


    ===============================

    WHOIS - 189.88.1.206
    owner: EMBRATEL-EMPRESA BRASILEIRA DE TELECOMUNICAÇÕES SA (10525)
    % Security and mail abuse issues should also be addressed to
    % cert.br, http://www.cert.br/, respectivelly to cert@cert.br
    % and mail-abuse@cert.br
     
    Last edited by a moderator: Nov 17, 2010
  2. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    THIS ALERT HAS BEEN UPGRADED TO A DEFINITE MALWARE INFECTION ATTEMPT.

    DO NOT CLICK ON THE ATTACHMENT TO THIS EMAIL, AS IT WILL RUN A PROGRAM TO DOWNLOAD A MALWARE INFECTION.




    This one nearly caught me out, as I am expecting a delivery of dog food by DHL. However, being aware of the dangers I did an analysis of the email and checked everything. It does NOT come from DHL, but is part of an attempt to set up a malware botnet or similar nasty.
    This is now definitely proven to be a new Malware infection attempt, related to a resurfacing of the "BREDOLABS" botnet.

    Please read the next reply for more information.


    From DHL Logistics Services Wed Nov 3 01:31:22 2010
    Return-Path: <manager.id9575@dhl.com> The header has been forged, creating the impression it is from DHL, but....

    X-Originating-IP: [65.202.244.251]

    65.202.244.251 = FABER ORTHODONTICS Hatboro United States

    Received: from 127.0.0.1 (HELO dhl.com) (65.202.244.251)
    by mta1000.mail.ac4.yahoo.com with SMTP; Tue, 02 Nov 2010 18:31:32 -0700

    From: "DHL Logistics Services" <manager.id9575@dhl.com>
    To: <*************@********>
    Bcc: <************@******.*****>
    Subject: Track your parcel NR28867
    Date: Tue, 02 Nov 2010 21:31:22 -0400




    Wed, November 3, 2010 1:31:22 AM
    Track your parcel NR28867
    From: DHL Logistics Services <manager.id9575@dhl.com>
    Add to Contacts
    To: ********@*******.***

    DHL_label_id.Nr1522.zip (30KB) The attached file - it is a "WINZIP" compressed file, with a .exe in in. It is being submitted to the correct places for detailed analysis.


    --------------------------------------------------------------------------------

    Dear client

    Your parcel has arrived at the post office on October 05 <-- Why a post office if it is DHL - flag #1
    Our Driver was unable to deliver the parcel to your address. DHL always put a "Tried to Deliver" note through your letter box, with contact details - flag #2
    To receive a parcel you must go to the nearest DHL office and show your mailing label. No, you telephone the DHL depot and arrange re-delivery- flag #3
    You need to print mailing label, and show it in DHL office to receive the parcel. No native English speaking manager would write a sentence like this - flag #4

    Thank you for your attention.
    DHL Services.



    And at the bottom of the email message, hidden by use of a white font colour, was this additional extra bit.




    But the Fates had undertaken to act as mediators and make me the hero of a romance which ended so speedily, and in a manner which, though disagreeable, was so far from tragical, that if I desired to weave the story of my own life into a novel I should be ashamed to use the extensive apparatus employed by Destiny.Rather more than a week had passed since the last performance of The Robbers, when one day, late in the afternoon, the streets were filled with uproar. A fire had broken out, and as soon as Professor Braunes lesson was over I joined the human flood. The boiler in the Kubisch cloth factory had burst, a part of the huge building near it was in flames, and a large portion of the walls had fallen. When, with several school-mates, I reached the scene of the disaster, the fire had already been mastered, but many hands were striving to remove the rubbish and save the workmen buried underneath. I eagerly lent my aid. Meanwhile it had grown dark, and we were obliged to work by the light of lanterns.
     
    Last edited: Nov 14, 2010
  3. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Feedback from McAfee Virus Laboratory.

    From: <Virus_Research@avertlabs.com>
    Sent: Wednesday, November 03, 2010 1:50 PM
    To: <**********.**********@*****.***>
    Subject: 6308370 - Possible malware threat in email.

    McAfee Labs - Beaverton
    Current Scan Engine Version:5400.1158
    Current DAT Version:6154.0000
    Thank you for your submission.

    Analysis ID: 6308370

    File Name....................Findings...................................Detection.........................Type..........Extra
    --------------------|------------------------------|----------------------------|-----------|-----
    dhl_label.exe...........|new detection...................... | bredolab.gen.c.................|Trojan......|yes
    email.txt.................|inconclusive..........................|.......................................|...............|no

    Attached is a file for extra detection, which will be included in a future DAT set. We
    have detected a virus or trojan that can only be detected and removed with the
    attached EXTRA.DAT and current scan engine. The EXTRA.DAT must be used with the
    current scan engine, and we highly recommend you update to the most current DAT
    release. If you are not seeing this with the product you are using, please speak with
    technical support so they can help you determine the cause of this discrepancy.

    inconclusive [email.txt]

    Upon analysis the file submitted does not appear to contain one of the 200,000 known
    threats in the AutoImmune database. The file may contain a new threat, or no code
    capable of being infected. Your submission is being forwarded to an McAfee Labs
    Researcher for further analysis. You will be contacted by McAfee through e-mail with
    the results of that analysis.

    new detection [dhl_label.exe]

    The file received contains a new virus or trojan. It is recommended that you update
    your DAT and engine files and scan your computer again.

    To find detailed information about viruses and other malware, please review McAfee
    Labs' Virus Information Library:

    http://vil.mcafeesecurity.com

    You may wish to submit future malware samples to:

    https://www.webimmune.net/default.asp

    It may be the best option if you are having a problem with gateway scanners stripping
    your sample submission.

    If you believe your computer is infected, but are unsure which files should be
    submitted to McAfee Labs for review, please visit:

    http://vil.mcafeesecurity.com/vil/submit-sample.aspx

    For other virus-related information, please review McAfee Labs' homepage at:

    http://www.mcafee.com/us/threat_center/default.asp

    Support -

    Virus Research accepts file-samples for analysis and possible inclusion into AV
    signature DAT sets. We are also prepared to answer general virus questions. All
    product-related questions and comments can be addressed through technical support and
    customer service, including:

    * Product installation and update questions
    * Product usage questions
    * Specific operating system/version questions
    * Assistance with detection and cleaning or removal of viruses or trojans

    Use the following link to update your DAT and scan engine to the most current version:

    http://www.mcafee.com/apps/downloads/security_updates/dat.asp

    Use the following links to reach online technical support for McAfee products -

    Corporate Customers:

    http://www.mcafeesecurity.com/us/support/

    Single User/Retail Customers:

    http://www.mcafeehelp.com

    Note -

    Due to the prevalence of network gateway AV products, it is important that all
    submissions be zipped and the zip file password-protected (password - infected). Some
    products will reject an email that contains a virus that is not sent in this way. In
    addition, often we receive a file that appears not to have been infected, to find
    later that the file was infected when it left the sender, and was cleaned somewhere
    along the line.

    Regards,



    McAfee Labs
     
  4. basenji

    basenji Administrator Staff Member

    An extract from 'The Story of My Life from Childhood to Manhood' by Georg Ebers, a German. In the golden days of diploma mill spams (when University Degree Program was more active than today), extracts from various 19th century novels were inserted at the end of the emails in this way - often as an image, not text - to confuse spam filters. I guess it's an attempt to make a spam bot unrecognisable.
     
  5. Bruce Davey

    Bruce Davey New Member

    DHL Scam with a different hidden message

    11/3/10 received the DHL scam already documented here, with the usual "DHL Label" which is really an EXE. But this one has a different hidden message, kind of ominous for its religious radicalism. It's done in white font but exposed thru highlighting - "hidden" message below. Anyone seen this?


    "He ordered all to pray that the Lord might lift up His Church, protect it from the wiles of the enemy, extirpate heresies, grant peace and true unity among Christian princes, and mercifully avert disasters already coming near.But if the language of Paul V. was measured and decent, the swarm of Jesuit pamphleteers that forthwith began to buzz and to sting all over Christendom were sufficiently venomous. Scioppius, in his Alarm Trumpet to the Holy War, and a hundred others declared that all heresies and heretics were now to be extirpated, the one true church to be united and re-established, and that the only road to such a consummation was a path of blood."
     
  6. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Hi Bruce Davey,

    :welcome: to AFI and thank you very much for your post.

    If you still have the email, is it possible for you to post the headers here, so that we can get more information about where it is coming from? Please check out the threads at How to find email headers and Basic email header analysis tools - a short tutorial for how to do this.

    You may wish to submit the email and attachment to the support team at your own AntiVirus software provider, as well. You should be able to find out how to do this on their support web-site.

    Thank you very much,

    Garreg Ddu
     
  7. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Confirmed by Sophos - and detection/removal instructions.

    From: Sophos Support
    Sent: Wednesday, November 03, 2010 7:44 PM
    To: ********@********
    Subject: [#2536112] RE: Sample submitted for analysis (IDENTITY CREATED)


    Hello,

    Thank you for contacting Sophos Technical Support.

    **Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.**

    The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.


    ---

    To create a new Full System Scan to clean up threats

    You should turn off System Restore before running a Full System Scan. Go to Start > Control Panel > Performance and Maintenance. Double-click System and then select the System Restore tab. Select the Turn off System Restore on all drives checkbox, then click Apply and then Yes.
    Right click the blue Sophos shield on the taskbar and choose "Open Sophos Anti-Virus"
    Click on "Scans". Give the scan a name, ensure you have checkmarked all of the local hard drives and removable drives under My Computer and click on "Configure this scan" at the bottom.
    On the Options tab, ensure that Scanning level is set to "Normal (recommended)". Under Scanning options, ensure that "Scan all files", "Scan for adware/PUAs", "Scan for suspicious files" and "Scan for rootkits" are checkmarked.
    Click on the Cleanup tab. Ensure that "Automatically clean up items that contain virus/spyware" is checkmarked and the two radio buttons are set to "Deny access only" (which actually means to leave the virus there, but block all access to it if cleanup fails). Checkmark "Automatically clean up adware/PUAs" and click OK.
    Click on "Save and Start". Reboot the computer once the scan completes.
    Once the computer is available, please repeat the scan to ensure a full cleanup.
    ---

    Alternatively, you can create a Sophos Bootable Anti-Virus CD and scan the machine from the bootable environment. Please contact Sophos Technical Support for information on how to obtain this tool and if it's appropriate for you.


    Please do not hesitate in contacting us by replying to this email if you have any questions or concerns.

    Kind regards,

    Sophos Technical Support Support
    knowledgebase: http://www.sophos.com/support
    Subscribe to email notifications: http://www.sophos.com/security/notifications

    New! SophosTalk community (discussion forums): http://community.sophos.com

    SOPHOS - simply secure
     
  8. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Another attempt to pass on the infection.

    Another email has been found with a malware infected file attached.

    PLEASE DO NOT DOWNLOAD AND RUN THE ATTACHED FILE, AS IT WILL INFECT YOUR COMPUTER WITH A BOTNET TROJAN.

    The infection is known to, and detected by Norton, Sophos, McAfee and Kaspersky Labs Anti-Virus systems, and probably by others now as well.


    From DHL Global Tue Nov 9 00:29:15 2010
    Return-Path: <usps.no.0589@dhl.com>

    X-Originating-IP: [209.112.147.122]

    Received: from 127.0.0.1 (HELO dhl.com) (209.112.147.122)
    by mta1242.mail.mud.yahoo.com with SMTP; Mon, 08 Nov 2010 17:29:21 -0800

    Origin IP Address = 209.112.147.122 = Alaska Communications Systems Group, Anchorage, Alaska, United States

    From: "DHL Global" <usps.no.0589@dhl.com>
    To: ************@*******.***
    Bcc:

    Subject: DHL Delivery Problem No654887
    Date: Mon, 08 Nov 2010 16:29:15 -0800

    DHL_mailing_label_No14033.zip This is the attached, malware infected file.

    Good afternoon!

    Your package has been returned to the DHL office.
    The reason of the return is - Incorrect delivery address of the package ! Flag #1 - Grammar is bad.

    Attached to the letter mailing label contains the details of the package delivery. ! Flag #2 - Grammar is bad again.
    You have to print mailing label, and come in the SDF office in order to receive the packages. ! Flag #3 - Grammar is bad yet again. What has an "SDF" office to do with DHL?

    Thank you for attention.
    DHL Customer Services.




    Note the addition of another hidden text stream, trying to confuse email system smap filters.


    Entendez-moi, ma fille, cest en vous, dans la soumission, dans la purete, dans lamour, que Dieu a mis la force de votre union.A ce moment, il y eut un rire, a lautre bout de leglise. Lenfant venait de se reveiller sur la chaise ou lavait couche la Teuse. Mais il netait plus mechant; il riait tout seul, ayant enfonce son maillot, laissant passer des petits pieds roses quil agitait en lair. Et cetaient ses petits pieds qui le faisaient rire. - Mon cher frere, reprit labbe Mouret, a demi tourne vers le grand Fortune, cest Dieu qui vous accorde aujourdhui une compagne; car il na pas voulu que lhomme vecut solitaire. Mais, sil a decide quelle serait votre servante, il exige de vous que vous soyez un maitre plein de douceur et daffection. Vous laimerez, parce quelle est votre chair elle-meme, votre sang et vos os. Vous la protegerez, parce que Dieu ne vous a donne vos bras forts que pour les etendre au-dessus de sa tete, aux heures de danger.
     
    Last edited: Nov 14, 2010
  9. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Another attempt

    This time the text and viral payload are slightly different. As usual, all has been passed over to McAfee, Sophos and Kaspersky Labs for investigation. McAfee are very quick and already have done the analysis, found the malware and updated their systems to detect and kill it.


    From DHL Global Services Tue Nov 16 10:24:36 2010
    Return-Path: <contact.s.nr1811@dhl.com>

    X-Originating-IP: [14.194.61.89]

    Origin IP address = 14.194.61.89= Tata Teleservices Limited -GSM Division, India

    From: "DHL Global Services" <contact.s.nr1811@dhl.com>
    Subject: DHL Delivery Problem S.NR706037450
    Date: Tue, 16 Nov 2010 10:24:36 +06-30

    There is an ateached ZIP file, DHL_Information_S.Nr99643.zip which contains the Malware payload.


    The company could not deliver your package to your address.
    The package was returned to DHL office.
    Information about your package is attached to the letter.
    Look through the information about your package thoroughly.


    Thank you for using our services.
    DHL Global Mail.


    With the usual attempt to beat filters with hidden text at the end:

    If female descent went for anything, it is not clear why Herbert passed by the rights of his two elder sisters, Gersendis, wife of Azo Marquess of Liguria, and Paula, wife of John of La Fleche on the borders of Maine and Anjou.And sons both of Gersendis and of Paula did actually reign at Le Mans, while no child either of Herbert or of Margaret ever came into being. If Herbert ever actually got possession of his country, his possession of it was short. He died in 1063 before either of the contemplated marriages had been carried out. William therefore stood towards Maine as he expected to stand with regard to England. The sovereign of each country had made a formal settlement of his dominions in his favour. It was to be seen whether those who were most immediately concerned would accept that settlement. Was the rule either of Maine or of England to be handed over in this way, like a mere property, without the people who were to be ruled speaking their minds on the matter?


    ================================

    The McAfee report is:


    From: <Virus_Research@avertlabs.com>
    Sent: Tuesday, November 16, 2010 3:32 PM
    To: <**********@***********>
    Subject: 6352417 - Suspected Malware infection attempt. Please see attached zip file.


    McAfee Labs - Beaverton
    Current Scan Engine Version:5400.1158
    Current DAT Version:6168.0000
    Thank you for your submission.

    Analysis ID: 6352417

    File Name------------Findings------------------------Detection-------------------Type-----------Extra
    --------------------|------------------------------|----------------------------|------------|-----
    dhl_information.exe-.|new detection---------------- |generic backdoor.u-------- |Trojan-----|yes [/B]
    dhl_information_s.nr |inconclusive-------------------|----------------------------|-------------|no

    Attached is a file for extra detection, which will be included in a future DAT set. We
    have detected a virus or trojan that can only be detected and removed with the
    attached EXTRA.DAT and current scan engine. The EXTRA.DAT must be used with the
    current scan engine, and we highly recommend you update to the most current DAT
    release. If you are not seeing this with the product you are using, please speak with
    technical support so they can help you determine the cause of this discrepancy.

    inconclusive [dhl_information_s.nr99643.txt]

    Upon analysis the file submitted does not appear to contain one of the 200,000 known
    threats in the AutoImmune database. The file may contain a new threat, or no code
    capable of being infected. Your submission is being forwarded to an McAfee Labs
    Researcher for further analysis. You will be contacted by McAfee through e-mail with
    the results of that analysis.

    new detection [dhl_information.exe]

    The file received contains a new virus or trojan. It is recommended that you update
    your DAT and engine files and scan your computer again.

    To find detailed information about viruses and other malware, please review McAfee
    Labs' Virus Information Library:

    http://vil.mcafeesecurity.com

    You may wish to submit future malware samples to:

    https://www.webimmune.net/default.asp

    It may be the best option if you are having a problem with gateway scanners stripping
    your sample submission.

    If you believe your computer is infected, but are unsure which files should be
    submitted to McAfee Labs for review, please visit:

    http://vil.mcafeesecurity.com/vil/submit-sample.aspx

    For other virus-related information, please review McAfee Labs' homepage at:

    http://www.mcafee.com/us/threat_center/default.asp

    Support -

    Virus Research accepts file-samples for analysis and possible inclusion into AV
    signature DAT sets. We are also prepared to answer general virus questions. All
    product-related questions and comments can be addressed through technical support and
    customer service, including:

    * Product installation and update questions
    * Product usage questions
    * Specific operating system/version questions
    * Assistance with detection and cleaning or removal of viruses or trojans

    Use the following link to update your DAT and scan engine to the most current version:

    http://www.mcafee.com/apps/downloads/security_updates/dat.asp

    Use the following links to reach online technical support for McAfee products -

    Corporate Customers:

    http://www.mcafeesecurity.com/us/support/

    Single User/Retail Customers:

    http://www.mcafeehelp.com

    Note -

    Due to the prevalence of network gateway AV products, it is important that all
    submissions be zipped and the zip file password-protected (password - infected). Some
    products will reject an email that contains a virus that is not sent in this way. In
    addition, often we receive a file that appears not to have been infected, to find
    later that the file was infected when it left the sender, and was cleaned somewhere
    along the line.

    Regards,



    McAfee Labs
     
  10. Dororo

    Dororo Administrator Staff Member

    It has a zip file.

    From DHL Services
    Return-Path: <customerservice.s.nr5404@dhl.com>
    Received: from 65.40.229.0, America server, Florida, Embarq Corporation, [abuse@embarqservices.net]
    From: "DHL Services" <customerservice.s.nr5404@dhl.com>
    Subject: DHL Shipment Status S.NR018536
    Date: Mon, 15 Nov 2010

    Dear Customer!

    The company could not deliver your package to your address. The package was returned to DHL office. Information about your package is attached to the letter. Look through the information about your package thoroughly.

    Thank you for your attention.
    DHL Customer Services.
     
  11. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    It appears that this infection attempt may have started as early as May 2010. A thread posted by Tywysoges Gwen at http://antifraudintl.org/showthread.php?t=36982 shows an email with very similar properties to these emails. Although the attachment and its malware could not be analysed when her post was made, it was known to be virus infected.
     
  12. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    These malware infected emails, supposedly from DHL but really from some cess-pit slime criminal scammer, are closely related to the thread at DHL - Malware attack - Fake email - malware site

    They all appear to be part of an attempt to propagate a trojan swarm to enable a net-bot, similar to the bredolabs bot.
     
  13. Nanook

    Nanook Administrator Staff Member

    Received: from 70.69.247.15, Calgary, Canada, Shaw Communications Inc.,
    From FedEx Delivery Service
    Return-Path: <federal.nr.4572@managerscom>
    From: "FedEx Delivery Service" <federal.nr.4572@managerscom>
    Bcc: <lotp875@comcast.net>
    Subject: FedEx service. Get your parcel NR.S.980890
    Date: Tue, 16 Nov 2010

    * FedEX_Information_IDS9906.zip FedEX_Information_IDS9906.zip

    Dear client!

    The company could not deliver your package to your address. The package was returned to FedEx office. Information about your package is attached to the letter. Look through the information about your package thoroughly.

    Thank you for using our services.
    FedEx Express Services.
     
  14. Naruto

    Naruto Administrator Staff Member

    From FedEx service
    Return-Path: <infoio@fedex.com>
    Received: from 203.202.249.82, Bangladesh, Aamra Networks Limited
    Reply-To: "FedEx service" <infoio@fedex.com>
    From: "FedEx service" <infoio@fedex.com>
    Subject: FedEx notice
    Date: Sun, 20 Mar 2011

    FedEx docs.zip


    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 7 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © FedEx 1995-2011
     
  15. Violet

    Violet New Member

    FedEx system notification

    FedEx system notificationSunday, 3 April, 2011 6:36
    From: "FedEx" <info10bykyb@fedex.com>
    Message contains attachments1 File (7KB)FedEx-document.zip

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 3 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © 1994-2011 FedEx, Inc.

    >>> Yeah, as if I'm gonna click on that one >>>> These guys are persistent idiots!!! :mad:
     
  16. Violet

    Violet New Member

    Received: from 203.202.249.82, Bangladesh, Aamra Networks Limited


    Hi Naruto,

    Can you please tell me how to find that bit so I can include it in my posts? Pretty please :)
     
  17. Wonderwoman

    Wonderwoman Samurai

  18. Sphinx

    Sphinx Administrator Staff Member

    I don't know who these bozos are but it looks like they are going to try every single delivery service. It's a good thing they aren't attaching anything with this mail.

    Received: from 217.97.178.33, Poland Ppuh Net Center Stepniewski Piotr. [abuse@telekomunikacja.pl]
    From: "DHL Global" <supplet@dhl.com>
    To: <noijam@netscape.net>
    Subject: DHL Express Services
    Date: Mon, 4 Apr 2011

    Dear customer

    The parcel was sent your home adress And it will arrive within 10 business days

    More information and the tracking number are attached in document below.

    Thank You

    1994-2011 DHL Express Services, Inc.
     
  19. Central Scrutinizer

    Central Scrutinizer Administrator Staff Member

    From Trcking system
    Return-Path: <infoqteze@tracking-system.com>
    Received: from 91.28.247.89, Germany, Deutsche Telekom AG, [abuse@telekom.de]
    Date: Wed, 13 Apr 2011
    From: "Trcking system" <infoqteze@tracking-system.com>

    Dear customer,

    The parcel was sent your home adress It will arrive within 7 business days

    More information and the tracking number are attached in document below.

    Thank You
    Copyright © 1994-2011 DHL, Inc. All rights reserved.

    Nice little file attached: EX-38463.pdf.zip Oh yeah. don't open that file.
     
  20. Girl1

    Girl1 New Member

    And again,,,,

    From : DHL Inc. <adminjftgzym@dhl.com>

    Subject : DHL Delivery Services notification #3536283

    with 1 (one) file as attachment

    "Dear customer.

    The parcel was sent your home address! And it will arrive within 7 business day.

    More information and the traching number are attached in document below!

    Thank you.
    Best regards.


    2011 DHL International GmbH. All rights reserved".
     

Share This Page