UPS phishing

basenji

Administrator
Staff member
Trojan

Hello xuthltan, thank you for your post and welcome to AFI

There is a German version (see http://antifraudintl.org/showthread.php?t=11302) of this email as well, and apparently what hides in the link in the attachment is a trojan downloader called SHeur.BWIM. I leave it to one of the experts here to explain exactly what it will do to an infected computer.
 

Miyuki

Administratrix
Staff member
Hello xuthltan. Garreg Ddu or ETB will probably be along soon, or one of our other tekkies and they can tell you more about it because this is the first I've heard of it.
 

Garreg Ddu

Gweinyddwr
Staff member
Hi xuthltan,

thanks for the post, and the update by basenji (ninakushukuru). I'm having a problem with my ISP connection to the AV sites at the moment but will post what I can find as soon as possible.
 

Garreg Ddu

Gweinyddwr
Staff member
Multiple threat scam.

There seem to be at least 5 different variants of this malware infestation. Some AV sites have picked up "W32/Dropper", others variations on "SHeur.BWIM" and there are more.

There is a write up at http://blog.mxlab.be/2008/07/20/ups-tracking-number-trojan/ (Site has been McAfee and XPLabs LinkScanner checked and is OK) with some more detail.


DO NOT CLICK ON ANY LINKS IN THESE EMAILS
These TROJANS are designed to steal your identity.
 

Ted

Emeritus
These are nasty times we live in, on the Web...

Hello all, the link below is clean, and will bring you to a site I think you all will find intriguing, if not downright cool. It is called SenderBase and has all kinds of tools, including an email address sign-in for updates on the viruses hopping the world, in hourly real-time updates! I too have been subjected to Trojan attacks...twice in the past 5 days. In one instance my Windows Defender snapped it up, chewed it for a bit, and spit it back out, all in about 3 seconds. You can get Windows Defender by going to Microsoft's security sender, or by simply going to Microsoft Windows Defender on the net. The second Trojan had already penetrated my defenses and was discovered by my weekly AVG 8.0 scan yesterday. It was quarantined, and has been sent to AVG Virus for analysis. You can also get AVG for free, by going to Majorgeeks.com and typing in AVG in their search box.

And a special welcome to xuthltan...



http://www.senderbase.org/
 

Nanook

Administrator
Staff member
I bet that's a nasty little attachment.

From UPS Support Michael Morrison
Return-Path: <ungrudgingcmj99@moveez.net>
Received: from 119.68.137.3, Korea, dacom.co.kr
Date: Fri, 5 Mar 2010
From: "UPS Support Michael Morrison" <support@ups.com>
Reply-To: [ungrudgingcmj99@moveez.net]
Subject: UPS Delivery Problem NR.1091411
Message contains attachments
1 File (48KB)
* UPS_invoice_1145.zip

Hello!

We were not able to deliver your postal package which was sent on the 28th of January in time because the addressee's address is inexact. Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.
 

Dororo

Administrator
Staff member
From Postal Manager Kate Conley
Return-Path: <scurvier1269@wires.tv>
Received: from 123.27.92.226, Vietnam, Vietnam Posts and Telecommunication (VNPT)
From: "Postal Manager Kate Conley" <help@ups.com>
Subject: UPS Delivery Problem NR.5884995
Date: Tue, 27 Apr 2010
Message contains attachments
1 File (7b)

* 3051783007.txt

Hello!

We failed to deliver postal package sent on the 21st of January in time because the recipient’s address is erroneous. Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.
 
I RECEIVED THIS MAIL AND I AM SURE IT IS A SCAM

This is to notify you that your package has been intercepted and is temporarily being held in transit in Spain .The delivery process has been suspended for the following reasons.
1. It has been detected that your package contains taxable items .
2. In line with new laws, items transiting through the EU are to be fully taxed and are subject to postal inspection by transitting postal authorities.
Concluding the verification on the package it has been ascertained that adequate tax was not paid on the package. Your name and email address were on the package for contact details. The contents have been ascertained as a non-risk item,however under new laws any package transiting through the EU is liable to full tax coverage payment.The sender did pay the appropriate courier fee but did not state the true value of the contents of the package .We are therefore requesting you pay full tax for the coverage of $119 on the package. In order for your package to be released, you are obligated to pay the due tax on the contents of the package
You should therefore contact your assigned claims Officer, Carl Brooks to assist with the tax payment in Spain ,where your package is currently being held
While we wait to receive from you the tax File Number to enable us forward your package to your address. Below is the contact information of your assigned claims Officer.

Name: Mr. Carl Brooks
Email address: [carl-brooks@ups.claims.ir]
Tel: 1-678-701 8046

Note:tax coverage fees are payable to Spanish authorities through your assigned claims Officer.UPS® does not accept fees on behalf of foreign authorities. Once you receive your tax File Number, kindly forward file number or scanned document to your assigned claims Officer for onward delivery to UPS®.When making contact with your assigned claims officer via email or phone please quote reference EE210707329CN and a confirmation of your name and address for for swift location of package details. The status of your package can be tracked as soon as payment has been confirmed Soon as we have received the required tax File Number We shall forward your package to its destination.

Copyright © 1994-2010 UPS® , Inc. All rights reserved.

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==
X-Message-Status: n
X-SID-PRA: UPS®Corporate Headquarters <claims@ups.com>
X-DKIM-Result: None
X-AUTH-Result: NONE
X-Message-Info: bPCY57aSH9tMuYQjOfzOOjbjImg3pAeKaOKnthdmrFcUJva9cGTVMmdbx1h813GPskNVwb+0zXy2NpQBwBanG/6H6vHeDuBL
Received: from d185.webcreators.nl ([92.48.206.185]) by SNT0-MC3-F25.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 5 Nov 2010 01:23:46 -0700
Received: from [109.169.48.119] (helo=User)
by d185.webcreators.nl with esmtpa (Exim 4.67)
(envelope-from <claims@ups.com>)
id 1PDfm6-0005Uy-2t; Wed, 03 Nov 2010 17:01:22 +0100
Reply-To: <carl-brooks@ups.claims.ir>
From: "UPS®Corporate Headquarters"<claims@ups.com>
Subject: EE210707329CN
Date: Wed, 3 Nov 2010 17:00:56 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: claims@ups.com
Message-ID: <SNT0-MC3-F25GRon4Wi0004216f@SNT0-MC3-F25.Snt0.hotmail.com>
X-OriginalArrivalTime: 05 Nov 2010 08:23:46.0285 (UTC) FILETIME=[C3EE11D0:01CB7CC2]
 
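A header triage for the message quoted above, as an added example that is not part of the original post: it compares the From domain with Reply-To and with the host that handed the mail to the receiving provider, and reads the receiver-stamped X-DKIM-Result / X-AUTH-Result lines. The function names, the two-label `org_domain` shortcut and the constructed control message are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers abridged (ASCII-only, folding restored) from the message quoted above.
SAMPLE = """\
X-DKIM-Result: None
X-AUTH-Result: NONE
Received: from d185.webcreators.nl ([92.48.206.185]) by SNT0-MC3-F25.Snt0.hotmail.com;
 Fri, 5 Nov 2010 01:23:46 -0700
Received: from [109.169.48.119] (helo=User) by d185.webcreators.nl with esmtpa
 (envelope-from <claims@ups.com>)
Reply-To: <carl-brooks@ups.claims.ir>
From: "UPS Corporate Headquarters"<claims@ups.com>
Subject: EE210707329CN

"""

# Constructed control message: reply path and verdict agree with the From domain.
CLEAN = """\
X-DKIM-Result: Pass
Reply-To: <support@ups.com>
From: "UPS" <support@ups.com>
Subject: constructed sample

"""

def org_domain(addr):
    """Last two DNS labels of an address or host (assumption: no public-suffix list)."""
    host = addr.rsplit("@", 1)[-1].lower().strip("<>[] ")
    return ".".join(host.split(".")[-2:])

def triage(raw):
    """Return (From domain, list of findings) for a raw header block."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    findings = []
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and org_domain(reply) != from_dom:      # replies leave the claimed brand
        findings.append(f"reply-to-mismatch:{org_domain(reply)}")
    for name in ("X-DKIM-Result", "X-AUTH-Result"):   # stamped by the receiving provider
        if (msg.get(name) or "").strip().lower() == "none":
            findings.append(f"unauthenticated:{name}")
    received = msg.get_all("Received") or []
    m = re.match(r"from\s+(\S+)", received[0]) if received else None
    if m and org_domain(m.group(1)) != from_dom:      # weak on its own: third-party relays exist
        findings.append(f"relay-not-sender-domain:{org_domain(m.group(1))}")
    return from_dom, findings
```

Note that `ups.claims.ir` reduces to `claims.ir`: the leading `ups.` label is only a subdomain chosen by whoever controls that domain.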

Basic

Guest
UPS Fraud

Hi everyone,

Did someone react to this mail from Carl? I would like to write him back and contact the real UPS, the police and the internet security, but I am afraid this could be dangerous for me and my family. Did someone already do it?
I need feedback please!

Thanks
 

comprachina

Guest
It's a fraud, I have received this too

We would like to apologize for any inconvenience however the tax imposed is out of our control and requested by authorities.

We understand you might not want to disclose your credit card details over the internet or the phone so Kindly make payment through our trusted 3rd party payment processors ,WESTERN UNION Transfer Services .You can visit any WESTERN UNION Agent Location

The coverage costs is $119 USD.

The fees should be payable to finance agent RF76223 : Susan :

RECEIVER'S NAME: Susan Fernandez
Vía de los Poblados, 1
28033 Madrid
Spain

Once the payment is made,kindly email the payment MTCN reference number given to you by WESTERN UNION and the sender's name address and contact number to [carl-brooks@ups.claims.ir], Upon confirmation of payment we shall process and release the package for delivery immediately .

Carl
ODC 2817

Copyright © 1994-2010 United Parcel Service , Inc. All rights reserved.

 

Marcel

Guest
still going on

Received the message today.
[carl-brooks@ups.claims.ir] is still at it.
 

Central Scrutinizer

Administrator
Staff member
U.P.S.

Forged header.

Return-Path: <notification@ups.com>
Received: from 128.8.31.175, USA, University of Maryland Office of Information Technology, [abuse@umd.edu]
From: UPS Technology Administration<notification@ups.com>
Subject: Important Security Notification
Date: Mon, 3 Jan 2011

You can use My UPS to ...

Ship Online
Schedule a Pickup
Open a UPS Account

My UPS Periodic Update

Dear Customer,

Due to Ongoing periodic update on all UPS account, we advise that you update your account to avoid Suspension .

Please click the link below to update your Account access

Click Here [Link goes to http: // www . padmahospital . com . np /MyUps/UPS.htm]

If you have forgotten your password, visit Forgot User ID or Password on UPS.com to reset it.

Thank you for choosing My UPS. To learn more ways to make My UPS work for you, please visit Getting Started. We hope you visit us again soon!

© Copyright 2011 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.

Please do not reply directly to this e-mail. UPS will not receive any reply message. For questions or comments, visit Contact UPS.

We understand the importance of privacy to our customers. For more information, please consult the UPS Privacy Policy.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
 

BeeeJ

Guest
Still at it... just to update - Now under Jane Parsley

UPS®Corporate Headquarters
From: UPS®Corporate Headquarters (noxxreply@ups.com)
Sent: Thursday, 6 January 2011 3:50:46 PM
To:

Microsoft SmartScreen marked this message as junk and we'll delete it after ten days.
Dear Customer,

We regret to inform you that the delivery of your shipment has been suspended for the following reason.
1. In line with new laws, items transiting through the EU are to be fully taxed and are subject to postal inspection by transiting postal authorities.
Concluding the inspection on the package it has been ascertained that adequate duties was not paid on the package.
Your name and email address were on the package for contact details.
Under new laws any package transiting through the EU is liable to full duties payment. The sender did pay the appropriate courier fee but did not pay adequate duties on the package .We are therefore requesting you pay full duty for the coverage of (€)119 Euros on the package.

To resume delivery, you are obligated to pay the duties on the contents of the package
You should therefore contact your assigned claims Officer, Jane Parsley to assist with the duty payment in
Spain , where your package is currently being held
Below is the contact information of your assigned claims
Officer.
Name: Jane Parsley
Email address:jane-parsley@ups.claims.ir
Tel: 1-678 701 8046
Note: Duty coverage fees are payable to authorities through your assigned claims Officer.UPS® does not accept fees on behalf of foreign authorities.
Your old tracking number has been suspended due to non payment of tax.When making contact with your assigned claims officer via email or phone please quote reference AT220TL123.

The status of your package can be tracked as soon as payment has been confirmed
Copyright © 1994-2010 UPS Inc. All rights reserved.
 

sophie

Guest
Jane Parsley

Just got the email also:
From: UPS®Corporate Headquarters (no_claims@ups.com)
Sent: 14 January 2011 14:24:11

Dear Customer,
We regret to inform you that the delivery of your shipment has been suspended for the following reason.
1. In line with new laws, items transiting through the EU are to be fully taxed and are subject to postal inspection by transiting postal authorities.
Concluding the inspection on the package it has been ascertained that adequate duties was not paid on the package.
Your name and email address were on the package for contact details.
Under new laws any package transiting through the EU is liable to full duties payment. The sender did pay the appropriate courier fee but did not pay adequate duties on the package .We are therefore requesting you pay full duty for the coverage of (€)119 Euros on the package.
To resume delivery, you are obligated to pay the duties on the contents of the package
You should therefore contact your assigned claims Officer, Jane Parsley to assist with the duty payment in
Spain , where your package is currently being held
Below is the contact information of your assigned claims
Officer.
Name: Jane Parsley
Email address: [jane-parsley@ups.claims.ir]
Tel: 1-678 701 8046
Note: Duty coverage fees are payable to authorities through your assigned claims Officer.UPS® does not accept fees on behalf of foreign authorities.
Your old tracking number has been suspended due to non payment of tax.When making contact with your assigned claims officer via email or phone please quote reference Z195156475L4.
The status of your package can be tracked as soon as payment has been confirmed
Copyright © 1994-2010 UPS Inc. All rights reserved.
 

Guest

Guest
Received two of them today. From address is [customerservices@ups.com] so could look valid to the trusting. Jennifer Watson is the "Officer" name on this round. Otherwise exactly the same.
 