MailGuard have identified and successfully blocked a recent run of fake FedEx emails containing JavaScript malware purporting to be from an employee at Fedex.
High pressure businesses can be left exposed by scams like this as they can easily overlook insignificant features like the ‘from’ sender address. This simple oversight is what spammers exploit, it only takes a moment of inattention or a lack of vigilance to be infiltrated.
Here is a screenshot of the type of email to watch out for:
As you can see in the email above, the subject of the email is, “Delivery Notification, ID 00000290694”, whilst the sender is purported to be, ‘Ben Carter’ a mock ‘Operation Manager’ at FedEx.
This variation does not require the recipient to do anything and merely states that the shipping label is attached to the email.
It provokes the recipient based on two scenarios:
- Human curiosity to download the notification to find out more information.
- The recipient is awaiting a package and is coincidentally caught out by this scam.
Obviously the parcel does not exist – and those that download and extract the .zip will be exposed to a highly obfuscated .doc.js JavaScript file.
Unless the user has elected to show known file type extensions, this file will appear as a DOC type and further convince the recipient that the attachment is legitimate.
The JavaScript contained within this file is designed for execution by the Windows Script Host, it contains hundreds of functions that build another script and when executed, download .exe files containing malware.
In many email scams we have observed, the downloaded malware often performs GET requests to attempt to download and run a payload ransomware file, typically CryptoLocker. CryptoLocker encrypts all files on local and mapped drives and will display a message when the user attempts to open the file. The message demands payment of a ransom in exchange to (supposedly) unlock their files.
FedEx states on their website, that they do not send unsolicited email to customers requesting information regarding packages, invoices, account numbers, passwords or personal information.
If you receive a message matching this description, do not open the email or click on the attachment. Delete the email immediately or forward it to abuse@fedex.com.
As a precaution, we urge you to delete emails that:
- Are not addressed to you by name, have poor grammar or omit personal details that a legitimate sender would include.
- Are from businesses/individuals you were not expecting to hear from, or you aren't 100% sure of the legitimacy of the source.
- Ask you to download any files, namely with an .exe file extension, or in this case, a .zip extension.
Educating staff and employing cloud-based email and web filtering is your first and best line of defence. Complement this multilayered defence with on premise antivirus, anti-malware and anti-spyware solutions. This will go a long way to mitigating the risk from a wide range of email scams.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.
