Spam Posing as FedEx E-mail Delivers Gamarue Trojans Instead of Packages

A new wave of malicious FedEx spam delivers Trojans instead of packages, infecting users with malware when opening the attachments. In the last couple months, the Gamarue Trojan has spread intensely in the US, Australia, Croatia, Romania, Iran, the UK, Germany and Spain.

“This tracking update has been requested and attached to this email,” the malicious message reads. “Reference information includes: Invoice number, Reference, Special handling/Services, Residential Delivery. Reference information is attached to this email.”

To give credibility to the malicious payload, scammers added links to the authentic shipping company.

Trojan.Gamarue silently installs itself on the system, sending sensitive information to the command and control center. The stolen data can then be used for identity theft and other cyber-criminal activities.

Gamarue can also download and execute arbitrary files, performing updates without users noticing. The malicious software can also spread to removable drives, so users should be careful when managing important documents through USB devices.

This is not the first time Bitdefender spots a wave of Trojans spreading through FedEx spam. In 2008, scammers abused the company’s name and tricked users into downloading Trojan.Spy.ZBot. The malware was loaded on an e-mail informing customers that FedEx couldn’t deliver a specific package. Trojan.Spy.ZBot stole sensitive e-banking data and monitored browser activities.

FedEx is a common target for cyber-criminals, who only change the bait from time to time. Other excuses to ship malware include parcel delivery notifications. Scammers also request money in return for delivery of a package by posing as representatives of the shipping service. They also go so far as to create spoofed web sites to collect usernames, passwords, Social Security Numbers, credit card details and more.

“FedEx is not responsible for any charges or costs incurred as a result of unauthorized or fraudulent activity that abuses the FedEx name, service marks and logos,” the company warns. “FedEx does not request, via unsolicited mail or e-mail, payment or personal information in return for goods in transit or in FedEx custody.”

The Gamarue Trojan also affected Vodafone’s reputation in 2012, when the malware disguised as an MMS infected clients of the telecommunications company in the UK. At the beginning of this year, the Vodafone malware campaign went large-scale, with the Dutch also targeted by Gamarue. In Germany, the Trojan spread in a separate spam campaign that infected users who clicked on a fake hotel reservation.

Users should think twice before clicking on links and attachments they receive via e-mails, even when they seem to come from reputable companies. Having antivirus software installed and updated helps keep them safe from malware, zero-day exploits, spam, phishing and fraud.