Careful again: FedEx Doesn’t Leave Your Package at the Post Office

Here’s another sample of what’s not safe to open.
Again, the clues are clear, if you’re careful before you click:
Fake FedEx notice

  • There are punctuation and grammar errors in the message.
  • The link that you’ll see when floating the mouse over that ‘Print Label’ link doesn’t match the ‘from’ domain, and isn’t Fedex.com.
  • European date format used by a US-based company.
  • The logo is a bad jagged paste, and is missing the circle-R symbol for ‘registered trademark’.
  • FedEx has no pickup service at their competitor, the “nearest” US Post Office.

Now, that’s already enough information to make me delete the email, but I’ll look a little deeper:

I downloaded the “label” to look–it was “Shipping_Label_US_Westminster.zip” and it held one file, “Shipping_Label_US_Westminster.exe”.

The antivirus I’m running didn’t object to either file; it probably can’t detect today’s variation yet.

I looked inside that file with an extraction program, and found a .rsrc folder, and files .text, .rdata, .data. Inside the folder there were two .ico files, basically desktop icons.

That’s enough to tell me that it appears to be a script to install software. It’s clearly not a label–that would be a PDF or a JPG image.

IMO, the most-likely payload would be a rogue/fake security program, either scare-ware or blackmail-ware. The message itself isn’t infectious, just don’t click that link.

Jerry Stern is webmaster at PC410.com and Startupware.com.