Fake email from Royal Mail regarding detained package contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Mail – Lost / Missing package”.

This email is sent from the spoofed address “Royal Mail Group” and is, according to our logs, mainly directed at co.uk domain owners. The email has the following body:

Mail – Lost / Missing package – UK Customs and Border Protection

Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.

Please fulfil the documents attached.

Screenshot of the email:

The attached ZIP file has the name Royal-Mail_B0AE39A385.zip and contains the 107 kB large file RoyalMail_Report-ID-37846378962513415238471238476218736487123684.pdf.

The trojan is known as Trojan.DownLoader9.22851, Heuristic.BehavesLike.Win32.Suspicious-BAY.K or Mal/Generic-S.

This executable creates a process on the infected system, modifies the Windows registry, changes the firewall policies and installs itself to run when the system boots. It can steal information from local internet browsers, harvest credentials from FTP clients, collect information to fingerprint the system, perform HTTP requests and start servers listening on port 7748, port 6023 and port 0.

At the time of writing, 3 of the 48 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: f0f02d25bfb4cbd924d46a9a4d9fd72b338bd350532005d1150028483b12e8d9
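The indicators above (the campaign subject, the Royal-Mail_XXXXXXXXXX.zip attachment, a very long "report" filename ending in .pdf that is in fact an executable, and the published SHA256) are enough to write a gateway-side triage check. The script below is an added example and not MX Lab's code: it builds a constructed lookalike message in memory, unpacks the ZIP attachment and reports the mismatches a filter or analyst would look for. The inner file in the sample is inert bytes starting with an MZ header; that the real payload is a Windows PE file is an assumption here, since the post only calls it an executable.

```python
"""Attachment triage for the "Mail - Lost / Missing package" campaign.

Added example (not MX Lab's code). Builds a constructed sample message,
then runs the checks a mail gateway or analyst would apply: subject match,
attachment name pattern, inner file whose extension says PDF but whose
magic bytes say otherwise, and a SHA256 lookup against the IoC in the post.
"""
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# IoC published in the post (SHA256 of the malicious sample).
KNOWN_BAD_SHA256 = {"f0f02d25bfb4cbd924d46a9a4d9fd72b338bd350532005d1150028483b12e8d9"}

# Subject and attachment naming seen in the campaign (en dash or hyphen).
SUBJECT_RE = re.compile(r"Mail\s*[\u2013-]\s*Lost\s*/\s*Missing package", re.I)
ATTACH_RE = re.compile(r"^Royal-?Mail_[0-9A-F]{10}\.zip$", re.I)

# Magic bytes: what a file claims to be vs what it actually is.
MAGIC = {b"%PDF": "pdf", b"MZ": "pe-executable", b"PK\x03\x04": "zip"}


def sniff(data: bytes) -> str:
    """Classify a blob by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_zip(blob: bytes) -> list:
    """Return a list of findings for the members of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            kind = sniff(data)
            if ext == "pdf" and kind != "pdf":
                findings.append(f"{name}: extension .pdf but content is {kind}")
            if len(name) > 60:
                findings.append(f"{name}: unusually long filename ({len(name)} chars)")
            if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
                findings.append(f"{name}: SHA256 matches known sample")
    return findings


def triage_message(msg: EmailMessage) -> list:
    """Run subject and attachment checks over a parsed message."""
    findings = []
    subject = str(msg.get("Subject", ""))
    if SUBJECT_RE.search(subject):
        findings.append(f"subject matches campaign: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if ATTACH_RE.match(fname):
            findings.append(f"attachment name matches campaign pattern: {fname}")
        if sniff(payload) == "zip":
            findings.extend(triage_zip(payload))
    return findings


def build_sample() -> EmailMessage:
    """Constructed lookalike of the campaign email (sender address is a placeholder).

    The inner '.pdf' is inert bytes with an MZ header; the assumption is that
    the real sample is a PE file, which the post does not state explicitly.
    """
    inner = b"MZ" + b"\x00" * 62 + b"constructed, inert bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RoyalMail_Report-ID-37846378962513415238471238476218736487123684.pdf", inner)
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Royal Mail Group <spoofed@example.invalid>"
    msg["To"] = "recipient@example.co.uk"
    msg["Subject"] = "Mail \u2013 Lost / Missing package"
    msg.set_content("Please fulfil the documents attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Royal-Mail_B0AE39A385.zip")
    return msg


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print("FINDING:", finding)
```

On the constructed sample this reports four findings (subject, attachment name, .pdf-named member with a non-PDF header, and the over-long member name); the hash check only fires when the member's SHA256 equals the published value, which a gateway would extend with a feed of known hashes. The extension-versus-magic check is the one worth keeping even after this campaign is over, because it does not depend on the subject line or the attachment name that the senders change between waves.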

UPDATE 04/12/2013 15:34 (Belgian local time):

Please note that there is a new blog article regarding this threat.

64 Responses to Fake email from Royal Mail regarding detained package contains trojan

  1. gasman1837 says:

    Brilliant, exactly what I needed to know. I received 2 of these to different addresses and immediately noticed that they had different references and as I and little package mail it was clear that there could not be 2 lost packages – but it is a good one – don’t get caught out. Never open any attachment that comes from somebody you don’t know. The return addresses were different and bogus.

  2. Zoe says:

    Just had the same email myself! Thank you for the info!

  3. matt says:

    yeah me too, thanks for the heads up

    • Google.co.uk/account/recovery says:

      Just had the same email and tried to download the attachment, as I have recently posted packages to Australia. I received a message from my computer that this type of attachment could not be saved or opened, so I hope that has saved me.

      • KBEES says:

        Prat for opening the attachment, some goons never learn.
        Hopefully, you have learnt your lesson

  4. uytrewq says:

    yes saved the day with me as well

  5. Ast77 says:

    Same with me was just about to open the attachment, mcafee stopped it and you appeared in my google search! Thank you!

  6. Sam says:

    I stupidly started to download this. I have since unplugged my PC from the Internet and I’m checking bank balances via my banking app. What can I do to clean my computer? I will inform my banks and the usual things.

  7. John Sayer says:

    Unsuspecting, I tried to download the attachment, but my Kaspersky AV took over and disinfected my computer, followed by a full scan. Thank you Kaspersky, you did your job.
    Thanks for info.

  8. Lauren says:

    Just received this email too, thankfully I already suspected it was a scam of some sort, so decided to google it before opening the attachment. So thank you very much for this post, I’m relieved to know I was right in deleting it.

    • George says:

      That’s exactly what I did as well, just google it and my suspicion was true, thank you for the info

  9. Khaled says:

    Pretty convincing email, fortunately Norton did its thing and removed it before I could open it like an idiot. Thank you Norton.

  10. no likey no clickey says:

    glad you all were wise to these stupid fraudsters as i nearly opened it until i googled it, these scumbags need to find something else to do with their time and leave us all alone

  11. Kathryn Davies says:

    I too received one of these and rather stupidly decided to open it. I was unsuspecting as I’ve ordered a lot on line recently for Xmas and just thought it was referring to an item I had ordered. I tried to open it on my iPad and now cannot seem to be able to get out of the email or out of my hotmail account. Anyone have any advice??

    • mxlab says:

      Your iPad remains unaffected. The reason why your app or email stuck is something else. Close down your email app and restart it.

  12. barbryn says:

    I got this today – the weird thing being that my luggage had been lost on a flight home yesterday, and I was expecting a delivery that could well have been from UK Customs and Border Protection. Realised from the writing that it was phishing, but I was a bit paranoid that they were somehow targeting me deliberately.

  13. Karen King says:

    Thank you so much. Exactly what I needed to know, although I was pretty suspicious as hadn’t ordered anything using my work email address. Have shared this with all my FB & LinkedIn crew. Good work keeping on top of these scum!🙂

  14. Caroline Carroll says:

    I deal with Royal Mail and was expecting to hear about a genuine missing parcel when this turned up. Because of all the news on TV I googled the group name and found out it was fake, so straight into the bin and then dumped. I never ever open, always bin; if it was real then I am sure people would get back in touch.

  15. Tom says:

    Got into work this morning to find about 30 of these on the email system. Been getting them all day and so far up to about 53 of them and I’ve only been in 2 hours! Knew something was fishy so I thought I’d check out what it was trying to do… Anyone know a way to block them cos they’re coming through from different senders on different domains so i can’t just block 1 domain…

  16. Tom Coleman says:

    i stupidly downloaded this as I’m expecting several packages that have not been delivered on time. I have not opened it however, so am I safe? Going to run a virus scan just in case.

  17. Deyrick says:

    They are still sending these out as I got one today on my @mail.com account.
    Was not expecting anything and the wording seemed weird so googled it and you came up.
    Thanks for confirming suspicions.

  18. Deyrick says:

    I sent an email to the Scam center of Royal Mail, they are aware of this and are working to get it shut down.

  19. AJay says:

    Nice one! I had 3 but I have also ordered stuff online so it almost caught me out until “I JUST RECEIVED AN EMAIL FROM MASTERCARD SAYING MY DEBIT CARD HAD BEEN BLOCKED”!!!! I noticed it also had a Zip attachment which is why I googled it! There’s not much info on it, but thankfully I found this! Just a heads up guys!

  20. walter says:

    just received it today so thanks for the info

  21. Jane Atkinson says:

    Thank you so much for the information. Got two today and wondered how Royal Mail had my email address so Googled it. This information is now on my Facebook page with your link. I’m really grateful to you for checking these things I don’t need this before Christmas.

  22. Pingback: “Important notification for a Mastercard holder” with trojan disguised as email from Mastercard | mxlab - all about anti virus and anti spam

  23. Kirsty says:

    Thanks for this page. I received the email but I noticed when I opened it that the email address was from “@bell.ca” so didn’t download the attachments. Seemed strange so that tipped me off: no way an email would come from Royal Mail and not use an official email, never mind the fact it’s a Canadian one. Other than that it’s quite convincing and could catch a lot of people out expecting gifts from loved ones abroad etc

  24. Mrs Birch says:

    Received today, and did attempt to open it. Thankfully Norton prevented it from opening. It is strange how they know when goods have gone missing or you’re waiting for items to arrive?

    I’ve had problems already with ‘deltasearch’ on my daughters laptop. Complete nightmare.
    Readers: please also be aware of the Victoria Secrets official UK website, it is a fake website! VS are aware of this and are having problems closing the sites down, apparently there are two operating at the moment. Unfortunately I am a victim of this too!!

    • mxlab says:

      > It is strange how they know when goods have gone missing or you’re waiting for items to arrive?

      They simply don’t know if your goods are missing but send this type of email out for a very good reason. It is the end of 2013 and a lot of people have ordered something online in a web shop so they are counting on the chance that someone will read the email and believes he/she has lost the package and eventually will open the attached email.

  25. Anna says:

    Hi, I received that email this morning and actually opened it… I’m using linux though. Does it affect linux? I’ve got two systems installed, windows and linux, but I ran it on linux… Would appreciate advice. Thanks.

  26. just had royal mail email same as above but luckily windows would not open it the folder was called b2afe82065 zip

  27. Pingback: Newer version of fake email from Royal Mail regarding detained package | mxlab - all about anti virus and anti spam

  28. Jan Parker says:

    Same email came through in junk box, which I usually just trash all contents but Royal Mail alerted my attention! Like others, have things on order so read it. However couldn’t understand how Royal Mail would have my address – didn’t ring true!! Hence investigated for scam. Thanks – will get rid of it now!!

  29. Seamus O Dunlaing says:

    My antenna went up when I was directed to download an odd-looking link. There is a fake Norton “OK” symbol included to add ‘authenticity’ to this scam. Clever…

  30. Kate says:

    Thanks, I was suspicious, googled it and this link came up. Phew!

  31. mohani says:

    Just got that now as well! Thanks

  32. Addi says:

    Thanks for the info, received two of the emails

  33. Sam says:

    Thank you, I just got one

  34. Gareth says:

    I have an account with Royal Mail, send a lot of parcels, and Royal Mail never e-mail you! Had 2 sent today but as soon as I saw the zip file I knew.

  35. Rob Shepter says:

    I knew this was suspicious because the Royal Mail would not have my email address written on the outside of a package they were trying to deliver; in addition, they would send a card or letter to the address asking for additional documentation, postage, etc., not send an email. Thirdly, and this was the clincher, I received this spoof email to an address that I never use with online retailers, only with friends, family and genuine companies I have legal dealings with (banks, insurance companies, etc.), and I think it unlikely they will have sold my email address or had it stolen.
    Simple answer – delete and mark as spam/phishing scam.

  36. Lou says:

    I’ve just had this one too.. looked pretty real…. even coming from a ‘royalmail’ email address… then i thought how the hell would they have got my email address:/ so i got rid of it

  37. Antonia Murray says:

    Had 3 of these emails today, was wondering what it was about. A friend looked on Google and found this out, glad for the information thanks

  38. Woo Wah says:

    Damn! good to know…..I send loads of international packages, and accidentally sent one this week without customs docs – of course I got two of these emails and thought it related to that…… luckily I’m on a Mac and even though I was foolish enough to click to open, it’s Windows only. Phew.

  39. Claire says:

    Stupidly I opened the email on my iPhone mail account and downloaded the zip file but could not open the file.
    Will my iPhone be hacked I use my phone to order online through my bank and credit cards. I only opened as I had just ordered something from America 2 days ago!
    Please help I am really worried I will have to cancel all my cards so close to Christmas!

  40. Rosella Smith says:

    I stupidly downloaded this a few times but was unable to open it only because I posted a parcel
    to Australia yesterday did I think it was genuine.
    I have an apple mac(10.5.8), do you think I am safe as I do not have windows.

  41. Aidan Girt says:

    Thank you for this. Just received this email myself in my junk folder, helped to make sure I didn’t download the file. Thank you so much

  42. Malcolm Hayes says:

    Thanks a lot for the info’ – thought about opening the attachment, as the logo etc seemed pretty convincing. Glad I decided to check first. Thanks again for your help.

  43. Emma waters says:

    I stupidly opened it and downloaded the attachment already! Any advice on what to do? Thank you for the info!

  44. eli says:

    I was expecting a parcel today that didn’t arrive so opened the message and downloaded zip, I have a mac what can I do to remove this?

  45. Joanna says:

    Just received this email and Googled to find out if it was a scam or not before trying to open it. I am usually daft enough to open these things without thinking about it but for once I didn’t! So thanks to all the posts I have read I have saved myself a load of problems and my husband shouting at me xxx

  46. Stacey Kelly says:

    Phewww was trying to open this attachment on my iPhone and it wouldn’t let me so was just about to get my laptop out to open it and thought I would google it first, thank god it never.

  47. Will says:

    Does this affect android?
