Fake USPS e-mail checks user IP to evade cloud URL filters

vbimport

#1

We’ve just posted the following news: Fake USPS e-mail checks user IP to evade cloud URL filters[newsimage]http://static.myce.com/images_posts/newsitem_small.jpg[/newsimage]

One of the latest scams involves getting a USPS e-mail where the link inside checks the IP address of the user. If the IP appears to be a hosting provider such as what may host a cloud based URL filter, then a 404 Not Found page is issued, otherwise a Zip file is delivered containing Malware.

            Read the full article here: [http://www.myce.com/news/fake-usps-e-mail-checks-user-ip-to-evade-cloud-url-filters-71838](http://www.myce.com/news/fake-usps-e-mail-checks-user-ip-to-evade-cloud-url-filters-71838)

            Please note that the reactions from the complete site will be synched below.

#2

Great story Sean
I actually got something looking like this this morning.I deleted it right away


#3

I’ve been getting them for a while now, not only from the USPS but from FedEx and UPS as well. Just looking at the email itself is enough to set off warning bells, at least to someone with a modest amount of experience dealing with spam; it practically screams “hey, I’m a virus!”.


#4

I will add DHL to the list of fakes.
One way is I know if I have something ordered.
A lot of stores send tracking numbers also.

When I get one of these I go in the “backdoor” of the e-mail instead of opening it.
Right click on the unopened suspect e-mail. Select “Properties” .Then the “Details” tab ,then “Message Source”. Read down through it.
I’ve had e-mail form all 4 . It always wants you to “Print a label” & tells of a missed delivery. I don’t remember the exact message about the e-mail address but it indicates that it isn’t a valid one.


#5

“What about escalation?”

Great article, thanks for the heads up.


#6

Great piece of research Seán! :clap:

These scams get more and more sophisticated all the time.

[B]Wombler[/B]


#7

While I have received the fake FedEx and UPS e-mails, so far they have all had infected attachments instead of a smart link.

Interestingly, I even the occasional one in a different language. The following is one I received just a short while ago which appears to be a fake clothing store invoice:

From a quick test the links are not smart like the fake USPS e-mail as each one resulted in a download even while connected to a German VPN server that would have resulted in a 404 Not Found error for the link in the fake USPS e-mail.

The resulting download for this foreign language e-mail was a zip file containing a .cpl (control panel executable) file. This one showed 18 detections of 54 with Virus Total, so probably not a fresh infection either despite just getting the e-mail.



#8

The following shows this link in action - When connected to a German VPN, it gives a 404 error and VirusTotal shows it clean. However, when connected to an Irish VPN, the link delivers an infected Zip file:

//youtu.be/jiCzjsKlQWY


#9

Good video Seán .
What do you think of the “backdoor” method I posted in #4 .
To take a peek at this type e-mail?
I believe doing it that way is safe.
Any opinions on that ?


#10

For the last USPS e-mail I got, the ‘From:’ address would have been enough to show something’s not right, as the spammer didn’t appear to forge the domain. I.e. it was "status_id32@croquencuisine.com"

Going by the header, it appears like a compromised home server: “Received: from s16268226.onlinehome-server.info (s16268226.onlinehome-server.info [82.165.199.215])”

Even the script that sent the e-mail appears to be listed, i.e. one line is “X-PHP-Originating-Script: 10010:kt10ye.php”.

On another e-mail I received claiming to be an eFax, it’s actually a little more tricky for the average user to check as it uses an official looking forged e-mail address "message@inbound.efax.com", has official embedded images and links that point to efax.com and the attachment is a PDF file (using an Adobe exploit)

Going by the header, the only giveaway would be the DNS “Received: from 71-20-217-97.clt.clearwire-wmx.net (unknown [71.20.217.97])”, i.e. Clearwire is a fixed wireless broadband ISP. It has a Thunderbird user agent and little other details in the header.


#11

Interesting piece ! I learned a lot from the information , Does anyone know if my business could get access to a blank 2013 MO DoR 149 version to work with ?


#12

[QUOTE=Edna;2761592]Interesting piece ! I learned a lot from the information , Does anyone know if my business could get access to a blank 2013 MO DoR 149 version to work with ?[/QUOTE]
You can do more if you just search online with yahoo or google to find this information. It’s not that hard to do that will tell you if there is one available or not or if you have to pay to get them.