Gift of Trojan.Smoaler Delivered Through Fake FedEx Emails

Symantec Security Response is aware that fake FedEx emails have been circulating recently. The emails claim the user must print out a receipt by clicking on a link and then physically go to the nearest FedEx office to receive their parcel. Obviously the parcel does not exist, and those who click on the link will be greeted by a PostalReceipt.zip file containing a malicious executable, PostalReceipt.exe. Instead of receiving a parcel, which the user did not order in the first place, Trojan.Smoaler is delivered to the computer.

The fake FedEx emails delivering this malware are almost identical except for the order numbers and the website the zip file is hosted on. One sign of laziness, or perhaps an oversight on the part of the malware author, is a consistent order date. The author does change the domain where Trojan.Smoaler is hosted daily. The following emails were spammed out in 2013 on January 21, 25, and 26.
 

Figure. Fake FedEx emails spotted in 2013 on January 21, 25, 26
 

Symantec detection Trojan.Smoaler!gen4 protects customers from this threat.

We should all know by now that the only unordered parcels we ever receive are gifts from Santa Claus. Even though Santa and his reindeer may be struggling to keep up with the ever-increasing number of gifts that need to be delivered on Christmas night each year, we are sure he would not send them through a courier delivery service!

FedEx has posted a warning on its website along with further information about online security. As always, we recommend that users keep their antivirus software up to date and avoid clicking on links in emails received from unknown senders. If a suspicious email originates from an organization that you do not have any personal business dealings with, assume that it is potentially malicious and do not open it.
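As an added example (not Symantec's code or detection logic), the sketch below checks a message for the traits that stay constant in the delivery chain described above: a link to a zip file hosted outside the brand's own domain, and an archive that holds an executable. The function names, extension list, sample message and host name are constructed for illustration; `fedex.com` as the legitimate domain is an assumption.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

BRAND_DOMAIN = "fedex.com"  # assumption: the domain the lure claims to represent
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # illustrative list

def archive_links_off_brand(raw_bytes):
    """Return body URLs that point at a .zip hosted outside BRAND_DOMAIN."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            on_brand = host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)
            if parsed.path.lower().endswith(".zip") and not on_brand:
                hits.append(url)
    return hits

def executable_members(zip_bytes):
    """Return names of archive members that carry an executable extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]

def build_sample_email(url="http://host.example/PostalReceipt.zip"):
    # Constructed message: sender, subject, wording and host are placeholders.
    m = EmailMessage()
    m["From"] = "FedEx <notify@mail.example>"
    m["Subject"] = "Tracking notification"
    m.set_content(f"Print your receipt: {url}\n")
    return m.as_bytes()

def build_sample_zip(member="PostalReceipt.exe"):
    # Constructed archive: the member holds placeholder text, not a program.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(archive_links_off_brand(build_sample_email()))
    print(executable_members(build_sample_zip()))
```

Because the hosting domain changes daily, the link check keys on the archive type and the mismatch with the brand's domain rather than on any specific host.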