Fake UPS Email Downloads a Virus

If you receive a "UPS Customer Service" email with your name and a link to download an "ePackage", then your email account has probably been compromised (maybe in a recent data breach like Home Depot or Target). Do NOT click the link. It will try to download a dangerous virus or other malware to your computer.

UPS Fraud Warning: UPS notes on its fraud page that it does send some emails with "epackage" links to help protect sensitive information and warns that any such links will always start with https://epackage1.ups.com. That was not the case here.

How It Works

You get an email that looks like it came from UPS, with a message that tries to get you to click on a link. The link goes to a PHP file on a hacked WordPress site that tries to download a dangerous zip file to your computer. The email was addressed to you, and after you click the link the UPS website appears in your browser, so you think the email really was from UPS. It wasn't.

UPS Customer Service fake email

How It Works: The fake UPS Customer Service email links to a PHP file that tries to download a dangerous zip file, then takes you to the UPS website to make it look legitimate.

What's New About this UPS Spam

This is a new twist on an old scam that uses some inventive ways to trick you into opening the dangerous "payload".

  • Uses Real Name / Email: The email is sent to your actual email address and uses your name in the body of the message. So, the spammers have somehow gotten this information, probably from a prior phishing scam or a recent data breach, like the Home Depot or Target hacks. This is done to make the email look authentic, like it really came from UPS. It did not.
  • Goes to the UPS Site: If you click the link (which you should not do), the UPS website opens in your browser window. But the link goes to an executable file (like a PHP file on a hacked WordPress site). That file attempts to download the dangerous payload to your computer and THEN goes to the UPS website, making you think everything is OK. It's not.
  • Holiday Season: This spam campaign was sent during the Christmas / holiday shopping season, when people are more likely to be expecting packages or email from UPS, and are thus more likely to trust email like this.

The email uses real names and email addresses to make it look more authentic so you click on the dangerous link.

Legitimate companies like UPS do not send emails with links to your account unless you have specifically requested something (like a password change). So, you should never click on a link in an email like this. UPS even has a warning posted on its website about these scams.

How We Block this Spam

We are blocking these using a few filters, including one that catches long phrases we know are only going to appear in this spam. It's a great example of why blocking single words or short phrases is a bad idea. A lot of legitimate email includes the words UPS, package, delivery, etc., so blocking on any of those would produce many false positives (good email incorrectly flagged as spam).

Other examples from recent spam include eFax, ADP, American Express, etc. That's why we block on the long phrases and variations that we know will only appear in spam.

We're also blocking it with "content" filters that let us do complicated header analysis, body scans, etc. to really nail down spam like this. We recognize it as a UPS message and then check that things like headers and sending IP match those used by UPS. For example, one step in this process is to check that the SPF records match.
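
The header and link checks described above, together with the UPS ePackage link rule quoted earlier, sketched in Python as an added example (this is not SpamStopsHere's filter code). It assumes the receiving server records the SPF result in an Authentication-Results header, that genuine UPS mail is sent from ups.com, and that every link in an ePackage notice should be on the host UPS names; the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

EPACKAGE_HOST = "epackage1.ups.com"  # link host UPS names on its fraud page
BRAND_DOMAIN = "ups.com"             # assumption: genuine UPS mail uses this domain
# Constructed samples (single-part text; addresses and hosts are placeholders).
FAKE = """From: "UPS Customer Service" <info@blog.example.org>
Subject: Your ePackage
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=blog.example.org

Dear Jane, get your ePackage here: http://blog.example.org/wp-content/doc.php?id=1
"""
GENUINE = """From: "UPS" <noreply@ups.com>
Subject: Your ePackage
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ups.com

Your ePackage is ready: https://epackage1.ups.com/view?id=1
"""

def in_brand(domain):
    return domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)

def spf_pass_for_brand(msg):
    """True when the receiver recorded spf=pass for a ups.com envelope sender."""
    hdr = msg.get("Authentication-Results", "")
    verdict = re.search(r"\bspf=(\w+)", hdr)
    mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", hdr)
    ok = verdict and mailfrom and verdict.group(1).lower() == "pass"
    return bool(ok) and in_brand(mailfrom.group(1).rpartition("@")[2].lower())

def check_ups_mail(raw):
    """Reasons a UPS-branded message fails the checks; an empty list means none."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    if not re.search(r"\bUPS\b", display + " " + body):
        return []  # not presented as UPS, nothing to compare against
    reasons = []
    if not in_brand(addr.rpartition("@")[2].lower()):
        reasons.append("From domain is not ups.com")
    if not spf_pass_for_brand(msg):
        reasons.append("SPF did not pass for ups.com")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        parts = urlsplit(url)
        # Exact scheme and host: a prefix test accepts epackage1.ups.com.example.net
        if parts.scheme != "https" or parts.hostname != EPACKAGE_HOST:
            reasons.append("link is not on epackage1.ups.com: " + url)
    return reasons
```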

For More Info

SpamStopsHere works differently from other anti-spam programs. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Our spam review team, along with our proprietary Spamalyzer 3.0, analyzes and blocks email threats for our customers 24/7/365. That's a claim almost no other antispam provider can make.


Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.