IT Security Blog

01 October 2008

Fake UPS Delivery Notifications


Today must be "Return of the Old Tactics" day.  A little while ago I wrote about a new tactic being employed for an old Google AdWords phish, and now we are seeing a spin on the fake FedEx delivery notification emails that have been so prevalent over the past month, except now they are targeting UPS.

We are seeing a number of emails hitting our spamtraps that appear to be from "United Postal Service" with a subject line of "[NO-REPLY] UPS Tracking Number 89259281" (the eight digits at the end are random). These messages carry an attachment named UPS_LETTER.zip, which contains an executable file named UPS_LETTER_N839925.doc.exe. The six digits in the filename may be random as well; we are still collecting more samples to be sure.
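The traits described above (the subject pattern and a zip attachment holding a file with a document extension followed by .exe) can be checked at a mail gateway without extracting anything. The following is an added example, not code from the original post; the function names and extension lists are assumptions, and the sample message is constructed inline with placeholder bytes.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject from the post: fixed prefix followed by eight digits.
SUBJECT_RE = re.compile(r"^\[NO-REPLY\] UPS Tracking Number \d{8}$")
# Document-looking extension directly followed by an executable one.
# Both extension lists are assumptions made for this example.
DOUBLE_EXT_RE = re.compile(r"\.(doc|pdf|xls|txt|jpg)\.(exe|scr|pif|com)$", re.I)

def zip_member_names(payload):
    """Return archive member names without extracting any content."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def inspect_message(raw):
    """Report the subject match and any double-extension executables."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT_RE.search(name):
            hits.append(name)
        if name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            hits += [f"{name}:{m}" for m in zip_member_names(data)
                     if DOUBLE_EXT_RE.search(m)]
    return {"subject_match": bool(SUBJECT_RE.match(subject)),
            "disguised_executables": hits}

def build_sample(subject, zip_name, member_name):
    """Constructed test message; the zip member holds placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "spamtrap@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed test message")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

The attachment check is the more durable of the two signals, since the subject wording and body text of these messages vary between runs.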

The message body has the following text:

Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS


This tactic is similar to the FedEx scam (see original post from August 22nd here) in that the message claims to be a notification of non-delivery of a package that you sent and the spammer wants you to open a copy of an "invoice" (read: malware). Also similar to the FedEx tactic, the message is very nondescript as to where to pick up the package, which should be an obvious tip-off that something is not quite kosher with this email.
We are still collecting volume stats on this new tactic, so as soon as I have those, I will update this post.


*** UPDATE 10/2/2008 13:45 MDT *** As of 9am today, average volume is approximately 100,000 fake UPS notifications per hour. We are continuing to monitor to see if this increases or decreases, but as of the time of this update we have seen over 2M of these messages processed by our systems.
Posted by smasiello at 4:49 PM
Re: Fake UPS Delivery Notifications
This is what mine said...I got it tonight:

Sorry, we were not able to deliver postal package you sent on November the 1st
in time
because the recipients address is not correct.

Please print out the invoice copy attached and collect the package at our
office.
If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS
Posted by BG on November 19, 2008 at 7:07 PM

Re: Fake UPS Delivery Notifications
I received a message of this type on August 6, 2009. Should I report it to someone or just delete it?
Posted by Barbara Almli on August 6, 2009 at 8:43 PM
