Security researchers within the Marshal TRACE Team have warned that malicious spammers are using fake United Parcel Service invoices in order to deliver a malware payload.

Spammers are always looking for a new and convincing hook to snare unsuspecting users into downloading malicious components from the web. This new attack uses the Pushdo botnet to distribute fake UPS invoices that supposedly need to be printed in order to claim an 'undelivered' package from the local office.

Of course, the attached executable file, called 'ups_invoice.zip' and given an MS Word icon in an attempt to add authenticity, is not an invoice at all. Instead, it installs malware which "seeks to download more malicious components from the web", according to Marshal.

“For the unwary or uninitiated, at first glance, the message appears to come from UPS,” warned Phil Hay, Lead Threat Analyst for Marshal TRACE Team. “The subject line of the message provides a seemingly official tracking number and the message itself seems sincere.” However, on closer inspection you might notice that the message is full of spelling mistakes and grammatical errors that would be unlikely to escape from any official UPS outlet.

“The subject line misspells the word packet,” Hay reveals, “and the message provides no contact address for the supposed collection of the package.”

All of this should set alarm bells ringing, which is just as well considering that the Pushdo botnet is currently estimated to include some 125,000 compromised computers and is responsible for the distribution of 16 billion spam messages per day, according to Marshal’s statistics. Indeed, Pushdo is currently the fourth-largest botnet in terms of spam volume...

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old-fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
