Email scam aims to drop Dridex on machines by impersonating FedEx, UPS

Hackers are sending spoofed emails that appear to be from FedEx, UPS and DHL as part of a mass emailing campaign meant to infect victims’ computers.
dridex email scam
A stack of sender's receipts from FedEx and UPS. Both companies, along with DHL, are seeing their email delivery notices spoofed by criminals. (Getty Images)

As more Americans rely on package deliveries during the coronavirus pandemic, scammers are trying to capitalize on the tracking process by sending spoofed emails containing malicious software.

Hackers are sending spoofed emails that appear to be from FedEx, UPS and DHL as part of a mass emailing campaign meant to infect victims’ computers, according to research initially published on May 5 by the security vendor Votiro. The messages appear to include package tracking updates, though at least some of them aim to infect recipients with a strain of malware known as Dridex, which is typically used to steal bank account data.

The messages usually ask recipients to download an invoice, or view their tracking information.

Code in the images, links and header of the email all appeared to be legitimate, providing the hackers with cover. They also disguised many of the messages to make them appear as if they arrived from a trustworthy corporate data center, such as a UPS billing center.


“The idea is to mask it as something that’s not bad,” said Richard Hosgood, a director of engineering at Votiro. “The [victim] wouldn’t even know that there’s something going on.”

An example of the spoofed UPS messages thatstarted appearing in inboxes in April (Votiro).

Rather than including a malicious Microsoft Excel attachment in the email, researchers noted, the attackers in this case relied on code that beaconed to an external website. Victims then would be asked to enable “macros,” which are widely used commands in Microsoft apps, at which point a malicious file is downloaded instead of the seemingly innocuous Excel document.

While not totally unique, the hackers increasingly seem to be relying on outside websites to infiltrate victim machines, instead of booby-trapped email attachments, as part of an approach that Hosgood said was like the cyber equivalent of talking on a disposable burner phone to avoid detection.

“It was really smart,” he said. “They modified the code just slightly to avoid being recognized as a known threat by most anti-virus software.”


Hackers are avoiding detection by utilizing a relatively new tool called “Evil Clippy,” unveiled as a red team hacking tool by researchers in 2019. Other security firms also have detected he malicious use of Evil Clippy in recent months, including findings from Trend Micro which suggested that cybercriminals have adopted Evil Clippy as an evasion technique.

“It looks like a legitimate threat [and] the use of Evil Clippy takes it up a notch,” said Allan Liska, a threat intelligence analyst who reviewed the Votiro research. “[T]here has not been enough discussion of it.”

Attackers appear to have sent the first email in this fraud campaign on April 20. It appears to be aimed at a list of individual web users, rather than employees of a specific company, or customers of a single delivery service, Hosgood added. The number of victims affected was not immediately clear, he said.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts