The first batch of iPhone 5s will be delivered on Friday of this week. Apple sold more than 2 million of the new phone in less than 24 hours so clearly there's a huge interest in getting the device. This means that many people are eagerly waiting for their shipping notifications, to learn when the phone will arrive. I'm one of the people who pre-ordered an iPhone 5, and I'm still waiting for my delivery notification. From reading discussion forums online, I know that all orders from Apple's online store will ship with UPS. So when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't.
Instead the email contained an attached HTML page that, when loaded, displayed the page below:
When I look at the emails monitored by our Cloud Email Security service, I can see that we've intercepted and blocked over 45,000 emails similar to this one. UPS/FedEx lures are not new, but in times like this -- when people are eagerly waiting for an email of this type -- the risk is great that recipients will have their guards down and will run the attached file.
The page above isn't as innocent as it looks. There's a hidden, obfuscated script on the page that deobfuscates to this:
We can see that it loads an iframe from a .RU domain, which is a Blackhole Exploit Kit site that pushes a banking trojan to the PC. See our ThreatScope report for more information and hashes. On a side note, the phrase used for the .RU domain name translates to "money on account". Banking trojan, money on account... there's no doubt that the motivation for this exploit is financial!
Our recommendation is to be extra careful if you're waiting for a delivery notification, and don't run any attachments contained in those types of emails.