Capitalizing on the Holidays: FedEx Malware Spam

Like Santa Claus and his cadre of industrious elves, spammers don’t take time off for the holidays. Unlike the jolly old elf and his posse, however, the email-happy scam artists are devious, black hearted little children who deserve giant lumps of coal. This is no truer than this time of the year, when retail sales explode, and the average gift buyer tries to stay ahead of the game by stumbling through the dizzying maze of online shopping opportunities. Online purchases require shipping, and spammers know that, too. So it shouldn’t be surprising, even if it is disheartening, that there are dark souls out there capitalizing on the probability that their targets might have ordered something – perhaps the Clapper or Chia Pet that I clamor for every year and, sadly, never get – and will become the proverbial fly to the spammer’s spider.

That’s why, in the confusing mayhem of the holiday season, anyone who uses email should be aware of the latest scam, this one in the form of a very realistic looking email that appears to come from Federal Express. Being reported by several sources, the bogus email appears to be the real thing, FedEx logo and all, with a notification that the recipient has a parcel they need to pick up.

“Dear Customer, Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you. To receive a parcel, please, go to the nearest our office and show this postal receipt,” the email states, according to

The so-called postal receipt is a clickable icon that uses a document icon to make it appear more…well, document-y. And when it’s clicked, a ‘document reader’ application launches, giving the appearance that everything is good in Chia Pet land.

However, Softpedia reports, “in the background, the malicious element injects code into svchost.exe and contacts its remote command and control server in an attempt to download the payload.”

Chris Boyd over at GFI Labs notes that some browsers will pick up the dirty little piece of code and give you the option to block its download, but also that the resulting file may still end up on your system as a Word Document file pretending to be a zip file.

“Opening the “Word document” (which is actually just an executable file in disguise) will infect your PC with a little something we detect as Trojan.Win32.Generic.pak!cobra,” Chris tells us. “Before you know it, your Trojan chum will delete the original file, create hidden files and make network connections…generally not typical behaviour where a postal receipt is concerned (unless you live in the Eighth Circle of Hell).”

Firmly convinced that the real estate costs are artificially inflated and that the neighborhood is overly pretentious, I personally do not live in the Eighth Circle of Hell, but I get Chris’s point. Do not click this link, ever. Boyd points out that GFI research has linked this type of infection to ransomware, so getting nailed by this email may turn your PC into a package that no amount of ripping and tearing will open.

“These infection files have been linked to Ransomware, in this case something called “Wheelsof” and you may well find yourself locked out of your PC if unfortunate enough to fall for this one.”

It’s pretty clear that spammers, no matter how slippery they might be, are just about as stupid as an empty bucket. In an ROTFLMAO moment, Chris points out that the email message appears to come from “UPS Office” but closes with “The FedEx Team.” (you can read the full text of the email on the GFI Labs blog) As Forrest Gump’s mother used to say, “stupid is as stupid does,” and Boyd gives the spammers an F for flumped.

“A lot of these fake delivery notices are pretty convincing, but hopefully the peculiar mashup of FedEx and UPS is the kind of tip-off that’s up there with Pippin lighting the Warning Beacons of Gondor.”

Lord of the Rings reference accepted, this is a dangerous email. It should be noted that shipping company spam messages aren’t unusual. In fact, a quick Google search shows that spams pretending to be FedEx shipping notices are quite common, giving us comfort in the knowledge that spammers are douchebags all year long.

Written by Malcolm James


  1. Jonah · December 17, 2012

    I haven’t received anything like this, thank God. But I must say this is a very clever ad. I even think that given my knowledge in spam, I will be tempted to still click on the supposed link. It sounds very neat. It’s clean, it’s grammatically understandable, and it’s professional sounding. It could have been perfect, really, if the header or the From field also says FedEx. But then again, if it weren’t for this mistake, more people would have fallen into this malware and compromise data stored in their computers. So yeah thanks for the mistake.

  2. Maria Ortiz · December 18, 2012

    Yep, this one looks very convincing! Since the days right before Christmas are the time to receive gifts ordered online, for example, this scam is very trustworthy. Thanks for notifying us – otherwise I see many people who will easily fall for it because it is so authentic-looking.

  3. Beth · December 21, 2012

    Look out for Fed-Ex spam, too. Creepy.

  4. Savannah · December 21, 2012

    Got this yesterday. Apparently the FedEx package is waiting for me at the post office? Awkward sentence structure, too. But as someone waiting for holiday orders to come in and expecting packages from relatives, I thought about it…

    I’m passing on the warning to friends.



    Order: VGH-7840-9997774307
    Order Date: Friday, 14 December 2012, 01:21 PM

    Dear Customer,

    Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

    To receive a parcel, please, go to the nearest our office and show this receipt.


    Best Regards, The FedEx Team.

  5. Quinn White · December 23, 2012

    That’s a very interesting spam. In fact, I don’t want it to call it spam but rather a prank—well, a more serious prank. To tell you honestly, I was amused! It’s a good tease at FedEx and UPS. By the way, this reminds me of the video I saw a few days ago, about some FedEx guy leaving an iPad delivery at the door and a UPS guy eventually stealing it. Anyway, these two large couriers should pay attention to this stat since obviously the spammer is taking advantage of the holiday season. A lot of people are waiting for their packages and thus are more likely not to be mindful of the small inconsistent details of this e-mail once they received this.

  6. Steve · December 24, 2012

    I actually have 3 in my inbox as I write.

  7. Kailea · December 28, 2012

    Very sneaky, slimy spammers these! We’ve had four so far in the last couple days…and they look about as real as they come, in terms of capturing the FedEx logo. Scan reading, it was easy enough to seem believable. They were even clever enough to put the copyright sign with dates at the bottom!

    What stopped me was remembering that FedEx, like UPS, leaves a slip to sign or take into the FedEx office, if your package is undeliverable.

    But…we were waiting for packages. Had FedEx changed their protocol? Closer reading revealed terrible grammer and poor sentence structure, and even a word missing here and there. Thank God my English major came in handy.

    Here’s one we got so you can see for yourselves. I’ll be spreading the word – to FedEx, friends and family, and via my social media accounts.

    Order: VGH-9106-2024138653
    Order Date: Friday, 14 December 2012, 01:21 PM
    Dear Customer,

    Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

    To receive a parcel, please, go to the nearest our office and show this receipt.


    Best Regards, The FedEx Team.

  8. doug · January 2, 2013

    Anyone with a moderate grasp of English grammar would not be fooled by this silly email. Your parcel “has arrived” on a particular date? No; rather, it “arrived” on a particular date. It arrived “at” the fourth of December? No; rather, it arrived “on” the fourth of December. Go to the nearest “our post office” rather than the nearest “post office”? And why is “please” bracketed by commas when only the first comma is necessary (not to mention most conducive to meaning)?

    I’m no fan of spam, but anyone fooled by this email hopefully received a remedial grammar book in his or her FedEx package….

  9. Bernard Dy · January 2, 2013

    Steve, that’s REALLY scary! It’s a good thing, though, that you didn’t open any of them. Is it because you’ve already read this blog? Good for you, because I know a friend of mine almost fell into it, if not for this blog link I had sent two days before he received the fake message. But he said that it really sounded kind of authentic.

    I think that’s how spam is going to sound from now on. They’re getting really smarter, and I think they’re taking the time now to really study how good e-mail messages look like.

  10. Lilli · January 26, 2013

    Thanks to this blog I didn’t open these messages. I have 2 sitting in my gmail spam folder and was pretty tempted to click on the links. Who doesn’t want a parcel? Tricky tricky…

  11. Eimear · February 14, 2013

    Thanks to gmail putting these messages into spam I haven’t been tempted to click on them but I have received loads, just searched today to see what it was and now thankful I haven’t clicked on where it says print receipt

  12. Fed Ex Abuse · February 15, 2013

    If you have any of these emails you can send them to

  13. Edie · February 28, 2013

    Just got this today. They’ve cleaned up the language, so it now reads:

    Tracking ID: 3454-54769042
    Date: Monday, 18 February 2013, 10:22 AM

    Dear Client,

    Your parcel has arrived at February 25.Courier was unable to deliver the parcel to you at 25 February 06:33 PM.

    To receive your parcel, please, print this receipt and go to the nearest office.

  14. Eliza · March 1, 2013

    Received it a few days ago, and tried opening it as I did not suspect it was a spam. The attachment did not open. Can anyone tell me this is okay if the attachment is not opened? I have virus protection software on my laptop. Will that help screen out the malware? Help!!!

  15. Dopey Carole · March 6, 2013

    I’ve opened 2 of them as I’m expecting a parcel! What do I do now???

Leave A Reply