Digital Spy

DS Forums

 
 
 

Package Delivery Scam


Old 22-01-2013, 15:09
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,550

My sister phoned me last night to say she'd got an email from "Fed Ex" to say there was a package waiting for her at the depot and to download a receipt/delivery note. "I don't normally order things on-line that are bigger than the letter box so wondered if this was genuine or not?" Of course it isn't.

I logged into her email account, or rather I tried to - the password had been changed. Through the "forgot your password" link I was able to regain control of the email account and today I've done a scan with MB and SAS on her machine but nothing was found.

I wasn't aware email passwords could be changed as easily as that. Do ISPs (BT Internet in this example) provide an API so that passwords can be changed in this manner without having to use something like Captcha or entering the original password first? Looks like a security hole that could be closed.

Given that all that looks to have happened is attempting to take control of the email account via a password change, I presume that they were going to be sending out spam from this account to any contacts found. Does anyone have experience of this kind of scam and is there anything else I should consider besides the following before allowing use of the laptop again?

1) MB and SAS scans complete - nothing found
2) Email password changed to something a bit more secure
3) Contacts to be alerted that they may receive emails purporting to look like they came from my sister - these should be ignored/deleted
4) Educate sister in how to identify scam emails

Thanks.
Old 22-01-2013, 15:32
chrisjr
Forum Member
 
Join Date: May 2004
Location: Reading
Posts: 21,219
I would also see if there are any Spam filters set up on her e-mail account. I get several scam e-mails purporting to come from Fed-Ex. The big giveaway of course is that it asks me to go to a depot in the USA to pick up the parcel. But anyway 99.999999% of these things end up in the spam folder.

Do BT still use Yahoo as their mail provider? I have a Yahoo mail account and it has reasonably good spam filtering. Very rarely see any spam in the inbox that it missed and only an occasional false positive where a legit message gets flagged as spam.

That may be another way to ensure such messages don't get downloaded if she uses a mail client on her PC to read messages. Won't stop her poking about in the Spam folder on-line though. But might make her stop and think about why the message is in the spam folder though.

Oh and are you sure she didn't change the password herself and simply forgot about it?
Old 22-01-2013, 16:17
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,550
I set her up a BT Yahoo address on dial-up (which she uses for five mins a month so the account is kept active) and a 3G dongle which she uses all other times. So I regularly log in to her on-line email and verify there's nothing unwanted in the inbox. But lately she seems to have got a lot more in the way of spam and this one must have arrived following the last time I checked.

So that confirms the password was correct between Sunday (last time I logged in) and last night before she phoned (and after she downloaded mail into Windows Mail). She wouldn't know how to change the password so can only conclude it was this FedEx scam.

Will be teaching her to check her email using a browser first and after verifying all is correct, can then start up Windows Mail and click Send/Rec. I noticed a couple of emails went into a Junk folder in Windows Mail so will need to have a look at the settings for that. Yes, some of the junk does go directly to a spam folder online as well, but this one must have gone into the inbox unfortunately.

I think a sit-down session with her and the laptop working through identifying spam, moving mail incorrectly identified as spam and stuff like that will bring better results.

Thanks for the tips so far.

ETA. Will also be looking at remote access software such as Teamviewer which I've seen recommended in various threads on here.

Last edited by Smiley433 : 22-01-2013 at 16:19. Reason: Added sentence
Old 22-01-2013, 16:18
louise1966
Forum Member
 
Join Date: Nov 2005
Location: workington, cumbria
Posts: 3,032
You didn't confirm, Smiley, did your sister definitely not order anything? Perhaps she didn't realise the size of it. Or, due to packaging, it is boxed rather than just a packet. I have always had BT as my ISP and, but for a couple of blips (not BT's fault), I have had no problems at all with security, one of the reasons I remain with them, and use Yahoo as my email server. We all get scams tested on us via our email accounts or internet surfing records, we just have to know not to open them, as this will verify our email address, then the sender will know they have an active account. If she did open the email, which I assume she did, and still has it, I'm sure you have instructed her to mark it as spam, then any future mail from the same sender will automatically be delivered to her spam box.
Old 22-01-2013, 16:19
radioanorak
Forum Member
 
Join Date: Jul 2007
Location: Faliraki,Rhodes, Greece
Posts: 1,618
Even if genuine, why would you need to download a receipt or delivery note?
These are normally contained within a parcel.
Old 22-01-2013, 16:26
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,550
Louise, yes my sister does order stuff online but this was a trade-mark phishing email supposedly from FedEx ("Dear Customer") and she hasn't had any missing deliveries recently and has no orders outstanding. I'm not even sure which companies in the UK actually use FedEx for delivery as they tend to use Royal Mail, CityLink and judging from a number of threads in GD, Yodel!

I deleted the email from Windows Mail today but as they tend to send out a batch of them then create a new email address for the next batch of spam, marking the original sender as spam won't have much of an effect I don't think as that account may never be used again. While checking in the past, I have seen similar FedEx emails going straight into the on-line spam folder and I've deleted them before she can see them - I guess I should have warned her first in case one got through as it looks to have happened here.

Thanks.

Even if genuine, why would you need to download a receipt or delivery note?
These are normally contained within a parcel.
Precisely. Or there's a consignment number on the "while you were out" card. And it's not always the case a delivery company would have your email address anyway.

Last edited by Smiley433 : 22-01-2013 at 16:27. Reason: Responding to radioanorak
Old 22-01-2013, 16:32
Stig
Forum Member
 
Join Date: Sep 2003
Location: Sandy Heath, Beds, UK
Posts: 6,484
The FedEx scam has been going around for years. I'm surprised more people haven't heard of it.
Old 22-01-2013, 17:20
chrisjr
Forum Member
 
Join Date: May 2004
Location: Reading
Posts: 21,219
I assume you've done the usual stuff like set up the mail client to not automatically download images and to have the mail scanned by the AV on the PC?

And show her the way most browsers indicate (usually at the bottom of the window) the true destination of any link there may be in a message when you hover the mouse over it. So she can see where she would be going if she did click on the link.
Old 22-01-2013, 17:24
chrisjr
Forum Member
 
Join Date: May 2004
Location: Reading
Posts: 21,219
Even if genuine, why would you need to download a receipt or delivery note?
These are normally contained within a parcel.
I've not yet seen one of these Fed Ex messages that does not say in the body text that the parcel is waiting in some depot in the US. I don't recall ever seeing one saying it's in the UK.

So that instantly alerts me that it is a scam (even if nothing else has!) After all, what halfway sane delivery company tries to deliver a parcel to a UK address then ships it all the way back to the US for collection??
Old 22-01-2013, 19:47
Stig
Forum Member
 
Join Date: Sep 2003
Location: Sandy Heath, Beds, UK
Posts: 6,484
From http://www.fedex.com/bz/fraud/virusalert.html

Example:

Sent: Thursday, August 21, 2008 1:30 PM CET
Subject: FedEx Tracking N_2545362053
Unfortunately we were not able to deliver postal package you sent on August the 1st in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your FEDEX
Attachment: WD6128922.zip
Old 22-01-2013, 21:49
Orbitalzone
Forum Member
 
Join Date: Oct 2000
Location: Sussex
Posts: 11,272
Is it likely that your sister opened the attachment and unleashed something but hasn't admitted to doing this?

Often people tend to forget the exact thing they did when they get a virus infection, or rather they're too embarrassed to admit they opened a very obviously dodgy attachment/pop up etc.
Old 22-01-2013, 23:19
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,550
The FedEx scam has been going around for years. I'm surprised more people haven't heard of it.
Her technical expertise extends to being able to switch a laptop on, send some emails, do a bit of online banking and buy stuff from Amazon. She's not familiar with scams, viruses, etc - that's up to me to educate her.

I assume you've done the usual stuff like set up the mail client to not automatically download images and to have the mail scanned by the AV on the PC?
Yes on both points.
And show her the way most browsers indicate (usually at the bottom of the window) the true destination of any link there may be in a message when you hover the mouse over it. So she can see where she would be going if she did click on the link.
I've sent an email this evening explaining how a link can be hidden and you should hover the mouse over to see the actual URL, but she's not savvy enough to know what a dodgy URL would look like.

I've not yet seen one of these Fed Ex messages that does not say in the body text that the parcel is waiting in some depot in the US. I don't recall ever seeing one saying it's in the UK.
On some of the more well known sites (such as snopes and hoaxslayer) there are some examples of the variations that have been sent out over the years - some say "collect at your local depot", I don't think they always mention a specific location.

Is it likely that your sister opened the attachment and unleashed something but hasn't admitted to doing this?
Anything is possible. I did ask if she clicked on a link and she denied it but I can't be too sure.


Judging by a few internet searches, the link in the email is to a zip file which contains an exe which then either downloads a trojan directly or updates the registry, etc, so that a trojan is installed. But I found no evidence of that today so maybe she never followed through fully from the zip file and no trojan was installed, or Avast did its job correctly and prevented it installing.

That just leaves the unexplained changed email password - maybe it was just a coincidence that I failed to log in. Once I changed the password and did get logged in, there was an email from BT Yahoo advising the password had been changed - if the FedEx mail link had changed the password as well, maybe there would have been two emails? So maybe this is a red herring - I've not seen any mention of this happening on any of the other forum threads I've read on this virus so I could be wrong on this.

Visited her on-line inbox again tonight and there was another FedEx mail in the spam folder - maybe opening the previous one has confirmed an active email address and she'll be sent them again and again.

Thanks for the feedback so far, been most helpful.

Last edited by Smiley433 : 22-01-2013 at 23:21. Reason: Grammar
Old 22-01-2013, 23:50
max99
Forum Member
 
Join Date: Jun 2005
Posts: 8,619
Whenever an email password is compromised you should check that no other account settings have been altered. Log in via webmail and check things like security questions, alternate email address, forwarding, signatures, aliases, etc.

If you've never filled in any of the account recovery options, now would be a good time to do so. If the password is ever forgotten or compromised again, it can be difficult to sort things out if you have no way of proving you are the account holder.

Edit: Missed this bit:

That just leaves the unexplained changed email password - maybe it was just a coincidence that I failed to log in. Once I changed the password and did get logged in, there was an email from BT Yahoo advising the password had been changed - if the FedEx mail link had changed the password as well, maybe there would have been two emails?
Most likely explanation is that you simply mistyped the password, assumed it had been changed and so chose to reset it.
Old 22-01-2013, 23:58
jsmith99
Forum Member
 
Join Date: Apr 2005
Posts: 13,455
.............Attachment: WD6128922.zip
Why would anyone bother to convert a small document into a zip file? I think that should be a major warning signal.

For some reason, in relation to two recent orders to Amazon to be supplied by their "partners", I've had invoices from the supplying companies. This hasn't happened prior to these purchases. One of them I checked with Amazon, who said that there was nothing wrong, and I should ignore the invoice.

It should be said that the invoices contained details of the order, and were sent to the email address I use with Amazon, so I wasn't worried too much.
Old 23-01-2013, 10:03
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,550
If you've never filled in any of the account recovery options, now would be a good time to do so. If the password is ever forgotten or compromised again, it can be difficult to sort things out if you have no way of proving you are the account holder.
They're already completed, that was how I was able to recover ownership of the account once I found the password had been changed - date of birth, mother's maiden name, etc.

Most likely explanation is that you simply mistyped the password, assumed it had been changed and so chose to reset it.
Possible but I use the built-in password manager in Firefox so it logs me in automatically without needing to remember the password. When that failed I tried typing it manually and Windows Mail on the laptop failed to login successfully so from that I concluded that the password had been changed. But perhaps there was some kind of technical issue going on that rejected valid passwords.
Old 23-01-2013, 19:44
REDBUS
Forum Member
 
Join Date: Jan 2010
Posts: 1,919
You mentioned 2 anti-malware scans. Are these the only security on the PC/laptop? If so, I assume MB is set to actively prevent malware (24/7) before it gets onto the PC. I very naively got stung with this a good few years back, but the anti-virus (MSE) (full scan) did locate and delete/remove it. I'd be a bit worried if the scans found nothing. I can remember doing MSE/MB quick scans and finding nothing until weeks later I did a full AV scan and it located the file. Lesson learned, and I scan fully with each regularly.
Old 24-01-2013, 09:37
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,550
MB and SAS aren't the only weapons, I've got Avast running as an anti-virus. I can't be sure a link was actually clicked on - she either can't remember or isn't admitting to what she did. If, according to other sources, the virus is contained in a zip file, I'm not sure she'd have known what to do to trigger installation of the malware.
Old 24-01-2013, 13:53
REDBUS
Forum Member
 
Join Date: Jan 2010
Posts: 1,919
MB and SAS aren't the only weapons, I've got Avast running as an anti-virus. I can't be sure a link was actually clicked on - she either can't remember or isn't admitting to what she did. If, according to other sources, the virus is contained in a zip file, I'm not sure she'd have known what to do to trigger installation of the malware.

Simply opening the attachment triggers its download; a full AV scan is recommended to be on the safe side.
Old 25-01-2013, 19:26
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,550
Yes but if the link linked to a zip then it would just download the zip file and you'd need a user to double click and open it to extract and run the executable.

Will need to try and determine exactly what she did.
 
All times are GMT +1. The time now is 21:05.