1.ORDERSOrder N21560 (numbers vary)
This link redirects to .ru/main.php or .com/main.php URL, which serves the Blackhole exploit kit. These emails are targeting users who just purchased an Adobe CS4 license, which is weird, because version 5.5 is already out. The spammers obviously have not done their research and are behind the times.
2.TICKETSFW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE:)
Fwd: Your Flight Order N125-9487755 (numbers vary)
Users are lured to click on a "CLICK HERE" link, which redirects to another URL serving the Blackhole exploit kit. I guess these types of emails are targeting specific people: a) who have driven a vehicle in New York and b) who have been cited for a speeding violation recently, and of course c) those who are curious, otherwise why would they click on this link?
3. DELIVERY COMPANIES:USPS Invoice copy ID46298 (numbers vary)
FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
DHL Express Notification for shipment 90176712199 (numbers vary)
Fake emails pretending to be invoices or tracking emails have been around for several years and usually would have an attachment, such as a Trojan like Zeus or SpyEye. Websense Security Labs™ has written several blogs before about similar cases. I just want to point out that such emails are still being sent in bulk and are still being used as a vector to infect end users' computers. The reason why these kinds of emails are still so popular is because the attachments are being repacked for every new campaign; therefore, antivirus products struggle to release new signatures for those and are unable to block them, like in this case. The campaign is known, but VT shows only 8/42 results for an attachment.
4. TestThis email suggests that the attachment is a patch for WoW (World of Warcraft). Unfortunately, for the criminals, the archive is corrupt and therefore harmless to the recipients. Emails with "test" in the Subject line are commonly used by criminals to spread their malicious software. Users are used to seeing legitimate emails with "test" in the Subject line when an email system is being checked, and also spammers use such techniques to validate an email address.
5. Payment/TAX systems:
FRAUD ALERT for ACH
Your Wire Transfer
Wire transfer rejected
IRS requires new EIN
IRS Tax report
Click Spam News to read daily Spam tricks and Hoax-Slayer for Hoax Email/Scams.