This is one of the newer (although kinda stupid) virus spreaders I have seen this year. It sends a UPS notice to a random (in this case even non-existent) email address in your domain with an attachment of a virus disguised as an invoice to be printed out.

Thank goodness our company has invested on a security gateway called Borderware, which prevents malicious emails such as this from wreaking havoc on the network.

A common (and unfortunately, effective) technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity that many people commonly deal with, such as one of the large Internet auction or retailing sites, or a national bank (or other financial institution), or a major provider of a common service.
–Snopes.com

Rule is always to check the originating email address. In this case the sender is NOT UPS but “teld@grics.qc.ca”. That itself is a tell-tale sign that the email is fraudulent.

At first glance it looks just like the real ebay site. But a quick look at the URL in the address bar will tell you that this is NOT ebay.

The link says http://www.grandzawiyah.com/state.wa/signin.htm?213rjceirjqexr98rdlkmsanchfrinvc58ucrdjkxnerimjgtmxkjnzmhrugt45ncoirehviuhtrckm45x and you end up here if you happen to have received the spoofed ebay email.

My client got theirs from email address eBay Member: quickshipelectronics [mailto:lindbergjh@hotmail.com] and as usual I checked the URLs embedded in the email. While on the surface the URLs say http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=130258573190 the actual destination is http://www.shamick.com/SWF?item=130258573190 which leads you to the URL of the site in the screenshot above.

However, www.shamick.com and www.grandzawiyah.com appear to be legitimate domains and websites — but people with malicious intent may have hijacked a subfolder on their hosting service where the redirect from shamick.com/swf has been placed to lead to the fake ebay landing page above.

So a CAVEAT to all. Check the actual links before you click on them, especially if you know you shouldn’t be getting emails from services you have not signed for. Mouse over the link and then check if the URL that appears in your status bar matches the link and is the actual URL of the service.

I got this in my office email today, which made me raise an eyebrow. As head of web development for the company I work for I have subscribed to almost every feature that google has offered EXCEPT for adwords. But in my senility I thought maybe I did sign up for one sometime ago so what the heck I’d check it out anyway.

The good thing was I never click on a link in my email — I copy the entire URL and paste it on my browser instead. This was something I learned to do after the Metrobank phishing scam.

So instead of ending up at the REAL phishing url (see highlighted section above) that was masked by the URL in the email address, I ended up on the real Google Adwords login screen, which of course told me that I did not have an adwords account.

I googled for the first line of the email and sure enough, I found out that it IS a scam. Fortunately, though, the phishing destination URL is no longer active.

seopulse has more to say on the matter.