A spam campaign whose emails purport to originate from the United States Postal Service (USPS) is delivering a triple malware threat to recipients.
An infection begins when a user receives an email from a sender purporting to be the USPS. The email states that the USPS delivered a package for the recipient to a ground station. It then requests that the recipient download the attachment to view the delivery label and schedule a pick-up time.
Ever hear the saying "curiosity killed the cat"? That phrase couldn't be more appropriate to this campaign. Malwarebytes' senior malware intelligence analyst Adam McNeil explains in a blog post:
By no means is this the first USPS-themed malware campaign.
With that in mind, it's important that users not open suspicious emails and attachments. Whenever they receive an unsolicited email from what appears to be the USPS or another trusted institution, they should also verify the sender's email address. In many cases, doing so will reveal the sender to be an imposter.