Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

A particularly vociferous malware campaign has been forcefully spammed out in the last 24 hours, targeting German internet users.

The malicious emails, which have been intercepted by Sophos security products, contain an attachment which pretends to be a PDF file, claim to come from an air shipment company, and use the subject line “Luftfrachsendung AWB”.

Here is an example of a typical email that was intercepted by the team at SophosLabs:


Hallo,

anbei der AWB bitte bestätigen ob alles Ok ist.

Danke

Mit freundlichen Grüßen

Attached to the emails is a file called AWB-Avis 123-12345678.pdf.zip (the numbers can vary) which carries the malicious payload.

Sophos products detect the attack as the Troj/Agent-AAJO and Troj/Agent-AANK Trojan horses.

Astrid, one of the translators here at Sophos, tells me that the German used in the emails isn’t perfect (which might help raise suspicions) – but here’s a rough translation for non-German speakers:

Hi,

Please confirm the enclosed AWB is OK.

Thank you

Yours sincerely

What makes this attack stand out from the others that we have intercepted in the last few days is its sheer scale: it dwarfs all the other malware attacks that SophosLabs has seen sent out via email in that time.

The shipping company referenced in the email has posted a message on its website saying that it has had to suspend its normal info@ email address because of the sheer number of emails it is receiving, and has offered an alternative address for contact instead.

Warning

ATTENTION! Email Spam and Virus warning: Unknown parties are currently sending large quantities of spam emails with the false sender address of [email protected]. The subject line reads "Airfreight shipment AWB". The email has an attachment that is infected with a Trojan!

We therefore advise that if you receive such an email, you delete it without opening. Please do not try to open the attachment!

For this reason, the info@ email address has been disabled [email protected] until further notice. You can contact us in the meantime, using the email address "[email protected]".

You have to feel some sympathy for an innocent company which has had its business disrupted by a cybercriminal scheme.

Make sure that you are reducing the risk of your computers being infected by malware in an attack like this.

As well as keeping your wits about you, and ensuring that you and your colleagues never open unsolicited attachments, always ensure that all of your computers are running up-to-date anti-virus software.
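The subject line and attachment naming scheme described above can be turned into a simple mail-triage check. The following Python is an added example, not code from Sophos or from the original article; the function names, the constructed sample messages and the generic double-extension pattern are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators quoted in the article: the subject line and the attachment name.
SUBJECT_MARKER = "luftfrachsendung awb"
# "AWB-Avis 123-12345678.pdf.zip (the numbers can vary)": digit counts left open.
CAMPAIGN_NAME = re.compile(r"^AWB-Avis \d+-\d+\.pdf\.zip$", re.IGNORECASE)
# Generalisation beyond the article (assumption): a document extension
# followed by an archive or executable extension.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|jpe?g|txt)\.(zip|rar|7z|exe|scr|com|pif|js)$",
    re.IGNORECASE,
)


def triage(raw_message):
    """Return the reasons a raw RFC 5322 message is suspicious ([] = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    # policy.default decodes RFC 2047 encoded-words in the Subject header.
    if SUBJECT_MARKER in str(msg.get("Subject", "")).casefold():
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if CAMPAIGN_NAME.match(name):
            reasons.append("campaign-filename")
        elif DOUBLE_EXT.search(name):
            reasons.append("double-extension")
    return reasons


def build_sample(subject, filename):
    """Build a constructed test message; the attachment body is a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "recipient@example.org"
    m["Subject"] = subject
    m.set_content("Hallo, anbei der AWB.")
    m.add_attachment(b"placeholder, not a real archive",
                     maintype="application", subtype="zip", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(triage(build_sample("Luftfrachsendung AWB", "AWB-Avis 123-12345678.pdf.zip")))
    print(triage(build_sample("Monthly report", "report.pdf")))
```

A filename check like this only supplements anti-virus scanning, since a campaign can change its subject line and naming scheme at any time.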


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
