Christmas time is essentially connected with buying presents. There's a lot of stuff to be done and a lot of opportunities to buy a present in an e-shop to save time. Who doesn't know someone who buys a Christmas gift online?

The malware authors know and are very keen to take advantage of it. We see scam emails containing order or delivery details every day and they have a lot of common. In fact, it's nothing new. Such methods are used constantly during the year, it's nothing special connected to Christmas. However, Christmas is the reason why many people might be fooled. Let's look at them in detail.

Imagine you are customer waiting for a present to be delivered. You get anxious and check your email waiting for order details. You are probably the most vulnerable at this time. Then you get an email from DHL, the well-known parcel delivery service, with a notice saying that the shipping details are in an attachment. In that moment of relief, you click on the email attachment. It turns out to be a zip file containing a file named DHL-parcel.exe. The strange thing is the file extension looks like regular PDF file because it has the same icon. In fact, it is malware.

Cyber Grinches want to ruin your Christmas

One sample that we spotted in recent days was an email pretending to be sent from Booking.com with an attached invoice. The filename of the attachment is Invoice 801490457278 PRINT pdf.zip and it surprisingly contains Invoice 801490457278 PRINT pdf.exe.

The real magic starts when the user clicks on the attachment and executes the file. It secretly drops and executes malware to %ALLUSERSPROFILE%\explorer.exe enabling on start execution by setting HKLM\...\CurrentVersion\Run registry key and it starts listening on TCP port 3232 allowing remote access to infected computer. That means that the computer is not fully under your control and the attacker can silently spy on you or simply install additional malware in order to get your money. That's not a good present for Christmas!

We also spotted similar email scams pretending to be sent from HSBC.com, Amazon.com, Amazon.co.uk, etc as you can see on the image below.

How can I protect myself?

Follow this simple advice to minimize the risk of infection.

1) Use antivirus software with updated virus database (e.g. avast! 2014 :))

2) If you see an email similar to our examples, just ask yourself, "Did I order something from that company?"

3) If so, do not open the attachment. Most services don't send emails with attachments, especially zipped one.

4) Never, EVER run executables from an email.

SHA: C669E7E9E9A6FA4E321670E8237AEFDE73991425B8320C23F3A9F9FACA61B7C3

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.