No, UPS does not have a package for you
A story as old as email itself. Ever since humanity figured out how to pass notes from computer to computer, viruses and badware have been delivering themselves to unsuspecting users.
In 2001, the biggest example was Lovebug. In 2013, it was CryptoLocker. Today, it seems as if every badware writer is mailing their wares.
Whether it comes in the name of UPS, FedEx or a fax delivery, the delivery mechanism has barely changed. In the days of old, the badware came in ZIPs, DOCs, and PDFs. Now it mostly comes in links telling you to "click here to view your payment" or "click here to view details".
IT'S A TRAP!
So, what happens if you clicked on the link?
Fortunately, we don't need to dust off any tools and test. I asked a technician who had to deal with it.
1. First, it installs a dialer.
When you get to the page and realize you've been tricked, it's already started the process. While you're processing the fact that this isn't UPS, it silently downloads a file in the background. Then it runs that file.
The file is typically stored in /Users/YOURUSER/AppData/Roaming/randomx/random.exe - where random means a random string of seven letters.
2. The dialer calls up a server.
The dialer calls up a friend on a server. It asks what files are available. It picks a few packages and starts downloading.
3. Then it plans the attack
It adds entries to Task Scheduler for a random time. At that random time, the fun will start - usually one file at a time. It may launch a swarm. It might launch only one. You've closed the website, but the badware train is starting down the tracks.
4. The fun begins
At the random time, it starts executing the files. The computer grinds to a halt under the weight of the badware and friends. If you open Task Manager, you'll notice a bunch of randomly-named executables. By now, it's too late. Your files are probably already toast.
5. The last hurrah
It sets up one last trap, a ticking timebomb of sorts. If you reboot the machine, it executes. At bootup, it launches (in my experience) another badware, one which encrypts all your data. If anything's connected to it as a drive, it encrypts that too.
The version I dealt with was CryptoWall. After it's started encrypting, it pops up a page informing you that you lose. They have all your data. Do you want your data back? You'll have to pay them.
To add insult to injury, it deletes System Restore points and Previous Folder Versions.
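The artifacts described in steps 1 through 5 (an executable dropped under AppData\Roaming in a folder with a random seven-letter name, a one-shot Task Scheduler entry at a random time, and a startup-triggered entry) are exactly the sort of thing a technician can look for in a scheduled-task export. The following is an added example, not part of the original post, of a small heuristic that scores such records. The task records, the user name "alice", and the random names are constructed for illustration, not taken from a real machine.

```python
import re

# Constructed sample of scheduled-task records, in the shape of a simplified
# export (task name, action command line, trigger). Hypothetical values.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe -c -h -k",
     "trigger": "Weekly"},
    {"name": r"\qwzxkpl",
     "action": r"C:\Users\alice\AppData\Roaming\qwzxkpl\bhtrmzk.exe",
     "trigger": "Once at 2015-03-02T03:17:00"},
    {"name": r"\Updater",
     "action": r"C:\Users\alice\AppData\Roaming\kfpwqzt\rlgvpxm.exe",
     "trigger": "AtStartup"},
    {"name": r"\GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua",
     "trigger": "Daily"},
]

# The write-up describes a random string of seven letters for both the folder
# and the file name; treat that as the pattern to look for.
RANDOM_NAME = re.compile(r"^[a-z]{7}$", re.IGNORECASE)


def executable_path(action):
    """Return the program path from an action command line, quoted or not."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.index('"', 1)]
    # Unquoted: take everything up to and including the first ".exe" that is
    # followed by whitespace or the end of the string (handles spaces in paths).
    m = re.match(r"(.+?\.exe)(?:\s|$)", action, re.IGNORECASE)
    return m.group(1) if m else action.split(" ")[0]


def assess_task(task):
    """Return a list of human-readable reasons this task looks like the dropper."""
    reasons = []
    path = executable_path(task["action"])
    parts = re.split(r"[\\/]", path)
    lower = [p.lower() for p in parts]

    in_roaming = any(lower[i] == "appdata" and lower[i + 1] == "roaming"
                     for i in range(len(lower) - 1))
    if in_roaming:
        reasons.append("runs from AppData\\Roaming")

    # Only treat seven-letter names as suspicious when both the folder and the
    # file match; plenty of legitimate programs have seven-letter names alone.
    if len(parts) >= 2:
        stem = parts[-1].rsplit(".", 1)[0]
        if RANDOM_NAME.match(parts[-2]) and RANDOM_NAME.match(stem):
            reasons.append("random seven-letter directory and file name")

    trigger = task["trigger"]
    if trigger == "AtStartup" and in_roaming:
        reasons.append("startup trigger pointing at a user-writable location")
    if trigger.startswith("Once"):
        reasons.append("one-shot trigger at a fixed time")
    return reasons


def find_suspicious(tasks):
    """Map task name -> reasons, for every task that raised at least one reason."""
    result = {}
    for task in tasks:
        reasons = assess_task(task)
        if reasons:
            result[task["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_TASKS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real machine the records would come from a task export rather than the inline list, and the output is a triage aid, not a verdict: a task matching two or three of these reasons is worth pulling the referenced file for a closer look.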
6. The worst part: virus scanners can't stop it.
Virus scanners can't protect you from the millions of new variants that are spawned every day. The virus scanner can't stop you from clicking on that link. It can't stop that download. It certainly can't undo the damage the final executable did to you.
The world of viruses moves way too quickly for tools to protect you from this particular set of badwares.
How to protect yourself:
1. Don't open files you weren't expecting.
If you weren't expecting John from Accounting to send you a package, don't open it. Better yet, contact the sender by phone. If you don't know the sender, don't open it.
2. Don't click on links (without checking them)
Hover your mouse over links before clicking them. See where they lead - if they don't lead to the official site (google it!), don't click. If you don't know whether it's legitimate, don't click.
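The hover check above is mechanical enough to script for the IT team that ends up looking at these emails. The following is an added example, not code from the original post: it pulls every link out of an email body, compares where the link really goes with where the displayed text says it goes, and checks the destination against the official domain the email claims to be from. The email body, the domains and the IP address are constructed for illustration (reserved example ranges), and the "registrable domain" helper is a deliberate simplification that takes the last two labels rather than consulting a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body; hypothetical domains and a documentation IP.
SAMPLE_EMAIL = """
<p>Your package could not be delivered.</p>
<p><a href="http://ups-tracking-update.example.net/view?id=4411">Click here to view details</a></p>
<p><a href="https://www.ups.com/track">https://www.ups.com/track</a></p>
<p><a href="http://198.51.100.23/secure/fax.php">View your secure fax</a></p>
<p><a href="https://accounts.example-bank.com.evil.example/login">https://accounts.example-bank.com/login</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two labels (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, text, official_domain):
    """Return reasons this link should not be clicked; empty list if it looks fine."""
    reasons = []
    host = urlparse(href).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of a hostname")
    # If the visible text looks like a URL, it must point where it says.
    if re.match(r"https?://", text):
        shown = urlparse(text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
    # The hover check: does the destination belong to the official site?
    if registrable(host) != registrable(official_domain):
        reasons.append(f"{host} is not the official site {official_domain}")
    return reasons


def inspect_email(html, official_domain):
    """Return [(href, reasons)] for every link in the body that raised a reason."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = inspect_link(href, text, official_domain)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in inspect_email(SAMPLE_EMAIL, "ups.com"):
        print(href)
        for r in reasons:
            print("  -", r)
```

The official domain is an input on purpose: the script cannot know which company an email claims to be from, so the person running it looks that up first (the "google it!" step) and then lets the script do the comparing.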
3. Don't open package notifications, faxes, "secure file links", etc.
Don't open that link. Don't open that email. Just, please: don't, period.
If you get an email like that, ask your IT team to look at it. IT teams are always busy, but we're more than happy to check something out for you. Better to check now than to spend days or weeks cleaning up after a badware infection. Some businesses never recovered from infection.
4. If you got infected, react as if your identity were stolen
Pretend that somebody broke into your house and stole all your ID, your cards, everything. Start making calls. Change passwords - using a machine you know is safe. Go through everything you can think of.
5. Keep a list of everything you use (and only in paper form)
It's not a matter of if you will be infected; it is a matter of when. Make a list of all your accounts, the sites, the banks, etc. Don't write down the passwords, but keep track of what you would need to change if your ID were stolen today.
It might sound like work, a lot of work. Don't put it off, start now. Grab a bit of paper. A notebook, even. Write what comes to mind. Put it to the side for a few days. Look at it again, fill it out more. Repeat.
You'll never stop needing to keep track.
But when the infection does come, you'll be in a much better place to recover from it.