Fake FedEx, DHL, and UPS delivery issues used in COVID-19 phishing scams
May 5, 2020
Cybercriminals are leveraging overwhelmed delivery services to further phishing schemes.
The coronavirus pandemic has upended global delivery systems as countries around the world have shut their borders and companies reduce their workforce.
The problem has been compounded by the fact that millions are stuck at home with extra time, ordering hundreds of dollars worth of goods. Estimates from Facteus say consumer spending on Amazon is up 35 percent compared with last year.
But a new report from Kaspersky found that cybercriminals are using the increase in delivery demand to push convincing phishing emails into thousands of inboxes.
“The spikes in demand are causing in-transit times to stretch out. As a result, customers are getting used to receiving apologetic messages from couriers linking to updated shipping statuses. Recently, we have observed a number of fake sites and emails supposedly from delivery services exploiting the coronavirus topic,” Kaspersky Lab anti-spam analyst Tatyana Shcherbakova wrote in a blog post.
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
Cybercriminals are using a number of different attack styles centered around package delivery. Some are sending emails purporting to be from delivery services that contain malicious attachments, pushing recipients to open them either for more information on their package or for addresses to places where packages can be picked up.
Shcherbakova explained that these attachments often “install a Remcos backdoor on the computer,” giving hackers the ability to use a device for any number of attacks including stealing data, installing malware, or forcing a device to join a botnet.
Other emails caught by Kaspersky show similar tactics, all of which are attempting to get people to download attachments. These emails generally claim there are problems with package deliveries, signatures needed or other in-person tasks required for people to get what they ordered.
SEE: Phishing emails claim recipient has been infected with coronavirus (TechRepublic)
More sophisticated phishing emails even contain images to make them seem like they have come from DHL, UPS and FedEx. Knowing that these same delivery services are sending out more emails about delays to mail, cyberattackers are banking on people not looking closely and quickly opening attachments without paying attention.
James McQuiggan, security awareness advocate at KnowBe4, said it was becoming common for phishing scams to use a delivery shipment as the subject of the email, knowing end users are curious about the package or expecting a delivery.
“Our human nature sparks our curiosity of wanting to know about that delivery. With these delivery phishing scams, it’s crucial not to rely on the link in the email. It’s a lot more reliable to copy the shipping or tracking number from the email and post it on the actual website, as the tracking information will be located on the home page in most cases,” McQuiggan said.
“This quick check reduces the risk of trying to see if the link is valid or not. If the search comes up with a package, then you can verify it’s come to your organization or home. Unfortunately, the phishing scams relating to COVID-19 are not going away anytime soon, as criminals work to leverage everyone’s fears about it, especially regarding any supply chain concerns for an organization.”
SEE: Cyberattacks on the rise since the start of the coronavirus outbreak (TechRepublic)
In addition to Remcos backdoors, Shcherbakova noted that Kaspersky has found executable ACE archives containing the spyware program Noon, Androm backdoors and the Bsymem Trojan, which she says “enables the attackers to take control of the device and steal data.”
“Many spammers simply insert a mention of COVID-19 into their usual mailing templates, but some focus specifically on quarantines and the rapid spread of the pandemic. For example, in one story, the government had banned the import of any kind of goods into the country, so the package was returned to the sender,” Shcherbakova wrote.
Cybercriminals are even upping the ante further by creating spoofed package tracking websites that look like DHL, FedEx and UPS as a way to steal account information. On the Kaspersky website, they show that these copies look nearly identical to the actual websites of these delivery companies and could easily fool someone who is not paying close attention.
Shcherbakova added that companies will never send emails with spelling mistakes or bad grammar and that everyone should be wary of emails about coronavirus or COVID-19. People should know to check the sender addresses and almost never download attachments from delivery services.
Patrick Hamilton, cybersecurity evangelist at Lucy Security, said scammers know there has been a surge in online purchases and therefore deliveries. They also know that people like to track their packages and tend to click before thinking or looking.
“We click without looking at the link. We download without suspicion. We supply our credentials without a thought. How did you get robbed? You left the house unlocked,” Hamilton said. “We can train people out of this behavior. We see people overcome phishing scams just by increasing awareness.”
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays