The holidays are approaching, and there appears to be a shipping crunch. Due to supply chain concerns, many are worried that they won’t get their holiday gifts in time.
In response to people anxiously checking tracking numbers and refreshing their emails to see the status of their goods, hackers are spoofing shipping and missed goods notification emails.
Starting in November 2021, Avanan observed a credential harvesting attack in which attackers spoof the United States Postal Service to notify users of an undelivered package. In this attack brief, Avanan will analyze the company’s most recent discovery of this new spoof.
In this attack, hackers utilize a spoofed USPS notification. Clicking on its link leads to a credential harvesting page.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Brand Impersonation, Spoofing
- Target: Any end-user
In this attack, hackers use brand impersonation to trick users into clicking on a link that’s actually a credential harvesting page.
The email starts with a subject line saying, “Not possible to make delivery.” In the body of the email, there’s a message saying that the delivery couldn’t be made.
When clicking on “View Details”, end-users are led to a webpage that also spoofs the USPS. It shows the photo of an iPhone, and for $1, users can re-schedule the delivery. That’s where users are directed to enter their credit card information, which the hackers can then use for future attacks and fraudulent purchases.
Email Example #1
In this email, hackers present what looks like a message about an undelivered package. The email utilizes traditional social engineering tactics, such as urgent language, to get the user to act:
This email purports to be a notification about an undelivered package. Notice the sender address.
Email Example #2
When clicking on the link, users are directed to this credential harvesting page, which steals user information and credit card data. The URL is not a USPS link.
In this email attack, hackers rely on brand impersonation. Knowing that end-users are anxiously awaiting their holiday packages, they count on that impatience to get recipients to click.
The email does a good job of impersonating the USPS, down to the logo and some legit links.
There are legit links that point to the actual USPS site. However, the “View Details” link leads to the credential harvesting page.
On that page, the user is asked to enter their credentials and pay a $1 fee to “receive” the product. To collect that fee, the page requests credit card data, which the hackers harvest.
This attack will not only steal user credentials but also credit card data. That credit card data is the real prize. Not only do credit card numbers sell handsomely on the black market, but they can also be used by hackers to make future purchases.
Best Practices: Guidance and Recommendations
In order to guard against these attacks, security professionals can do the following:
- Encourage end-users to look at the sender. In this email, the sender’s email address is not a USPS address. End-users should also be encouraged to look at grammar and spelling.
- Inspect the URL of any link before clicking on it. In this email, the “View Details” link does not point to a USPS address either.
- Pay extra attention to emails from brands, especially around the holidays. Check Point Research has found that two of the top five most impersonated brands ship goods (DHL, Amazon).
- Utilize an email security solution that relies on multiple factors to determine whether an email is phishing.
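As an added example (not code from this brief or from Avanan), the following Python script applies the sender and link checks above to a constructed message: when an email presents itself as USPS, it verifies that the sender domain and every link domain actually belong to usps.com, flagging the message if either signal fails. The sample headers, the `.test` domains and the brand keyword list are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the brief): a USPS-themed notification whose
# sender domain and "View Details" link are not usps.com, mixed with real links.
SAMPLE_EMAIL = """\
From: USPS Delivery <notice@example-parcel-alerts.test>
Subject: Not possible to make delivery
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your package could not be delivered.</p>
<p><a href="https://tools.usps.com/go/TrackConfirmAction">Track your package</a></p>
<p><a href="https://fake-usps-reschedule.test/pay?id=1">View Details</a></p>
<p><a href="https://www.usps.com/help/">Help</a></p>
</body></html>
"""

BRAND_DOMAIN = "usps.com"
BRAND_KEYWORDS = ("usps", "postal service")  # assumed brand markers

def host_of(value):
    """Host part of a URL netloc or e-mail address, lower-cased, port removed."""
    return value.rsplit("@", 1)[-1].split(":")[0].lower()

def belongs_to_brand(host, brand=BRAND_DOMAIN):
    """True only for the brand apex domain or a real subdomain (not usps.com.evil.test)."""
    return host == brand or host.endswith("." + brand)

def analyze(raw):
    """Combine sender-domain and link-domain signals for a brand-themed email."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_host = host_of(msg["From"].addresses[0].addr_spec)
    body = msg.get_body(preferencelist=("html",)).get_content()
    text = " ".join([str(msg["From"]), str(msg["Subject"]), body]).lower()
    brand_claimed = any(k in text for k in BRAND_KEYWORDS)
    links = re.findall(r'href="([^"]+)"', body)
    offbrand = [u for u in links if not belongs_to_brand(host_of(urlparse(u).netloc))]
    sender_mismatch = brand_claimed and not belongs_to_brand(sender_host)
    link_mismatch = brand_claimed and bool(offbrand)
    return {
        "sender_host": sender_host,
        "sender_mismatch": sender_mismatch,
        "offbrand_links": offbrand,
        "verdict": "suspicious" if (sender_mismatch or link_mismatch) else "clean",
    }
```

Running `analyze(SAMPLE_EMAIL)` flags the message because the sender domain is off-brand and the “View Details” link is the only link that does not resolve to usps.com, even though the other links are genuine.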