Attackers are piggybacking off the booming market for meal-kit delivery services since the pandemic, and sending SMS phishing messages doctored up to look like they’re legitimate correspondence from popular brand names — including HelloFresh and Gousto.
This is just another example of why the world cannot have nice things.
Researchers at Tessian discovered the meal-kit phishing campaigns and said there are many versions of the phishing pitch. Some are received through SMS, others through WhatsApp. Some ask customers to rate their experience to enter a prize draw. The messages run the gamut of sophistication, from very convincing to an example Tessian called “easy to spot,” which is riddled with spelling errors.
“Your Gousto box is now delivered,” the phishing message read. “Enjoy the reoipej! Rate delivesy and enter wrize diaw at ‘URL’.”
The goal is to drive users to a site controlled by the attackers and trick them into entering their personal data.
Cybercriminals Capitalize on Trends
“Where there is consumer demand, there are always cybercriminals looking to capitalize on these trends and trick people into sharing valuable information or those all-important account credentials,” Charles Brook, threat-intelligence specialist with Tessian, told Threatpost about the findings. “So as demand for meal-kit deliveries surge, due to lockdown restrictions, so too have social-engineering scams with hackers posing as these brands.”
Data released from Nielsen showed meal-kit sales grew nearly 19 percent in 2020 as a result of COVID-19 restrictions.
The rising popularity of meal kits happens to coincide with a spike in SMS-based phishing attacks, a.k.a. “smishing,” worldwide. Personal devices typically carry far fewer security controls, nearly everyone has one, and the emotional attachment many have developed to their devices makes users susceptible to a shakedown.
“SMS based scams are incredibly convincing, and are growing in frequency,” Brook added. “Data breaches, for example, have made it easier for scammers to access people’s full names and phone numbers as details are made public. In addition, more and more companies are relying on SMS as a marketing channel to reach their customers and update them about online orders. Given that nine in 10 people open their texts, it’s likely the message will be read.”
How to Spot Smishing Attacks
Brook recommended that users take a few simple precautions to protect themselves against a smishing attack.
The first is to be wary of delivery notices that seem unfamiliar.
“So while you might not be expecting a delivery, scammers will still try their luck. Often impersonating a legitimate brand, and using sophisticated methods like including a shortened, legitimate-looking URL or an ‘urgent’ call to action, they’re hoping their targets have signed up to some form of home-delivery service, will click the link and fall for the scam.”
He also recommended avoiding clicking on links in SMS messages as a general policy, and taking a close look at the sender number.
“Unknown numbers or 11-digit long numbers starting with a local area code, such as +44, are often associated with scam texts. Large institutions will generally send text messages from short-code numbers.”
As the fake Gousto message quoted above illustrates, he also recommended steering clear of messages with spelling or grammatical errors. Finally, he advised users to be proactive about their relationship with the companies they do business with.
“Visit the company’s social-media channels to see they have warned their customers about potential scams that have been circulating, and research whether other customers have received the same message.”
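As an added example (not code from Tessian or the article), the signals Brook lists can be turned into a simple triage heuristic that a mail or SMS gateway, or a user-side tool, could run over incoming texts. The sender numbers, shortener list, lure words, vocabulary and alert threshold are assumptions; the sample messages are constructed, apart from the article's own “easy to spot” Gousto text.

```python
import re

# Signals taken from the article's advice; thresholds and word lists below are assumptions.
LONG_NUMBER_MIN_DIGITS = 11                                   # "11-digit long numbers"
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}      # assumed shortener list
LURE_WORDS = {"urgent", "prize", "win", "claim", "immediately", "draw"}
# Constructed stand-in for a real spell checker: vocabulary expected in delivery texts.
VOCAB = {"your", "box", "delivered", "enjoy", "recipes", "rate", "delivery", "enter",
         "prize", "draw", "order", "been", "dispatched", "track", "gousto", "hellofresh"}
ALERT_THRESHOLD = 2          # assumption: two independent signals is enough to warn the user

def smishing_signals(sender: str, text: str) -> list[str]:
    """Return the smishing signals present in one SMS; more signals = more suspicious."""
    reasons = []
    digits = re.sub(r"\D", "", sender)
    if len(digits) >= LONG_NUMBER_MIN_DIGITS:
        reasons.append("long-form number rather than a brand short code")
    urls = [u.lower() for u in URL_RE.findall(text)]
    if urls:
        reasons.append("contains a link")
    hosts = {re.sub(r"^https?://", "", u).split("/")[0] for u in urls}
    if hosts & SHORTENERS:
        reasons.append("link goes through a URL shortener")
    words = re.findall(r"[a-z]+", URL_RE.sub(" ", text).lower())   # check prose, not URLs
    if any(w in LURE_WORDS for w in words):
        reasons.append("prize/urgency lure")
    unknown = [w for w in words if len(w) > 3 and w not in VOCAB]
    if unknown:
        reasons.append("possible misspellings: " + ", ".join(unknown))
    return reasons

def is_suspicious(sender: str, text: str) -> bool:
    return len(smishing_signals(sender, text)) >= ALERT_THRESHOLD

# Constructed samples: the first quotes the article's "easy to spot" message, the rest are made up.
SAMPLES = [
    ("+447700900123", "Your Gousto box is now delivered. Enjoy the reoipej! Rate delivesy and enter wrize diaw at ‘URL’."),
    ("+447700900456", "Gousto: your box is delivered. Rate delivery and enter our prize draw at bit.ly/g0ust0-rate"),
    ("62223", "HelloFresh: your order has been dispatched. Track it at https://www.hellofresh.com/track"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        flag = "SUSPICIOUS" if is_suspicious(sender, text) else "looks ok"
        print(f"{sender}: {flag} -> {smishing_signals(sender, text)}")
```

The legitimate-looking third sample still scores one signal (it contains a link), which matches Brook's general advice to treat any link in a text with caution; the threshold decides when that alone should warn.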