Threat actors are increasingly using scams that spoof package couriers like DHL or the U.S. Postal Service in authentic-looking phishing emails that attempt to dupe victims into downloading credential-stealing or other malicious payloads, researchers have found.
Researchers from Avanan, a Check Point company, and Cofense have discovered recent phishing campaigns that include malicious links or attachments aimed at infecting devices with Trickbot and other dangerous malware, they reported separately on Thursday.
The campaigns separately relied on trust in widely used methods for shipping and employees’ comfort with receiving emailed documents related to shipments to try to elicit further action to compromise corporate systems, researchers said.
Indeed, this trend has become so prevalent that it even earned DHL the dubious distinction of replacing Microsoft at the top of the Check Point Software list of brands most imitated by threat actors in the fourth quarter of 2021. Scams related to the courier accounted for 23 percent of all phishing emails during that time frame when the company’s name had been attached to only 9 percent of scams in the third quarter.
Specifically, a recent Trickbot phishing campaign discovered by the Cofense Phishing Defense Center uses emails that claim to be a missed-delivery notice from the U.S. Post Office but instead include a malicious link, according to a report published Thursday.
Meanwhile, researchers from Avanan earlier this month discovered a new wave of hackers spoofing DHL in phishing emails that aim to spread “a dangerous Trojan virus” by notifying victims that a shipment has arrived and asking them to click on an attachment to find out more details.
Fooled by Trusted Brands
Researchers attributed a couple of factors behind the ramp-up in scams related to package delivery. Spoofing DHL certainly made sense in the fourth quarter of last year during the busy holiday-shopping season, noted Jeremey Fuchs, cybersecurity researcher and analyst from Avanan, in a report on the latest DHL-related scam, published Thursday.
“Now, hackers are taking advantage of this, by attaching malware to a DHL spoof,” which will likely attract attention from a recipient in part because of its use of a trusted company, he wrote in the report.
Moreover, shipping delays and supply-chain issues have become commonplace during the pandemic, which also has spurred a massive increase in people working remotely from home.
Attaching a malicious invoice link to a fake USPS missed-delivery notification, then – as threat actors did in the recently discovered Trickbot campaign – would be an attractive lure for potential victims accustomed to receiving these types of emails, according to Cofense.
“With the supply-chain delays, receiving a notification that a delivery attempt was missed can lead to frustration and entice the recipient to open the invoice link to further investigate,” Cofense PDC researchers Andy Mann and Schyler Gallant wrote in the report.
Indeed, an unrelated study from security firm F-Secure that simulated sending phishing emails to more than 82,000 corporate employees found that email scams aiming to share a document with, or to report a service issue to, potential victims likely will have more success when documents are tied to a trusted brand.
Tricked Into Trickbot
In both of the recent delivery service-related campaigns, attackers aimed to make the scams appear as authentic as possible to convince users to commit further actions to download malicious payloads, researchers said.
The emails used to deliver Trickbot include official USPS branding as well as details such as third-party social-media logos from Facebook, Instagram, LinkedIn and Twitter, “to make the email look even more legitimate,” researchers wrote.
However, the emails include a sender address completely unrelated to the USPS, which easily could have alerted someone to its dodgy intent, they said.
If the lure works and a user clicks on the link to the purported invoice, they are directed to a domain, hxxps://www.zozter[.]com/tracking/tracking[.]php, that downloads a ZIP file. The unzipped file is an XMLSM spreadsheet named “USPS_invoice_EA19788988US.xlsm” that purportedly requires editing due to document protection – a tactic often used in malicious email campaigns.
If a victim goes so far as to enable editing, it will trigger a malicious PowerShell process that ultimately downloads Trickbot. The banking trojan was first discovered in 2016 but has evolved into one of the most widely used tools for cybercriminal activity, full of malicious capabilities.
Duping with DHL
The attack spoofing DHL also includes what threat actors want victims to believe is a shipping document, but this time in the form of an attachment, Avanan’s Fuchs described in his report.
“By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to checking for shipping notifications,” he wrote.
However, the attachment itself doesn’t include a document file. Rather, it instead directs the recipient to a credential-harvesting web page, Fuchs explained. Clicking on the file also installs an unspecified trojan that also can lift other sensitive data and ultimately take over the victim’s computer “to propagate more attacks on your network,” he wrote.
Fuchs said the attack has its origins in a previous attack observed by Check Point that spoofed FedEx in a similar vein to deliver the Snake Keylogger malware.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.