Many shoppers are anxious to get their holiday gifts on time due to supply chain concerns. Attackers exploit fears by spoofing the US Postal Service.
There appears to be a shipping crunch, and many shoppers are worried whether they will get their purchases just on time to surprise their loved ones. They are anxiously checking tracking numbers and refreshing emails to see the status of their goods.
Threat actors are well aware of it and are spoofing shipping numbers and missed goods notification emails.
Starting in November 2021, Avanan, a Check Point company, observed a credential harvesting attack in which attackers spoofed the United States Postal Service to notify users of an undelivered package.
Criminals are crafting emails and impersonating brands to trick users into clicking on a link that's actually a credential harvesting page.
The email starts with a subject line saying: "Not possible to make delivery." There's a message in the body of the email saying that the delivery couldn't be made.
When clicking on "View Details," end-users are led to a webpage that also spoofs the USPS. It shows the photo of an iPhone, and for $1, users can reschedule the delivery. That's where users are directed to enter their credit card information, which the hackers can then use for future attacks and fraudulent purchases.
"This attack will steal not only user credentials but also credit card data. That credit card data is the real prize. Not only do credit card numbers sell handsomely on the black market, but hackers can also use them to make future purchases," Avanan said.
Here's how the forged email looks like:
“In this email attack, hackers have relied on brand impersonation. Knowing that end-users are anxiously awaiting their holiday packages, they are relying on this impatience to get them to click. The email does a good job of impersonating the USPS, down to the logo and some legit links,” Avanan concluded.
Exploiting well-known brands
Cybercriminals are masters of exploiting popular brands to trick people into clicking on malicious links.
Email spoofing is the act of sending emails with a forged sender address. It tricks the recipient into thinking that someone they know or trust sent them the email. Usually, it’s a tool of a phishing attack designed to take over your online accounts, send malware, or steal funds.
Recently, CyberNews wrote how malicious hackers are spoofing Amazon purchase notifications to steal financial information. All links go directly to Amazon’s site. This means that even the most trained user will click on it.
An impersonation is another common form of phishing. Malicious actors can impersonate users, domains, and brands. Whatever the impersonation is, the idea is to convince the victim to give up information or data that they wouldn’t normally feel comfortable releasing.
When it comes to brands, here are the most impersonated ones, according to Check Point:
1. Microsoft (related to 45% of all brand phishing attempts globally)
2. DHL (26%)
3. Amazon (11%)
4. Bestbuy (4%)
5. Google (3%)
6. LinkedIn (3%)
7. Dropbox (1%)
8. Chase (1%)
9. Apple (1%)
10. PayPal (0.5%)
Just be aware, this is not a limited list. INKY researchers revealed that scammers now use math symbols in the Verizon logo to trick their victims. Despite all the money major brands spend on logo design, people are terrible at remembering them, so exercise double caution when checking your email next time.
Did you get a similar message? Always double-check all the links before clicking by hovering over them. Watch out for poor grammar and spelling in the email body, be aware of unfamiliar senders, and never act on a document or file unless you are sure it can be trusted.
More from CyberNews:
Subscribe to our newsletter