How fraudsters use package delivery problems during an epidemic, and how not to fall for their tricks.

[root]

How fraudsters use package delivery problems during an epidemic, and how not to fall for their tricks.


Spam: home delivery of malware

Often, cybercriminals pretend to be delivery service employees to force the victim to open a maliciously crafted email attachment. The classic trick is to inform you that the package has already arrived, but in order to receive it, you need to read or confirm the information in the attached file.

For example, in a fake letter from a large delivery service in broken English it says that the parcel arrived at the warehouse, but because of the epidemic it can not be delivered to the house, so you need to come for it in person.

The warehouse address and other details, of course, are in the attachment. If the recipient opens it, a backdoor from the Remcos family will be installed on the computer, which allows, in particular, turning the device into zombies, stealing data or downloading other malware.

Fraudsters report delivery on behalf of a large transport company
A similar trick is used by the authors of a fraudulent letter on behalf of another delivery service, which supposedly cannot deliver the package due to an error in the data. The victim is required to confirm information from the attachment, which actually contains another representative of the Remcos family. Pay attention to the sender’s address: it gives out that attackers have little to do with a real company.

Fraudsters pretend to be a large delivery service, but their sender's address gives out
Sometimes spammers insert images of documents in a letter for greater conviction. So, scammers supplemented the text of the letter with a photograph of the receipt, which is impossible to read because of the scale. Clicking on an image is useless - nothing happens to it. It remains only to open a malicious attachment, in the name of which there is a standard extension of the graphic file - .jpg.

If the recipient's email client does not display the true extensions, such an attachment is easily mistaken for an image. In fact, this is an executable .ace archive, which will start as soon as you click on it. Inside the archive is the Noon spyware program.

To convince the victim to open the attachment, attackers demand to send the missing information before they enter quarantine.

In the attachment of the letter, instead of the receipt picture, there is an archive with double extension
Another topic that is not new, but relevant in the current situation for malicious email, is delivery delay. The scenario is very believable, and for details the scammers in the example below again send the user to the attachment. It hides the Bsymem Trojan, which allows attackers to control the device and steal data. To further lull the recipient's vigilance, the bottom of the letter means that it was allegedly checked by a mail protection solution and does not contain malicious files and links.

Fraudsters report delivery delays due to COVID-19
Many spammers simply insert the mention of COVID-19 in old malware distribution patterns. But there are letters in which the main emphasis is placed on the introduction of quarantine and the rapid development of the pandemic.

For example, the story that the government banned the import of any goods into the country and the package went back is clearly completely inspired by the current situation.

Fraudsters claim that the government has closed the import of goods into the country
The attachment allegedly contains a tracking number for the order, according to which it will be possible to request re-sending it when the epidemic goes into decline. By opening the file, the recipient risks installing the Androm backdoor, which gives attackers remote access to the victim’s computer.

Phishing: chasing accounts on delivery sites
Phishing scammers also take advantage of the difficult situation in the delivery market. We found both very plausible copies of legitimate sites and fake tracking pages. Both of them, of course, mention the coronavirus.

So, hunters for customer accounts of a major express delivery service in detail repeated the interface of the official website’s homepage, including the latest news about the epidemic.

This is the home page of the delivery service site (left) and a phishing resource that imitates it (right)


A copy of the official site of another Kursk service, on which the coronavirus is also mentioned in the news, also looks no less detailed.

A phishing resource that mimics the front page of a major courier service site

But the authors of the fake portal for tracking packages added COVID-19 to the copyright line. There is not much other information on the page: a form for entering credentials and a list of “partners” - email services. It is not known for certain what the scammers wanted to say with this list, but it can be assumed that the names of well-known companies will increase confidence in the site.

Note that this technique is often found on phishing pages aimed at stealing usernames and passwords from email. Anyway, if the victim enters his credentials on this resource, they will leak to the scammers, and the fate of the package will remain unknown.

Fake Shipment Tracking Page

How not to fall for the scammers
Against the background of the epidemic and a large number of really delayed packages, fake sites have good chances to convince the user, and letters catch their attention. Especially if you are really waiting for the package. Or if the information about the shipment came, say, to work mail, and you have every reason to think that one of the colleagues could place the order. In order not to fall for the scammers:

• Look carefully at the sender’s address - if the letter came from a free email service or contains a meaningless set of characters in the name of the mailbox, you are most likely a fake. True, do not forget that the sender address in the letters may well be faked.
• Pay attention to the text. A large company will definitely not send out letters with crookedly formatted text and a lot of grammatical errors.
• Do not open attachments in letters from delivery services, especially if the sender in every way pushes you to this. It is better to look into your personal account on the website of the transport company or check the tracking of the parcel by number by driving the address of the page you need into the browser manually. The same thing should be done if you received a letter demanding to urgently click on the link.
• Take special care if the coronavirus is mentioned or not mentioned there. Cybercriminals use hot topics to catch the victim’s attention, so in no case should you react to such messages in a hurry.
• Use a reliable security solution that detects malicious attachments and blocks a phishing site.

Source

 

[Kiril Harchevnikov]

Let's be careful! Thanks for the analysis!