A phishing campaign utilized an XSS vulnerability in UPS.com to push fake and malicious ‘Invoice’ Word documents. The phishing scam pretended to be an email from UPS stating that a package had an “exception” and needs to be picked up by the customer. This vulnerability allowed the threat actor to distribute a malicious document through a remote Cloudflare worker but made it look like it was being downloaded directly from UPS.com.
The phishing scam was first discovered by security research Daniel Gallagher and pretended to be an email from UPS stating that a package had an “exception” and needs to be picked up by the customer, as Bleeping Computer reports.
The document attached to the scam emails is named ‘invoice_1Z7301XR1412220178’, with the pretence that this is a shipping invoice from UPS. If opened, the document appears to be unreadable, prompting the user to ‘Enable Content’ to view it correctly. If enabled, the macros attempt to download a file from a website, and this is the source of the malware.
To understand more about the incident, Digital Journal caught up with David Pickett, Senior Cybersecurity Analyst at Zix | AppRiver.
Pickett begins by delving into the nature of the attack and the implications that stem from it, noting: “The type of phishing attack that targeted UPS customers is one we refer to as Living off the Land (LotL) phishing.”
As to what LotL means, Pickett says this “Occurs when cybercriminals abuse otherwise legitimate services to “blend in with the crowd” and mask the true nature of their message.”
In terms of the specific, Pickett explains: “The Zix threat research team has seen a huge uptick in this type of phishing attack over the past few years. The attacks vary greatly in theme and brand being impersonated.”
The concern is, Pickett says is with “More attackers have begun posing as a shipping service since the pandemic began, given that consumers are spending less time in stores and shopping more online. Many threat actors are experts in social engineering and have been known to launch these types of LotL phishing attacks from compromised accounts so that the sender is an actual contact of the recipient.”
As to what lessons the wider business community can learn from this incident, Pickett recommends: “In order to help reduce the risk of LotL and other email threats, organizations should implement multi-factor authentication, which provides an extra layer of security for authenticating users. Organizations should also limit authorized use of third-party services when possible, as this will help reduce the attack surface that criminals constantly work to exploit.”
He adds further that: “Organizations should use end to end email encryption for any message containing confidential or personally identifiable information and ensure their email security solution is capable of dynamically analyzing email attachments and URLs.”
Pickett’s final words of advice are: “If there is any suspicion about a message or transaction, it never hurts to call the sender. Most will be glad of your security protocols in place to help prevent fraud.”
