Login
One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.
KrebsOnSecurity recently heard from a reader who was puzzled over an email he’d just received saying he needed to review and complete a supplied W-9 tax form. The missive was made to appear as if it were part of a mailbox delivery report from Microsoft 365 about messages that had failed to deliver.
The reader, who asked to remain anonymous, said the phishing message contained an attachment that appeared to have a file extension of “.pdf,” but something about it seemed off. For example, when he downloaded and tried to rename the file, the right arrow key on the keyboard moved his cursor to the left, and vice versa.
The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.
Look carefully at the screenshot below and you’ll notice that while Microsoft Windows says the file attached to the phishing message is named “lme.pdf,” the full filename is “fdp.eml” spelled backwards. In essence, this is a .eml file — an electronic mail format or email saved in plain text — masquerading as a .PDF file.
“The email came through Microsoft Office 365 with all the detections turned on and was not caught,” the reader continued. “When the same email is sent through Mimecast, Mimecast is smart enough to detect the encoding and it renames the attachment to ‘___fdp.eml.’ One would think Microsoft would have had plenty of time by now to address this.”
Indeed, KrebsOnSecurity first covered RLO-based phishing attacks back in 2011, and even then it wasn’t a new trick.
Opening the .eml file generates a rendering of a webpage that mimics an alert from Microsoft about wayward messages awaiting restoration to your inbox. Clicking on the “Restore Messages” link there bounces you through an open redirect on LinkedIn before forwarding to the phishing webpage.
As noted here last year, scammers have long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedin’s parent firm Microsoft).
The landing page after the LinkedIn redirect displays what appears to be an Office 365 login page, which is naturally a phishing website made to look like an official Microsoft Office property.
In summary, this phishing scam uses an old RLO trick to fool Microsoft Windows into thinking the attached file is something else, and when clicked the link uses an open redirect on a Microsoft-owned website (LinkedIn) to send people to a phishing page that spoofs Microsoft and tries to steal customer email credentials.
According to the latest figures from Check Point Software, Microsoft was by far the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts.
An unsolicited message that arrives with one of these .eml files as an attachment is more than likely to be a phishing lure. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly.
If you’re unsure whether a message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.
In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.
The recent letter from UPS about SMS phishers harvesting shipment details and phone numbers from its website.
“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads. “Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”
The written notice goes on to say UPS believes the data exposure “affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”
As early as April 2022, KrebsOnSecurity began receiving tips from Canadian readers who were puzzling over why they’d just received one of these SMS phishing messages that referenced information from a recent order they’d legitimately placed at an online retailer.
In March, 2023, a reader named Dylan from British Columbia wrote in to say he’d received one of these shipping fee scam messages not long after placing an order to buy gobs of building blocks directly from Lego.com. The message included his full name, phone number, and postal code, and urged him to click a link to mydeliveryfee-ups[.]info and pay a $1.55 delivery fee that was supposedly required to deliver his Legos.
“From searching the text of this phishing message, I can see that a lot of people have experienced this scam, which is more convincing because of the information the phishing text contains,” Dylan wrote. “It seems likely to me that UPS is leaking information somehow about upcoming deliveries.”
Josh is a reader who works for a company that ships products to Canada, and in early January 2023 he inquired whether there was any information about a breach at UPS Canada.
“We’ve seen many of our customers targeted with a fraudulent UPS text message scheme after placing an order,” Josh said. “A link is provided (often only after the customer responds to the text) which takes you to a captcha page, followed by a fraudulent payment collection page.”
Pivoting on the domain in the smishing message sent to Dylan shows the phishing domain shared an Internet host in Russia [91.215.85-166] with nearly two dozen other smishing related domains, including upsdelivery[.]info, legodelivery[.]info, adidascanadaltd[.]com, crocscanadafee[.]info, refw0234apple[.]info, vista-printcanada[.]info and telus-ca[.]info.
The inclusion of big-name brands in the domains of these UPS smishing campaigns suggests the perpetrators had the ability to focus their lookups on UPS customers who had recently ordered items from specific companies.
Attempts to visit these domains with a web browser failed, but loading them in a mobile device (or in my case, emulating a mobile device using a virtual machine and Developer Tools in Firefox) revealed the first stage of this smishing attack. As Josh mentioned, what first popped up was a CAPTCHA; after the visitor solved the CAPTCHA, they were taken through several more pages that requested the user’s full name, date of birth, credit card number, address, email and phone number.
A smishing website targeting Canadians who recently purchased from Adidas online. The site would only load in a mobile browser.
In April 2022, KrebsOnSecurity heard from Alex, the CEO of a technology company in Canada who asked to leave his last name out of this story. Alex reached out when he began receiving the smishing messages almost immediately after ordering two sets of Airpods directly from Apple’s website.
What puzzled Alex most was that he’d instructed Apple to send the Airpods as a gift to two different people, and less than 24 hours later the phone number he uses for his Apple account received two of the phishing messages, both of which contained salutations that included the names of the people for whom he’d bought Airpods.
“I’d put the recipient as different people on my team, but because it was my phone number on both orders I was the one getting the texts,” Alex explained. “That same day, I got text messages referring to me as two different people, neither of whom were me.”
Alex said he believes UPS Canada either doesn’t fully understand what happened yet, or it is being coy about what it knows. He said the wording of UPS’s response misleadingly suggests the smishing attacks were somehow the result of hackers randomly looking up package information via the company’s tracking website.
Alex said it’s likely that whoever is responsible figured out how to query the UPS Canada website for only pending orders from specific brands, perhaps by exploiting some type of application programming interface (API) that UPS Canada makes or made available to its biggest retail partners.
“It wasn’t like I put the order through [on Apple.ca] and some days or weeks later I got a targeted smishing attack,” he said. “It was more or less the same day. And it was as if [the phishers] were being notified the order existed.”
The letter to UPS Canada customers does not mention whether any other customers in North America were affected, and it remains unclear whether any UPS customers outside of Canada may have been targeted.
In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.
“Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries,” reads an email from Brian Hughes, director of financial and strategy communications at UPS.
“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted,” Hughes said. “We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”
Web hosting giant GoDaddy made headlines this month when it disclosed that a multi-year breach allowed intruders to steal company source code, siphon customer and employee login credentials, and foist malware on customer websites. Media coverage understandably focused on GoDaddy’s admission that it suffered three different cyberattacks over as many years at the hands of the same hacking group. But it’s worth revisiting how this group typically got in to targeted companies: By calling employees and tricking them into navigating to a phishing website.
In a filing with the U.S. Securities and Exchange Commission (SEC), GoDaddy said it determined that the same “sophisticated threat actor group” was responsible for three separate intrusions, including:
-March 2020: A spear-phishing attack on a GoDaddy employee compromised the hosting login credentials of approximately 28,000 GoDaddy customers, as well as login credentials for a small number employees;
-November 2021: A compromised GoDaddy password let attackers steal source code and information tied to 1.2 million customers, including website administrator passwords, sFTP credentials, and private SSL keys;
-December 2022: Hackers gained access to and installed malware on GoDaddy’s cPanel hosting servers that “intermittently redirected random customer websites to malicious sites.”
“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company stated in its SEC filing.
What else do we know about the cause of these incidents? We don’t know much about the source of the November 2021 incident, other than GoDaddy’s statement that it involved a compromised password, and that it took about two months for the company to detect the intrusion. GoDaddy has not disclosed the source of the breach in December 2022 that led to malware on some customer websites.
But we do know the March 2020 attack was precipitated by a spear-phishing attack against a GoDaddy employee. GoDaddy described the incident at the time in general terms as a social engineering attack, but one of its customers affected by that March 2020 breach actually spoke to one of the hackers involved.
The hackers were able to change the Domain Name System (DNS) records for the transaction brokering site escrow.com so that it pointed to an address in Malaysia that was host to just a few other domains, including the then brand-new phishing domain servicenow-godaddy[.]com.
The general manager of Escrow.com found himself on the phone with one of the GoDaddy hackers, after someone who claimed they worked at GoDaddy called and said they needed him to authorize some changes to the account.
In reality, the caller had just tricked a GoDaddy employee into giving away their credentials, and he could see from the employee’s account that Escrow.com required a specific security procedure to complete a domain transfer.
The general manager of Escrow.com said he suspected the call was a scam, but decided to play along for about an hour — all the while recording the call and coaxing information out of the scammer.
“This guy had access to the notes, and knew the number to call,” to make changes to the account, the CEO of Escrow.com told KrebsOnSecurity. “He was literally reading off the tickets to the notes of the admin panel inside GoDaddy.”
About halfway through this conversation — after being called out by the general manager as an imposter — the hacker admitted that he was not a GoDaddy employee, and that he was in fact part of a group that enjoyed repeated success with social engineering employees at targeted companies over the phone.
Absent from GoDaddy’s SEC statement is another spate of attacks in November 2020, in which unknown intruders redirected email and web traffic for multiple cryptocurrency services that used GoDaddy in some capacity.
It is possible this incident was not mentioned because it was the work of yet another group of intruders. But in response to questions from KrebsOnSecurity at the time, GoDaddy said that incident also stemmed from a “limited” number of GoDaddy employees falling for a sophisticated social engineering scam.
“As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks,” GoDaddy said in a written statement back in 2020.
Voice phishing or “vishing” attacks typically target employees who work remotely. The phishers will usually claim that they’re calling from the employer’s IT department, supposedly to help troubleshoot some issue. The goal is to convince the target to enter their credentials at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.
Experts interviewed for an August 2020 story on a steep rise in successful voice phishing attacks said there are generally at least two people involved in each vishing scam: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page — including multi-factor authentication codes shared by the victim — and quickly uses them to log in to the company’s website.
The attackers are usually careful to do nothing with the phishing domain until they are ready to initiate a vishing call to a potential victim. And when the attack or call is complete, they disable the website tied to the domain.
This is key because many domain registrars will only respond to external requests to take down a phishing website if the site is live at the time of the abuse complaint. This tactic also can stymie efforts by companies that focus on identifying newly-registered phishing domains before they can be used for fraud.
A U2F device made by Yubikey.
GoDaddy’s latest SEC filing indicates the company had nearly 7,000 employees as of December 2022. In addition, GoDaddy contracts with another 3,000 people who work full-time for the company via business process outsourcing companies based primarily in India, the Philippines and Colombia.
Many companies now require employees to supply a one-time password — such as one sent via SMS or produced by a mobile authenticator app — in addition to their username and password when logging in to company assets online. But both SMS and app-based codes can be undermined by phishing attacks that simply request this information in addition to the user’s password.
One multifactor option — physical security keys — appears to be immune to these advanced scams. The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.
The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.
In July 2018, Google disclosed that it had not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of one-time codes.
FreshRSS 