Researchers discovered that threat actors are increasingly deploying scams that impersonate package couriers such as DHL or the United States Postal Service in authentic-looking phishing emails to trick victims into downloading credential-stealing or other malicious payloads. Separately on Thursday, researchers from Avanan, a Check Point firm, and Cofense identified current phishing scams that use malicious links or attachments to infect computers with Trickbot and other malware.
Researchers stated that the campaigns relied on two things: trust in commonly used shipping services, and employees' familiarity with receiving emailed documents tied to shipments. Both were used to provoke the further action needed to compromise corporate systems.
The emails used to deliver Trickbot in recent delivery-themed campaigns carried official USPS branding as well as third-party social-media logos from Facebook, Instagram, LinkedIn, and Twitter, "to make the email look even more credible," researchers said. The sender address, however, had nothing to do with the USPS, a tell that could easily have alerted a recipient to the emails' true purpose, they noted.
If the bait works and a user clicks on the link to the alleged invoice, they are routed to a domain that downloads a ZIP file, hxxps:/www.zozter[.]com/tracking/tracking[.]php. The unzipped file is an XLSM spreadsheet named “USPS_invoice_EA19788988US.xlsm” that claims to be protected and asks the user to enable editing, a common lure in malicious email campaigns. If a victim goes so far as to enable editing, a malicious PowerShell process is launched, which eventually downloads Trickbot.
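As a defender-side illustration of the two tells described above (a courier brand invoked in the display name or subject while the From address sits on an unrelated domain, and a ZIP or macro-enabled spreadsheet offered as the "invoice"), the following added example, which is not code from the article or the researchers, triages a constructed message. The domain allowlist and the sample headers are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Courier brands the article names, mapped to sender domains assumed legitimate for
# them (the allowlist is an assumption for this example; tune it from your mail logs).
BRAND_DOMAINS = {"usps": {"usps.com"}, "dhl": {"dhl.com", "dhl.de"}}
# Attachment types the described lure chain used: a ZIP wrapping a macro-enabled workbook.
RISKY_EXTENSIONS = (".zip", ".xlsm")

def brand_mismatch(msg):
    """Return (brand, sender_domain) when the display name or subject invokes a courier
    brand but the From address is not under that brand's domain; otherwise None."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{display} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text):
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return brand, domain
    return None

def risky_attachments(msg):
    """List attachment filenames whose extension matches the lure's file types."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(RISKY_EXTENSIONS)]

def triage(raw):
    """Parse a raw RFC 822 message and return human-readable findings (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    hit = brand_mismatch(msg)
    if hit:
        findings.append(f"brand '{hit[0]}' claimed but sender domain is {hit[1]}")
    findings += [f"risky attachment {name}" for name in risky_attachments(msg)]
    return findings

# Constructed sample modelled on the USPS-themed lure (not a captured message).
SAMPLE = """\
From: "USPS Tracking" <notice@unrelated-sender.test>
Subject: USPS invoice EA19788988US
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="USPS_invoice_EA19788988US.zip"
Content-Disposition: attachment; filename="USPS_invoice_EA19788988US.zip"

UEsDBAo=
--b1--
"""
```

Running `triage(SAMPLE)` reports both the brand/domain mismatch and the ZIP attachment, while a message from a domain under the brand's allowlist with no risky attachment returns an empty list.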
According to Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, the DHL spoofing campaign likewise presents what the threat actors want victims to believe is a shipping document, but this time as an attachment. “By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to checking for shipping notifications,” he wrote.
This practice has become so widespread that DHL has achieved the dubious distinction of replacing Microsoft at the top of Check Point Software's list of brands most mimicked by threat actors in the fourth quarter of 2021. Scams involving the courier accounted for 23% of all phishing emails during that time period, but the company's name was associated with only 9% of scams in the third quarter.
Researchers attributed the increase in package-delivery fraud to several factors. Spoofing DHL made perfect sense in the fourth quarter of last year, during the hectic holiday shopping season, according to Fuchs, writing in a report on the latest DHL-related fraud published Thursday.