Credential Phishing Attack Impersonating USPS Targets Consumers Over the Holidays

 

As the year draws to a close, the 2020 holiday season is being actively targeted by malicious actors. In recent months, cybercrime related to online shopping has risen steadily as people have increasingly shopped online this year. Security experts have predicted a further spike in cyber scams during the holiday season, especially throughout December.

On Wednesday, Abnormal Security Corporation disclosed that its email security platform had blocked a credential phishing attack that imitated the U.S. Postal Service to obtain victims' credit card credentials. The attack asked recipients to pay special delivery charges so that they could get their delivery within three days.

Companies reported that people are seeking fast order delivery and that online orders are continuing to pour in; because of this, courier services are facing more pressure from consumers. Demand for online shipping has increased mainly because of the pandemic, and this rise is turning out to be dangerous for inexperienced customers of USPS, Amazon, FedEx, and UPS. In a related blog post, Abnormal Security said that the hackers were taking advantage of customers who were looking for fast delivery over the holidays.

Recent research by Check Point revealed that shipping-related phishing emails increased 440 percent in November 2020 compared with the previous month of October. Furthermore, more phishing scams are anticipated this holiday season.

Abnormal Security said in its blog post that it managed to block the attacker before it could hack 15,000 to 50,000 customer mailboxes.

According to intelligence, the attack imitates delivery notification emails from the USPS, telling customers that their parcel cannot be delivered until their payment is confirmed. Although the platform has been hacked, the emails appeared to originate from the real US Postal Service because they used all the official features of the US Postal Service. Each email carried a link that led the customer to a fake USPS tracking site asking for special shipping charges for fast delivery; this page ultimately led recipients to share their credit card information.

Hank Schless, Senior Manager, Security Solutions at Lookout, said, "An attack like this can be even more effective if the target accesses it from a mobile device. It’s harder to spot a phishing attack on mobile than it is on a desktop. Since mobile devices have smaller screens and a simplified user experience, people are less inclined to verify the sender’s real email address or identity. In this particular case, if the targeted individual doesn’t know how to preview a link on mobile, they are at higher risk of falling for the scam."

As suggested by Jamie Hart, Cyber Threat Intelligence Analyst at Digital Shadows, users and security teams can follow the steps below to prevent phishing attacks.

• Install antivirus software 
• Frequently update all systems, including the latest security patches and updates
• Use a web filter that blocks suspected websites 
• Offer security training more often, including when and where users should report suspected phishing emails.
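
The sender and link checks that the article says are hard to do by eye on a mobile screen can also be run automatically on the message itself. The Python below is an added example, not code from Abnormal Security, Lookout or Digital Shadows; it assumes usps.com is the only genuine USPS domain, and the function names, rule names and sample message (with reserved .example hosts) are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = ("usps.com",)  # assumption: the only domain accepted as genuine USPS
BRAND = re.compile(r"\busps\b|\bpostal service\b", re.I)
LINK = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def trusted(host):
    """True for usps.com and its subdomains, not for lookalikes that contain it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def usps_lure_findings(raw):
    """Return (rule, detail) pairs for a message that borrows USPS branding."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    branded = bool(BRAND.search(display) or BRAND.search(str(msg.get("Subject", ""))))
    findings = []
    sender_domain = addr.rpartition("@")[2].lower()
    if branded and not trusted(sender_domain):
        findings.append(("sender-domain", sender_domain))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    for href, text in LINK.findall(body):
        host = (urlsplit(href).hostname or "").lower()
        if trusted(host):
            continue
        shown = SHOWN_HOST.search(re.sub(r"<[^>]+>", "", text))
        if shown and trusted(shown.group(1)):
            # Visible text names usps.com, but the click goes somewhere else.
            findings.append(("link-text-mismatch", host))
        elif branded:
            findings.append(("untrusted-link", host))
    return findings

# Constructed sample; the .example hosts are reserved placeholders, not real indicators.
SAMPLE = '''From: "USPS Delivery" <notice@parcel-alerts.example>
Subject: USPS: payment confirmation required for your parcel
Content-Type: text/html; charset="utf-8"

<a href="https://usps-tracking.example/pay">https://tools.usps.com/track</a>
<a href="http://parcel-alerts.example/unsub">Unsubscribe</a>
'''

if __name__ == "__main__":
    print(*usps_lure_findings(SAMPLE), sep="\n")
```

A message whose sender and links all resolve to usps.com or a subdomain produces no findings, so the same function can be used to confirm that genuine notifications pass.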