Phishing Campaign Mimics FedEx, DHL ExpressFake Messages About Package Delivery Designed to Steal Credentials
A phishing campaign tried to steal credentials by sending emails that purported to come from DHL Express and FedEx, reports security firm Armorblox.
The phishing emails claimed the recipients had a parcel to be delivered. When the targets clicked on a malicious link within the emails, they were redirected to fake Microsoft and Adobe login pages, through which the attackers attempted to harvest email passwords.
Armorblox says the campaign, which used legitimate hosting services Quip and Google Firebase to bypass security, is estimated to have targeted 10,000 potential victims.
The phishing page for the FedEx campaign, hosted on Quip, resembled Microsoft’s login portal to trick the victims to enter their credentials.
"Entering fake details on this page reloads the login portal with an error message asking the victim to enter correct details," the report says. "This might point to some backend validation mechanism in place that checks the veracity of entered details. Alternately, attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered."
Armorblox notes the phishing emails portrayed as coming from to come from DHL contained a malicious HTML file titled 'SHIPPING DOC.' If a victim clicked the HTML file, they were redirected to a login page that impersonated the Adobe brand.
Because the login page was pre-filled with the victim's work email, the attackers were likely attempting to trick the victims to enter their email passwords, the researchers say.
"Just like with the FedEx phishing attack, entering fake details on this page returns an error message asking the victim to enter correct details," the report states.
Social Engineering Tactics
Hackers waging phishing campaign increasingly are relying on social engineering tricks to entice victims to clicking malicious links, security researchers say.
"There are few brands like FedEx, DHL, and UPS that can quickly capture the attention of targets," says Chris Hazelton, director of security solutions at Lookout. "The goal here is to get people to click what they think is a valid link and then present them with a fake login page that they will recognize. If the fake page is convincing enough, then many users will login without thinking about it. These are the risks of cloud services - while they are accessible from any browser, many users inherently trust login screens that they recognize."
Organizations should train their employees to identify common patterns of phishing attacks, says Erich Kron, security awareness advocate at KnowBe4.
"They should look for fake reply-to addresses, hover over links that go to websites to ensure they go to a legitimate site and to look at the URL bar in the browser when they are taken to a login screen in order to ensure they are at the right place," Kron says. "In addition, the use of multifactor authentication that requires an additional code to be able to log in will help keep these accounts safer."