Bogus FedEx and DHL Phishbait
Researchers at Armorblox describe an ongoing phishing campaign that’s using phony FedEx and DHL shipping notifications as phishing lures.
“A few days ago, the Armorblox threat research team observed an email impersonating FedEx attempt to hit one of our customer environments,” the researchers write. “The email was titled ‘You have a new FedEx sent to you’ followed by the date the email was sent. The email contained some information about the document to make it seem legitimate, along with links to view the supposed document.”
The emails contained links to the Quip document hosting service, where the attackers had set up a landing page with a link to a spoofed Office 365 login page. The DHL phishing scam used a similar technique.
“The email sender name was ‘Dhl Express’ and title was ‘Your parcel has arrived’, including the victim’s email address at the end of the title,” Armorblox says. “The email informed victims that a parcel arrived for them at the post office, and that the parcel couldn’t be delivered due to incorrect delivery details. The email includes attached shipping documents that victims are guided to check if they want to receive their delivery.”
These emails contained an HTML attachment that opened what appeared to be a blurred-out spreadsheet behind an Adobe login box. The login overlay had the user’s email address pre-filled in the first box, so the researchers believe the attackers were trying to trick the user into entering their email password rather than their Adobe account credentials.
The researchers conclude that people should use a combination of training and technical defenses such as two-factor authentication to defend themselves against these attacks.
“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” they write. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the email sender name ‘Dhl Express’ instead of ‘DHL Express’, Why does this shipping details document have an HTML extension? etc.).”
What might users be trained to look for? Poor idiomatic control, for one thing. The logos and layouts are very nicely done, but the words are a bit clumsier: DHL and FedEx have better writers. New-school security awareness training can create a culture of security within your organization so your employees can recognize phishing and other types of social engineering attacks.