Shipment Scams and the Theft of Credit Card info

Phishing is an age-old technique used to deceive victims into handing over private and confidential information so that the victims, or the information they provided, can be exploited in fraudulent activity. It has also become the most prominent cyber crime worldwide.

According to Wikipedia’s description, phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim’s infrastructure. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site and to traverse any additional security boundaries together with the victim. Since 2020, phishing has been by far the most common attack performed by cybercriminals, with the FBI’s Internet Crime Complaint Center recording over twice as many incidents of phishing as of any other type of computer crime.

The first recorded use of the term ‘phishing’ was in the cracking toolkit AOHell that was created by Koceilah Rekouche in 1995; however, it is possible that the term was used before this in a print edition of the hacker magazine 2600. The word is a leetspeak variant (a system of modified spellings used primarily on the Internet) of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to ‘fish’ for users’ sensitive information.

Attempts to prevent or mitigate the impact of phishing incidents include legislation, user training, public awareness, and technical security measures. Phishing awareness has become important both at home and in the workplace. For instance, from 2017 to 2020 the share of businesses reporting phishing attacks increased from 72% to 86%.

Currently about 150 million phishing e-mails are sent every day, with 16 million getting through the spam filters. About half of these are opened, and 800,000 of the links they contain are then clicked. Every day, more than 80,000 people share sensitive information as a result of these phishing attacks, according to phished.io.

Why does this matter?

It matters because, contrary to popular belief, investing in digital solutions to combat phishing cannot completely eliminate the threat. The information above shows that many organisations and nation-states have attempted legal measures to reduce or eliminate the distribution of phishing campaigns, with little to no success.

Phishing has existed since the birth of the internet, and campaigns continue to be refined and distributed to this day. The integration of the internet into every part of people’s daily lives has also given attackers a stable and extensive platform that reaches the far corners of the planet.

The campaigns

During the month of August 2022, we observed and monitored a specific phishing campaign being circulated. The campaign specifically targets parcel shipments where the recipient is advised that a delivery is pending release after ‘payment of a small fee’.

The emails are structured to look like they come from the national post office or from courier companies, e.g., Fastway Couriers and Aramex, and contain a link to what is presented as the respective company’s payment portal, where the user is to enter their credit card information to pay the ‘small fee’ so their item may be released for delivery.

The website link is usually hidden behind a button in the email labelled ‘pay now’ or something similar. This hides the full URL from the user and makes it a little harder to identify where the link will resolve to once clicked. Upon clicking the link, the user is redirected to a spoofed/fake payment portal requesting credit card details to proceed.

For most people, the requested amount is tiny, usually around R10 to R50 (affordable to almost everyone). The attackers understand how people think and use these low amounts because most people wouldn’t bat an eye and would simply pay the fee, whether they’re expecting a package or not. If you’ve only opened the link and landed on this payment page but have not entered any information or made a payment, now is the time to stop, close the webpage, and report or delete the email.

Unfortunately, if you have fallen prey and provided the requested information, this is where it gets tricky. Law enforcement needs to be alerted, and so does your bank and any other associated financial or credit services. There are many scenarios and examples of how the now-stolen information can be used for fraud, but bear in mind that it will usually happen when least expected. What happens to the information depends on the attacker. They may:

  • Immediately attempt to take additional funds from the account.
  • Slowly siphon small amounts from the bank account that are unlikely to be noticed (i.e. under R100).
  • Create fraudulent accounts in the victim’s name.
  • Hold onto the information until they have met a set quota.
  • Sell the information to the highest bidder.
  • Purchase goods or services.

Why was it not blocked by my email provider or spam filter?

Email providers and security solutions will block most phishing emails received, but they are limited by their knowledge of new and active campaigns, which attackers purposefully revise to avoid detection. Attackers are constantly tweaking the keywords, phrases, and URLs in emails, as well as the structure of the emails, the organisations they impersonate, and the spoofed websites they direct victims to. That this is a successful evasive measure is shown by how long phishing has persisted (since 1995).

Email providers and security solutions have been, and are, constantly improving their ability to detect and block these threats. Using the statistic quoted earlier, 150 million phishing e-mails are distributed daily with only 16 million getting through spam filters. That works out to roughly 10% of spam/phishing emails reaching end-users; put the other way, the solutions are about 90% effective in detecting and blocking these emails.

Examples:

Over the month of August 2022, we observed 121 phishing emails for this one campaign, all sent to the same 5 end-user email addresses, using different sender addresses, parcel numbers, subjects, and other fake identifiers in the mail body.

Some of these made it to the end-user for reasons detailed above.

Investigating further:

Pay attention to the fields highlighted below, as these can help identify when an email is from an illegitimate source or sender. Also note the similarities between some of these examples, which show how campaigns are tweaked over time or come from a different attacker (personal touch).

  • From (Envelope) – the return address. It tells mail servers where to return or bounce the message to, when relevant.
  • From (Header) – the address contained in the ‘From:’ field of an email, which is what recipients see in their mail client.
  • Subject – the single line of text recipients see when they receive the email, usually based on the message topic.
  • Email Body – who it addresses, wording, and clarity.
  • Pay now link URL (the URL in red).

Observations:

Across all of the examples below, we see similarities that should not be ignored, and here are the reasons why:

  • When the email’s ‘From envelope’ and ‘From header’ do not match, the sender’s name seen in your email client (e.g. Outlook, Gmail, etc.) is not the actual sender. This technique is not illegal and is used in email marketing, but it is also misused by attackers who are attempting to hide where the email is from or have spoofed a trusted/known user’s email address.
  • The From addresses use a random domain rather than the proper one. Brand reputation and recognition are extremely important to organisations and their digital communications with customers, and attackers attempt to exploit this trust by using spoofed brand names. Replicating the original/real domain (e.g., cybervision.co.za) is rather difficult and time consuming and is avoided unless the target is deemed to be of high value.
  • The subject contains keywords like parcel, package, delivery, payment, purchase, invoice, etc. to inspire a sense of urgency. This is a form of psychological manipulation to get the user to read the email with urgency and act ‘asap!’
  • The email body does not name a specific customer and/or is very vague regarding what the user is receiving or paying for. This is another psychological manipulation technique, used to inspire curiosity.
  • Also note phrasing and/or spelling errors, as these can signify that the attacker, as in many cases, has no regard for the details or is not a native English speaker (this relates to brand reputation: trusted organisations ensure their emails are clear and concise).
  • URL/Link – Hovering over the URL will show a preview of the destination website. This must always link to the original website. To confirm, simply Google the company name the email claims to be from and it will show their website, which contains their domain name.
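The header fields and observations listed above can be applied mechanically when triaging a reported message. The script below is an added example, not code from the original post: it parses a raw email and reports the indicators discussed (envelope vs header From mismatch, sender domain vs the claimed brand’s domain, urgency keywords in the subject, a generic greeting, and ‘pay now’ link hosts that do not belong to the brand). The sample messages and the brand-to-domain table are constructed for illustration; the `.example` domains are placeholders, not the couriers’ real domains.

```python
"""Triage checks for a suspected parcel-fee phishing email (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand -> registrable domain table. Placeholder values only;
# a real deployment would hold the couriers' actual domains.
KNOWN_BRANDS = {"fastway": "fastway.example", "aramex": "aramex.example"}

# Urgency words from the observations above.
URGENCY_WORDS = {"parcel", "package", "delivery", "payment", "purchase", "invoice", "urgent"}
URL_RE = re.compile(r"https?://[^\s<>]+")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (no PSL)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable indicators found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Envelope sender (Return-Path) vs visible From header.
    envelope = msg.get("Return-Path", "")
    header_from = msg.get("From", "")
    if envelope and domain_of(envelope) != domain_of(header_from):
        findings.append(f"envelope/header From mismatch: {domain_of(envelope)} vs {domain_of(header_from)}")

    # 2. Which brand does the mail claim to be? Does the sender domain match it?
    subject = str(msg.get("Subject", ""))
    display_name = parseaddr(header_from)[0].lower()
    claimed = next((b for b in KNOWN_BRANDS if b in display_name or b in subject.lower()), None)
    if claimed and registrable(domain_of(header_from)) != KNOWN_BRANDS[claimed]:
        findings.append(f"sender domain {domain_of(header_from)} is not the {claimed} domain {KNOWN_BRANDS[claimed]}")

    # 3. Urgency keywords in the subject line.
    hits = sorted(w for w in URGENCY_WORDS if w in subject.lower())
    if hits:
        findings.append("urgency keywords in subject: " + ", ".join(hits))

    # 4. Generic greeting instead of a customer name.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.match(r"\s*dear\s+(customer|client|user)\b", text, re.I):
        findings.append("generic greeting, no customer name")

    # 5. Every link in the body should resolve to the claimed brand's domain.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if claimed and registrable(host) != KNOWN_BRANDS[claimed]:
            findings.append(f"link host {host} does not belong to {KNOWN_BRANDS[claimed]}")
    return findings


def is_suspicious(raw: str) -> bool:
    """A single urgency word is normal for a courier; two or more indicators is not."""
    return len(analyse(raw)) >= 2


# Constructed sample resembling the campaign described above.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-parcel-notify.example>
From: Fastway Couriers <notify@parcel-status.example>
To: victim@example.org
Subject: Your parcel is pending delivery - payment required
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your package is awaiting release. Pay the small fee of R25 now:
http://fastway-payment.example/pay?ref=12345

Regards
"""

# Constructed sample of what a genuine notification would look like.
LEGIT_EMAIL = """\
Return-Path: <bounce@fastway.example>
From: Fastway Couriers <notify@fastway.example>
To: jane@example.org
Subject: Your parcel has been dispatched
Content-Type: text/plain; charset=utf-8

Dear Jane Smith,

Track it at https://www.fastway.example/track/123
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE_EMAIL", SAMPLE_EMAIL), ("LEGIT_EMAIL", LEGIT_EMAIL)):
        print(name, "suspicious" if is_suspicious(raw) else "ok")
        for f in analyse(raw):
            print("  -", f)
```

The brand lookup is deliberately simple (a name match in the display name or subject); in practice the brand table is the part worth maintaining, since a sender domain that is merely similar to the real one is exactly what these campaigns rely on.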

The Landing pages

The following images are examples of landing pages that are spoofed and made to look like the originals. They are configured to steal information and the sites have been reported to the authorities and shut down.

All the navigational options, resources and buttons present on these sites shown above are dead links, as in they do not do anything when clicked. The only option that works is the continue/pay/submit button for entering the credit card info. This is another sign that the site is illegitimate.
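A saved copy of such a landing page can be checked for this pattern without ever submitting anything to it. The script below is an added example and not code from the original post: it counts anchors whose `href` goes nowhere against anchors that lead somewhere, and flags any form that collects card-like fields and posts them to a host other than the page’s own. The HTML sample and the host names are constructed for illustration.

```python
"""Dead-link and off-site form audit for a saved landing page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# href values that do nothing when clicked.
DEAD_HREFS = {"", "#", "javascript:;", "javascript:void(0)", "javascript:void(0);"}
# Substrings that suggest a card-entry field (hypothetical list).
CARD_FIELDS = {"cardnumber", "card_number", "ccnum", "cvv", "cvc", "expiry", "exp"}


class PageAudit(HTMLParser):
    """Collect anchor liveness and form targets while parsing."""

    def __init__(self):
        super().__init__()
        self.dead_links = 0
        self.live_links = 0
        self.forms = []            # each: {"action": str, "fields": [names]}
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # attribute values may be None
        if tag == "a":
            href = (a.get("href") or "").strip().lower()
            if href in DEAD_HREFS:
                self.dead_links += 1
            else:
                self.live_links += 1
        elif tag == "form":
            self._current_form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current_form)
        elif tag == "input" and self._current_form is not None:
            self._current_form["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def audit(html: str, page_host: str) -> dict:
    """Summarise dead vs live links and where card-collecting forms post to."""
    p = PageAudit()
    p.feed(html)
    p.close()
    total = p.dead_links + p.live_links
    card_forms = []
    for f in p.forms:
        if any(any(k in name for k in CARD_FIELDS) for name in f["fields"]):
            # A relative action posts back to the page host itself.
            action_host = urlparse(f["action"]).hostname or page_host
            card_forms.append({"action": f["action"], "offsite": action_host != page_host})
    return {
        "dead_links": p.dead_links,
        "live_links": p.live_links,
        "dead_ratio": (p.dead_links / total) if total else 0.0,
        "card_forms": card_forms,
    }


# Constructed sample: every navigation link is dead, only the pay form works.
SAMPLE_PAGE = """
<html><body>
<nav>
  <a href="#">Home</a> <a href="#">Track</a> <a href="javascript:void(0)">Contact</a>
  <a href="">Help</a> <a href="#">Login</a>
</nav>
<form action="https://collect.example/submit" method="post">
  <input name="cardholder"><input name="cardnumber"><input name="expiry"><input name="cvv">
  <button type="submit">Pay now</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PAGE, "fastway-payment.example"))
```

A page whose navigation is entirely dead and whose only working form sends card fields to a different host matches the landing pages described above; a genuine courier site has a working header, footer and tracking links.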

The undeniable truth

Phishing is not going away anytime soon. Instead, it improves with every revision of a campaign. Governments, big data organisations and other enterprises have chosen to implement laws, regulations, policies, and procedures that restrict the unlawful distribution of these threats and prescribe how people and businesses should react to them, but criminals target and exploit weak links. In the tech industry, a computer, machine, or piece of software can be programmed to perform a task and will never deviate from its set of instructions. Humans, on the other hand, are fallible and emotional beings who have some hand in the programming and/or operation of that technology, implying that at some point a person will inevitably introduce a vulnerability or oversight that attackers will find and exploit.

The statistics show that less than 1% of the spam and phishing emails distributed daily are ever clicked on, but 1% is more than enough in a world with 5.5 billion active internet users, as of 31 July 2022. Internet Usage Stats can be viewed here.

Despite the low success rate, phishing is still widely used by hackers and other threat actors to gain access to confidential information. It is clearly still effective enough.