Action Required, Provide your Sensitive Information before Delivery: UPS Credential Phishing Attack

Lauryn Cash
Written by Lauryn Cash
Threat Research /
Action Required, Provide your Sensitive Information before Delivery: UPS Credential Phishing Attack

In today’s Blox Tale, we will take a deeper look into a credential phishing attack that used a gamut of different techniques in an attempt to steal confidential data. We will see how attackers take advantage of a legitimate company’s brand name and recognition to instill trust in unsuspecting victims.

The attack in the spotlight is a malicious email, spoofing United Parcel Service (UPS), a prominently known multinational shipping & receiving and supply chain management company. The email attack looked like a legitimate UPS Express email, simply reaching out to the customer about a pending parcel delivery. Exploiting our curiosity bias, this email attack attempts to navigate victims to a fake UPS confirmation page where victims are prompted to enter a multitude of sensitive, personal identifiable information.


Summary

Mailboxes: More than 5,000

Target: This attack targeted a major software company for IT solution providers.

Email security bypassed: Microsoft Office 365

Techniques used: Social engineering, brand impersonation, spoofed landing page


The Email

The subject of this socially engineered email attack read, “Your package UPS is Pending !” and looked to be sent from UPS. We see the name of the sender has been manipulated in order to pass the eye test of unsuspecting victims. At first glance, this sender name, uspostalservice@usp.com, can trick victims, especially with the USP being so close to UPS; however, it is the sender name that is the true giveaway here – showing association with US Postal Service (USPS), not to be confused with United Parcel Service (UPS). Additionally, the email domain of the sender ensint.com is not associated with UPS.

The email body spoofed a notification sent from UPS about an upcoming parcel delivery status of pending due to incomplete delivery address. The victim is instructed to reschedule the delivery of the parcel by updating his or her delivery address. Additionally, the attacker instills a sense of urgency by stating the victim has three days to complete this request and collect the package, otherwise additional steps and information will need to be collected.

UPS Credential Phishing Attack - fig 1

Fig 1: Fake email spoofing UPS notification

In this email attack, the attacker played on and took advantage of the victim’s fear of accepting this parcel becoming a hassle. We have all had parcels delivered to us that either needed a signature or proof of identification in order to be collected. If you miss the delivery window or do not have the correct information, then the parcel delivery needs to be rescheduled - and if urgent, can prohibit important goods from being delivered in a timely manner. Attackers know this, and took advantage of the victim(s) of this email attack by stating that increased measures would need to be taken if the recipient’s address information was not updated. Naturally, we as humans want to eliminate stress in our very busy lives; therefore, are more likely to fall victim to this attack - which was exactly the attacker’s goal and motive.

The Phishing Page

Upon clicking the ‘Update my delivery address settings’ link within the body of the email, victims are navigated to a fake landing page. This landing page was purposefully crafted to mimic a legitimate UPS webpage. Attackers showcased the UPS logo prominently and even crafted a fake tagline for the company: “Delivery all over The World”. UPS did retire their well-known slogan, “What can brown do for you”, as the company took a new approach of, “We (heart) logistics”. Attackers chose to take advantage of this, as this crafted fake tagline is relevant to the UPS brand, tricking victims into believing this is the new slogan - making this fake landing page more believable.

UPS Credential Attack_fig 2

Fig 2: Link in email leads to fake UPS confirmation page

The fake landing page also showcased an image of a parcel, bringing to life the idea of a parcel pending delivery. On this page, victims are prompted to enter the parcel number (seen as N° on page) found within the email received, and to click continue.

UPS Credential Attack-fig 3

Fig 3: Fake UPS confirmation page exfiltrates PII & PCI data

Upon clicking ‘continue’, victims are taken to a second screen that asks for sensitive PII information: address, email, phone number, date of birth, as well as sensitive PCI (payment card information). Victims who completed this step in the attack flow would have voluntarily given attackers their most sensitive information and put themselves at risk.

Attack Flow

Attackers used a valid domain to send this malicious email that contained a link to a fake landing page, with the goal to exfiltrate sensitive PII and PCI data. This email attack passed both SPF and SPF Alignment authentication checks. Looking at the Whols information for the URL within the email attack body, the reputation score is ‘trustworthy’, receiving a 92 out of 100 score. This email attack would have bypassed email security solutions that only look at these checks; however, Armorblox accurately detected this bad url within the email attack body through NLU - providing better protection to end users from these types of targeted, malicious attacks.

This email attack impersonated a well-known brand, with the intention to create a sense of trust in the victim. Attackers included legitimate logos and company branding across the email and landing pages, in order to exfiltrate the victim’s sensitive PII and PCI data. Once the attacker succeeded in getting the victim outside of the email, each subsequent action was designed to take further advantage of the victim’s curiosity and trust, as well as the willingness to comply to reduce unnecessary stress or complexity.

UPS Credential Phishing Attack Flow


Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (UPS) and a sense of urgency through the language used within both the email and the fake landing pages. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email has HTML styling and disclaimers similar to UPS branding. The information included within the body of the email attack is similar to legitimate UPS communications, plus the logos used within both the email and landing pages are the same in order to try and trick the victim and instill trust.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 as well as Armorblox highlights this in the 2022 Email Security Threat Report, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use password management software like LastPass or 1password to store your account passwords.

For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below.

Join the Bloxlist

Read This Next