What should you do if you receive a suspicious text message?ĭo NOT engage. For example, the fact that the phish will block non-mobile users from connecting helps the attack stay active longer and avoid detection. This helps identify the most vulnerable targets for future attacks as well as improve evasion. The attacker records if the user clicks the link and if they fall for the phish. In many cases with SMS phishing, each link tracks an individual phone number. The phishing site could only be accessed if a user was based in the US and accessing the phishing site from a mobile device. If a user clicked the link on a desktop computer, then the same redirect chain would occur sending the user to a random scam network chain. Mobile Users: The phishing sites also ensured that a user was accessing the website using a mobile device by checking the user agent. At this time, we are unable to assert whether the scam network has any links or ties to the threat actors conducting the credential phishing. If the user was not located in the target area, then they would be redirect into a common scam network. We found that this campaign's users had to be located in the US in ord er to access the phishing site.
Ups verify email address scam code#
Geo-Filtering: When a user attempts to access the website, the code in the background will check for the accessing user's location. If a website is taken down the threat actor has another site already installed just one number different. These are usually used by threat actors to enable them to create hundreds of fake websites simply by changing a digit. The URLs also contain a randomly generated number. URL Construction: The URLs are all different in their structure however, they all feature UPS.
Ups verify email address scam install#
As a result, it is now commonplace for phishing websites to install a TLS certificate on their websites to prevent arousing suspicion that the website is fake. Many sites where there is not a TLS certificate are flagged by the user's browser to alert and protect them. This means that the websites are using HTTPS, ensuring an encrypted connection between the host and the website. TLS Certificate: All the observed URLs are utili z ing a TLS certificate which has an issuer of DST Root CA X3. As a result of this, we can see automation patterns in the data and draw the following correlations. Threat actors frequently utili z e automated deploy ment scripts to speed up the building of campaigns allowing them to create hundreds of URLs every hour.
This is part of why this particular threat remains effective. While detection can use image processing, it is more resource intensive and less popular of a feature. Phishing detection vendors have struggled to identify and block UPS branded phishing because of the the letter s "ups" having legitimate uses in many contexts. However, the challenge begins before a text message ever makes it to a consumer. A rapid increase in o nline shopping means additional shipments made to p eople who are not used to buying everything online and are unfamiliar with basic personal protection measures when it comes to validating branded SMS messages. The pandemic has given them a golden opportunity to moneti ze e-commerce- a market segment that has grown exponentially. Threat actors are incredibly adept at adapting to, and taking advantage of, changing conditions in the global marketplace.
įake UPS Tracking Number Page Fake UPS Payment Page WHY IT MATTERS While the attack is impersonating UPS, its objective is to collect personal credit card numbers and accounts for VISA, Master c ard, American Express, and Discover. The site directs the user to enter their credit card payment information to schedule a new delivery. Once the user has clicked the link, the phishing website shows the victim what appears to be a UPS tracking number and updates. Much like the previous email version of the attack, the text message informs the user that they have missed a package delivery and provides a link to receive more information. We have observed in this attack that the URLs consistently vary per user. The attackers h ave converted a popular UPS email phishing lure to text message. WMC Global ’ s Threat Intelligence Team has identified a massive ongoing SMS phishing attack beginning 02.16.21 with 70,000+ unique URLs. Many email and security teams are becoming more effective at blocking attacks, but phishers are targeting new gaps in remote workforce and SMS phishing detection. Specifically, threat actors are increasing the delivery of phishing campaigns via text message to avoid email vendor protections to deliver phishing directly to victims. Phishers are well known for identifying and exploiting security weaknesses.
0 kommentar(er)
