Are you waiting for the package? Do not click on this fake UPS mail

Sophisticated scammers have been dropping malware on unsuspecting victims by inducing them to click on legitimate UPS tracking number links that direct them to the UPS.com website.

Phishing and malware scams can usually be avoided by checking the URL (web address) to which they direct you. Usually, if the URL does not match the site being imitated, it is a dead giveaway.

However, as reported by Twitter user Daniel Gallagher via Bleeping Computer, in this case the victim ended up on the real UPS website, and so may have been more inclined to trust the malicious Word document that was downloaded when he opened the tracking number page.

The Word document itself is intentionally unreadable until the reader clicks on "Enable Content" and more files are downloaded.

Gallagher called it "one of the best phishing emails I've seen in a long time."

UPS.com has since fixed the specific flaw that allowed this scammer to inject malicious code into the company's website, and most of the best antivirus software detects the malicious Word documents. However, this will not be the last time this method is used in phishing or "malspam" (malicious spam) campaigns.

The deception begins with a convincing e-mail message informing you that "a package has encountered an exception."

You are invited to "download and print an invoice to pick up your package at the UPS store" or click on a link for a tracking number.

The only hint that this is bogus is the email sender's address, which includes "unitedparcelservice" but has a different dot-com name. However, it would not be too difficult for the sender to "spoof" a legitimate UPS.com e-mail address if they wanted to.

Usually, email-based phishing scams can be avoided by hovering the mouse cursor over a link in the text. When you do so, the URL of the link will appear at the bottom of the screen.

In this case, however, hovering the mouse cursor over the tracking number or billing link will display the real UPS.com web address. Clicking on either will bring up a page on the UPS website that says, "Download will begin shortly."

The scammer exploits a cross-site scripting (XSS) flaw in the UPS site to add their own code, access another website, retrieve a Word document, and deliver it to site visitors.
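A mail filter can still flag such a link even though its host is genuine. The following is an added example, not code from UPS, Bleeping Computer or the original article: it assumes the injected code travels in the link's query string or fragment (as in a reflected XSS), and the trusted-domain list, parameter names and sample links are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: domains a reader would trust when hovering over a link.
TRUSTED_DOMAINS = {"ups.com"}
# Markup that has no place in a tracking-link parameter: tags, javascript: URIs, on*= handlers.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Constructed sample links (not taken from the real campaign).
SAMPLE_LINKS = [
    "https://www.ups.com/track?loc=en_US&tracknum=1Z999AA10123456784",
    "https://www.ups.com/track?loc=en_US&tracknum=%3Cimg%20src%3Dx%20onerror%3Dload()%3E",
    "https://www.ups.com/track?tracknum=%253Cscript%2520src%253D%252F%252Fexample.invalid%252Fx.js%253E",
    "https://unitedparcelservice.example/track?tracknum=1Z999AA10123456784",
]


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_params(url):
    """Names of parameters (or '#fragment') on a trusted-domain link that carry markup."""
    parts = urlsplit(url)
    if not is_trusted(parts.hostname):
        return []  # off-domain links are already caught by the ordinary hover check
    hits = [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if MARKUP.search(fully_decode(value))]
    if MARKUP.search(fully_decode(parts.fragment)):
        hits.append("#fragment")
    return hits


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(suspicious_params(link) or "clean", link)
```

A hit here means the link deserves quarantine or rewriting even though hovering over it shows the genuine domain; the last sample link is deliberately left to the usual sender and domain checks.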

Once the Word document has been delivered, the scheme becomes like a regular phishing/malspam scam, and this is where it is most easily circumvented.

When you open that Word document, the text will be blurry and unreadable. Microsoft Word will tell you that macros (small scripts that can be run in Office files) are disabled, but the Word file itself tells you to click "Enable Content" to see the text.

Needless to say, you should not enable content in a random Word, Excel, or PowerPoint document downloaded from the Internet.

However, if you do so, a macro in the Word document will probably download a malicious .png image. Unfortunately, by the time Bleeping Computer was able to repeat this process, the image was no longer available, and it is not known exactly what this image contains.

Given the amount of deception and misdirection it took to get to this point, there is no doubt that the image was up to no good.
