UPS Canada warns that its shipment-tracking data has been used to craft highly targeted SMS phishing messages that impersonate UPS and other brands, sometimes including recipients’ names and order details. The attackers then direct victims to fraudulent payment pages after a CAPTCHA, using lookups tied to brands like Lego, Adidas, and Apple to improve credibility.
Keypoints
- UPS Canada reports a data exposure from its shipment-tracking tool that could reveal a recipient’s phone number and other delivery details.
- The exposure occurred for a limited group of shipments from Feb 1, 2022 to Apr 24, 2023.
- Fraudsters used brand-themed look-alike domains (e.g., upsdelivery.info, legodelivery.info, adidascanadaltd.com) and a Russia-based host to run smishing campaigns targeting Canadian customers.
- Messages referenced recipients’ names and recent orders (e.g., Lego, Apple AirPods) to appear legitimate and lure responses.
- Phishing flows typically involve a link to a CAPTCHA page, followed by a fraudulent payment page requiring personal and payment details.
- UPS is cooperating with law enforcement and partners, and is issuing privacy incident notifications to affected Canadian individuals.
MITRE Techniques
- [T1566.003] Spearphishing Link – Targeted SMS messages include a link that leads to a CAPTCHA and then a fraudulent payment page. Quote: “A link is provided (often only after the customer responds to the text) which takes you to a captcha page, followed by a fraudulent payment collection page.”
Indicators of Compromise
- [Domain] upsdelivery.info – Phishing domain used in smishing campaigns targeting UPS customers
- [Domain] legodelivery.info – Brand-tailored phishing domain used in campaigns
- [Domain] adidascanadaltd.com – Brand-themed phishing domain in campaigns
- [Domain] crocscanadafee.info – Campaign domain linked to delivery fee lure
- [Domain] refw0234apple.info – Campaign domain tied to Apple-related orders
- [Domain] vista-printcanada.info – Campaign domain tied to brand lookups
- [Domain] telus-ca.info – Campaign domain associated with Canadian targets
- [IP] 91.215.85-166 – Russian-hosted infrastructure overlapping multiple smishing domains
- [Domain] mydeliveryfee-ups.info – Phishing domain used to collect a delivery fee
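To make the indicator list and the CAPTCHA-then-payment lure described above actionable for a defender, here is an added example (not part of the report or of any UPS tooling) that screens SMS bodies against the listed domains and then against a look-alike heuristic; the brand list, lure tokens, heuristic and sample messages are constructed assumptions of this example.

```python
import re
from urllib.parse import urlsplit
# Phishing domains listed in the Indicators of Compromise above.
KNOWN_PHISHING_DOMAINS = {"upsdelivery.info", "legodelivery.info", "adidascanadaltd.com",
    "crocscanadafee.info", "refw0234apple.info", "vista-printcanada.info", "telus-ca.info", "mydeliveryfee-ups.info"}
# Brands the campaign impersonated (from the page) and lure tokens seen in its domains; the look-alike heuristic is an assumption of this example.
BRANDS = ("ups", "lego", "adidas", "apple", "crocs", "telus", "vista-print", "vistaprint")
LURE_TOKENS = ("delivery", "fee", "canada", "-ca", "ltd")
# Matches explicit http(s) URLs and bare hostnames such as upsdelivery.info/abc
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)

def extract_hosts(sms):
    # Return the hosts found in an SMS body (lower-cased, "www." stripped), in order of appearance.
    hosts = []
    for m in URL_RE.finditer(sms):
        url = m.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        host = (urlsplit(url).hostname or "").removeprefix("www.")
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def is_lookalike(host):
    # Heuristic: a brand name embedded in a longer label alongside a lure token or digits.
    label = host.rsplit(".", 1)[0]  # "mydeliveryfee-ups" from "mydeliveryfee-ups.info"
    if label in BRANDS:  # the brand's own bare domain, e.g. ups.com, is not a look-alike
        return False
    has_brand = any(b in label for b in BRANDS)
    has_lure = any(t in label for t in LURE_TOKENS) or any(c.isdigit() for c in label)
    return has_brand and has_lure

def classify_sms(sms):
    # Return ("known_ioc" | "lookalike" | "clean", hosts) for one SMS body.
    hosts = extract_hosts(sms)
    if any(h in KNOWN_PHISHING_DOMAINS for h in hosts):
        return "known_ioc", hosts
    if any(is_lookalike(h) for h in hosts):
        return "lookalike", hosts
    return "clean", hosts

# Constructed sample messages (not real campaign text) mirroring the lure the page describes.
SAMPLES = [
    "UPS: Hi Alice, your Lego order could not be delivered. Pay the $1.99 fee at https://mydeliveryfee-ups.info/pay",
    "Your Apple AirPods order needs address confirmation: refw0234apple.info/verify",
    "Adidas Canada: customs fee due. ups-canadafee.info/captcha",
    "UPS: package 1Z999 out for delivery. Track at https://www.ups.com/track?loc=en_CA",
]
VERDICTS = [classify_sms(s) for s in SAMPLES]
```

The heuristic deliberately errs toward flagging, so treat a "lookalike" verdict as a triage signal to review, not as an automatic block.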