Hackers hit 10,000 mailboxes in phishing attacks on FedEx and DHL Express | SC Media
Breach, Phishing

Hackers hit 10,000 mailboxes in phishing attacks on FedEx and DHL Express

February 23, 2021
  • Social engineering. The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were from FedEx and DHL. Emails informing users of FedEx scanned documents or missed DHL deliveries are common, so most users tend to take quick action on these emails instead of studying them in detail.  
  • Brand impersonation. In the FedEx attack, the final phishing page spoofs an Office 365 portal packed with Microsoft branding. Requiring Microsoft account credentials to view an invoice document also passes the “logic test” because most people get documents, sheets, and presentations from colleagues every day that consists of the same workflow. The DHL attack payload uses Adobe for its impersonation attempt, with the same underlying logic. 
  • Hosted on Quip and Google Firebase. The FedEx attack flow has two pages, the first one hosted on Quip and the final phishing page hosted on Google Firebase. The inherent legitimacy of these domains lets the email  get past security filters built to block known bad links and files. 
  • Link redirects and downloads. The FedEx attack flow has two redirects, and the DHL attack includes an HTML attachment rather than a URL for its phishing goals. These modified attack flows obfuscate the true final phishing page, another common technique used to fool security technologies that attempt to follow links to their destinations and check for fake login pages.   
prestitial ad