Malware, Phishing

Credential phishing attack impersonating USPS targets consumers over the holidays

Abnormal Security reported Wednesday that its email security platform blocked a credential phishing attack impersonating the U.S. Postal Service that sought to get victims to give up their credit card credentials and pay a special delivery fee within three days to ensure package delivered.

In a blog post today, Abnormal Security said the attackers sought to take advantage of consumers looking to get packages delivered quickly over the holidays.

These type of scams are prevalent as pointed out in recent research by CheckPoint, which found a 440 percent increase in shipping-related phishing emails in November 2020 when compared with October. More broadly, phishing scams often tie to current events.

According to the Abnormal Security blog, the impersonation attack was blocked then taken down before it could reach approximately 15,000 to 50,000 mailboxes of the one unnamed customer attacked.

This attack itself mimics a delivery notification email from the USPS, notifying the recipient that their package cannot be delivered until their payment gets confirmed. Although the email appears to originate from USPS and features the official USPS logo, the true sender was [email protected]. The email then prompts the recipient to confirm their package by clicking on a link, which leads the recipient to a fake USPS tracking site claiming additional shipping fees must be paid to ensure package delivery. This page asks for payment details to fulfill this charge, prompting the victim to share sensitive credit card information to the scammers. 

Attacks like this create legitimacy through the use of USPS logos in both the email and landing page. The landing page, in addition to a section for payment details, includes a fake tracking number, links that lead to actual USPS webpages, and even a checkbox for the recipient to indicate that they have accepted the USPS Privacy Policy.

Hank Schless, senior manager, security solutions at Lookout, said around the holidays, threat actors will frequently impersonate delivery services to trick people into sharing sensitive personal data. This year, especially during the pandemic when mail and package delivery services have been so overwhelmed, Schless said people will exercise even less caution when receiving one of these messages because they’re desperate to know if their package will arrive on time. 

“An attack like this can be even more effective if the target accesses it from a mobile device,” Schless said. “It’s harder to spot a phishing attack on mobile than it is on a desktop. Since mobile devices have smaller screens and a simplified user experience, people are less inclined to verify the sender’s real email address or identity. In this particular case, if the targeted individual doesn’t know how to preview a link on mobile, they are at higher risk of falling for the scam.”

Jamie Hart, cyber threat intelligence analyst at Digital Shadows, added while these attacks are not uncommon over the holidays, there are a few steps users and security teams can take to help prevent phishing attacks:

  • Update all systems with the latest security patches and updates
  • Install antivirus software on all devices
  • Use a web filter that blocks malicious websites
  • Offer frequent and consistent security training that includes when users should be wary of a link or attachment and where and how to report suspected phishing emails

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.