UK consumers should be wary of fake delivery notifications arriving into email inboxes, warns an anti-phishing email product company. The scammers are banking on tricking online spenders, according to PhishMe. Consumers are expecting messages from retailers, and the delivery companies used to ship ordered goods, so guards are lowered making them susceptible to phishing messages laden with malware. With many shopping from office computers, businesses could also find themselves infected too.
Aaron Higbee, CTO at PhishMe, says, “Every December we see two perennial themes utilised by threat actors taking advantage of consumers’ desire to save money during the festive shopping season, and the anticipation of an order or gift’s upcoming delivery, and this year is no exception. We’ve identified a ‘UK Mail’ phishing campaign that purported notification refers to a failed attempt to deliver a package. The message informed its victims that they must open the attached file to print information that can be used to retrieve the supposed package from a local post office. However, by opening the attached document, and engaging with the embedded macro, the victim instead infected their machine with the Dridex financial crime trojan.”
Other examples of hostile shipping information emails claim to inform recipients about tracking or confirmation data. One such example refers to a DHL shipment implied to be en route to the email recipient. Attached to the message is a .zip archive that instead contains an executable used to place a keylogger malware on victims’ machines. In the United States, one identified campaign claimed to deliver a coupon for a Black Friday LogMeIn discount, but instead delivered the Neverquest financial crimes Trojan – a malware also known as Vawtrak.
Aaron adds: “Threat actors attempt to leverage in any way the festive shopping and shipping season to further their criminal agendas. This is clear and evident in the phishing email narratives employed during the Christmas season as a means for delivering malicious software. However, through education and application of threat intelligence, it is possible to both train people how to avoid falling for these phishing lures as well as bolster an organisation’s ability to effectively respond to relevant threats.”
