Published: August 26, 2021, in our Security Fraud News & Alerts Newsletter.
Be on the lookout for a creative UPS phishing campaign that is using an XSS vulnerability in UPS.com to deliver fake, malicious 'Invoice' Word documents. The phishing scam impersonates a UPS message claiming there is an issue with the shipment and that it needs to be picked up by the customer. The clever part of the attack is the use of an XSS vulnerability in UPS.com to modify the site's regular page so that it looks like a legitimate download page. Victims believe they are downloading a legitimate UPS shipping document when it is actually coming from a malicious site.
To make the email seem like the real deal, it contains legitimate links that work as advertised with no malicious behavior. The trap is the tracking number: its link does go to UPS.com, but it includes a line of code that exploits the XSS vulnerability and injects malicious JavaScript into the browser when the page is opened.
The victim is none the wiser, as the malicious Word document appears to be downloaded from UPS but is actually served by the attacker. It is unlikely the target is remotely suspicious at this point, because all signs point to the actual UPS.com page. Even the URL prompting the invoice download is real, so no alarm bells ring.
The downloaded document is named 'invoice_1Z7301XR1412220178' and pretends to be a shipping invoice from UPS. When the document is opened, the text is unreadable, making the prompt to "Enable Content" that much harder to resist.
When enabled, the macros will attempt to download the malware. This phishing scam illustrates the creativity and evolving techniques used by threat actors to distribute malicious files convincingly.
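As an added example (not from the newsletter or from UPS), a mail-gateway style check that flags links pointing at a trusted brand host whose query string or fragment carries script markup, which is the pattern this campaign relied on: the link's domain is genuine, so domain reputation alone passes it. The trusted-host list, marker patterns and sample links are constructed for illustration and do not reproduce the real campaign's payload.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Brand hosts that domain-reputation checks would wave through (constructed list).
TRUSTED_HOSTS = {"ups.com", "www.ups.com"}

# Markup/script markers that have no business in a tracking-number parameter.
MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|javascript\s*:|on\w+\s*=|document\.",
    re.I,
)

def fully_decode(s, limit=3):
    """Peel up to `limit` layers of percent-encoding; payloads are often double-encoded."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_link(url):
    """Return the host, whether it is a trusted brand host, and any suspicious parameters."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    trusted = host in TRUSTED_HOSTS or any(host.endswith("." + h) for h in TRUSTED_HOSTS)
    suspicious = []
    # keep_blank_values so a nameless "?<payload>" parameter is still inspected
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKERS.search(fully_decode(value)):
            suspicious.append(name)
    # The fragment reaches client-side script too (DOM XSS), so check it as well.
    if MARKERS.search(fully_decode(parts.fragment)):
        suspicious.append("#fragment")
    return {"host": host, "trusted": trusted, "suspicious_params": suspicious}

def triage(urls):
    """Return only the links that look like a legitimate brand host abused for reflected XSS."""
    hits = []
    for url in urls:
        result = classify_link(url)
        if result["trusted"] and result["suspicious_params"]:
            hits.append(url)
    return hits

# Constructed sample links as they might be extracted from one phishing email.
SAMPLE_LINKS = [
    "https://www.ups.com/track?loc=en_US&tracknum=1Z7301XR1412220178",   # benign tracking link
    "https://www.ups.com/help",                                             # benign footer link
    "https://www.ups.com/track?loc=en_US&tracknum=%3Cscript%3Ealert(1)%3C%2Fscript%3E",  # constructed XSS-style link
    "https://example.invalid/invoice?tracknum=<script>alert(1)</script>",  # untrusted host, out of scope here
]
```

Running triage(SAMPLE_LINKS) returns only the third link; the fourth is left to ordinary domain-reputation filtering because its host is not a trusted brand.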