
Phishing Campaign Uses UPS Website to Send Malware

A clever UPS-themed phishing campaign utilized a Cross-Site Scripting (XSS) vulnerability in to push fake and malicious ‘Invoice’ Word documents. The phishing scam was first discovered by security researcher Daniel Gallagher, who found an email message pretending to be from UPS stating that a package had an “exception” and needed to be picked up by the customer. What makes this phishing attack stand out is that the threat actor used the XSS vulnerability in to modify the site’s regular page to look like a legitimate download page. This vulnerability allowed the threat actor to distribute a malicious document through a remote Cloudflare worker while making it look like it was being downloaded directly from

This email is filled with numerous legitimate links that perform no malicious behavior. However, the tracking number is a link to UPS’ site that includes an exploit for an XSS vulnerability that injects malicious JavaScript into the browser when the page is opened. The downloaded document is named ‘invoice_1Z7301XR1412220178’ and pretends to be a shipping invoice from UPS. When the document is opened, all of the text is unreadable, and the document prompts the user to ‘Enable Content’ to view it correctly. Once enabled, the macros attempt to download a file from https://divine-bar-3d75.visual-candy.workers[.]dev/blackhole.png. However, this URL is no longer working, so it is not possible to examine the payload.

This phishing scam illustrates the creativity and evolving techniques used by threat actors to distribute malicious files convincingly. Although the email sender clearly showed a suspicious domain, the XSS vulnerability allowed the URL and download page to appear to come legitimately from UPS, so many people would have fallen for this scam.

Analyst Notes

Phishing emails have been, and most likely will be, the most used method of spreading malicious programs. In this case, if the user looks at the sender’s email address, they see unitedparcelservice@paradanta[.]com, which is not a domain that UPS would use. One of the recommended defenses against phishing is to check the email address of the sender. This example shows a malicious sender, but it is also possible for attackers to spoof the sender address if they don’t need to handle replies. Any email that includes a download should be treated as suspicious, especially any Word or Excel file that seems to be “encrypted” or “secure” and asks the recipient to enable macros or click the “Enable Content” button to decrypt the content – these are almost always malicious files.
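The sender-address and macro-attachment checks recommended above can be scripted for mail triage. The following is an added example written for this note, not code from the original research or from any product; it parses a constructed sample message that mirrors the campaign described here (the reported sender unitedparcelservice@paradanta[.]com and the invoice attachment name), and it assumes a defender-maintained allowlist in which ups.com stands in as the brand's legitimate sending domain. The third heuristic, flagging HTML markup inside the query string of a link that points at a trusted domain, is a general indicator of the kind of link this campaign used, not a signature for this specific exploit.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlsplit

# Assumed allowlist: domains each brand legitimately sends from. Populate from
# your own mail-authentication (SPF/DKIM/DMARC) data; ups.com is an assumption here.
LEGIT_SENDER_DOMAINS = {"ups": {"ups.com"}}

# Office formats that can carry VBA macros; legacy .doc/.xls always can.
MACRO_EXTENSIONS = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".xlam")

# Lure phrases used to talk the recipient into enabling macros.
LURE_PHRASES = ("enable content", "enable macros", "enable editing")

# Constructed sample message modelled on the campaign in the write-up.
SAMPLE_EML = """\
From: "UPS Customer Service" <unitedparcelservice@paradanta.com>
To: recipient@example.net
Subject: UPS Delivery Exception - Package Pickup Required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your package has an exception. Track it here:
<a href="https://www.ups.com/track?tracknum=1Z7301XR1412220178&msg=%3Cb%3Eexception%3C%2Fb%3E">1Z7301XR1412220178</a></p>
<p>If the invoice appears unreadable, click Enable Content to view it.</p>
</body></html>
--b1
Content-Type: application/msword; name="invoice_1Z7301XR1412220178.doc"
Content-Disposition: attachment; filename="invoice_1Z7301XR1412220178.doc"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""


def sender_domain(msg):
    """Domain of the envelope-visible From: address, lowercased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def brands_mentioned(msg):
    """Brands named in the From: display name or Subject: (whole-word match)."""
    text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    return [b for b in LEGIT_SENDER_DOMAINS if re.search(rf"\b{re.escape(b)}\b", text)]


def body_html(msg):
    """Best text body of the message as a string (HTML preferred)."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part else ""


def query_has_markup(url):
    """True if any decoded query value carries HTML or a javascript: scheme."""
    values = [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return any("<" in v or "javascript:" in v.lower() for v in values)


def triage(raw_eml):
    """Return a list of finding tags for one raw RFC 822 message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []

    # 1. Brand named in the headers but the sender domain is not on its allowlist.
    domain = sender_domain(msg)
    for brand in brands_mentioned(msg):
        if domain not in LEGIT_SENDER_DOMAINS[brand]:
            findings.append(f"sender-domain-mismatch:{brand}:{domain}")

    # 2. Links on a trusted host whose query string smuggles markup.
    html = body_html(msg)
    for url in re.findall(r'href="([^"]+)"', html, flags=re.I):
        host = (urlsplit(url).hostname or "").lower()
        if query_has_markup(url):
            findings.append(f"markup-in-query:{host}")

    # 3. Social-engineering text asking the reader to enable macros.
    if any(p in html.lower() for p in LURE_PHRASES):
        findings.append("macro-lure-text")

    # 4. Attachments in macro-capable Office formats.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-capable-attachment:{name}")

    return findings


if __name__ == "__main__":
    for tag in triage(SAMPLE_EML):
        print(tag)
```

Each check is independent, so a message that passes the sender check because the attacker spoofed an allowlisted domain (as the note above warns is possible) is still caught by the attachment and lure-text checks; conversely, a link that genuinely points at the brand's own site, as in this campaign, is not trusted on the strength of its hostname alone.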