Threat Watch

New COVID-19 Related Phishing Campaign Leveraging Package Delivery Issues

With the increasing amount of online shopping taking place as people remain at home, delivery services are being worked overtime. With this increased workload on parcel carrier services many customers have been receiving notifications that packages have been delayed under the increased strain. Scammers are now taking advantage of these delays and are sending out phishing emails claiming to be from popular package carriers including UPS, FedEx and DHL. The emails claim to be notifying customers of a delay for reasons ranging from government lockdowns to incomplete delivery details. The emails request that the recipient open an attached document where they can fill out new delivery details or to follow a link for similar purposes. Versions of these emails which contain attachments have been found to install either the Remcos RAT, or Bsymem Trojan. Versions which contain links redirect users to phishing sites.

ANALYST NOTES

Since the start of the pandemic, attackers have been finding newer and more inventive ways to leverage current events to target users through malicious emails. It is important to note that parcel carriers will not typically request customers to fill out any document attached to an email, but instead would use web-portals at their well-known websites to manage deliveries. Users should be suspicious of emails from parcel carriers when no packages are expected through that carrier’s service. The emails which have been seen in this campaign have varied in sophistication—some include standard disclaimers and messages at the bottom, including an unsubscribe link. Other messages have utilized poor spelling and grammar, including the use of “pls” in places of the word please. In this instance, very simple protection from this campaign even when a package is expected is to navigate to the carrier’s website and check there for messages and package status. If a Remote Access Trojan is installed on a corporate workstation, it can be used by attackers to cause major damage to the company’s data and brand. In addition to email filtering and employee education, it is important to monitor workstations and servers for attacker activity and quickly cut off any unauthorized remote access to corporate computers. More information on this incident can be found at https://www.bleepingcomputer.com/news/security/fake-fedex-and-ups-delivery-issues-used-in-covid-19-phishing/