The United Parcel Service (UPS) says fraudsters have been harvesting telephone numbers and different info from its on-line cargo monitoring device in Canada to ship extremely focused SMS phishing (a.okay.a. “smishing”) messages that spoofed UPS and different high manufacturers. The missives addressed recipients by identify, included particulars about latest orders, and warned that these orders wouldn’t be shipped except the client paid an added supply payment.
In a snail mail letter despatched this month to Canadian prospects, UPS Canada Ltd. mentioned it’s conscious that some bundle recipients have obtained fraudulent textual content messages demanding fee earlier than a bundle may be delivered, and that it has been working with companions in its supply chain to attempt to perceive how the fraud was occurring.
The latest letter from UPS about SMS phishers harvesting cargo particulars and telephone numbers from its web site.
“Throughout that overview, UPS found a technique by which an individual who looked for a specific bundle or misused a bundle look-up device may get hold of extra details about the supply, probably together with a recipient’s telephone quantity,” the letter reads. “As a result of this info could possibly be misused by third events, together with probably in a smishing scheme, UPS has taken steps to restrict entry to that info.”
The written discover goes on to say UPS believes the info publicity “affected packages for a small group of shippers and a few of their prospects from February 1, 2022 to April 24, 2023.”
As early as April 2022, KrebsOnSecurity started receiving ideas from Canadian readers who had been puzzling over why they’d simply obtained one among these SMS phishing messages that referenced info from a latest order they’d legitimately positioned at a web based retailer.
In March, 2023, a reader named Dylan from British Columbia wrote in to say he’d obtained one among these transport payment rip-off messages not lengthy after putting an order to purchase gobs of constructing blocks straight from Lego.com. The message included his full identify, telephone quantity, and postal code, and urged him to click on a hyperlink to mydeliveryfee-ups[.]information and pay a $1.55 supply payment that was supposedly required to ship his Legos.
“From looking out the textual content of this phishing message, I can see that lots of people have skilled this rip-off, which is extra convincing due to the data the phishing textual content incorporates,” Dylan wrote. “It appears prone to me that UPS is leaking info someway about upcoming deliveries.”
Josh is a reader who works for a corporation that ships merchandise to Canada, and in early January 2023 he inquired whether or not there was any details about a breach at UPS Canada.
“We’ve seen lots of our prospects focused with a fraudulent UPS textual content message scheme after putting an order,” Josh mentioned. “A hyperlink is supplied (usually solely after the client responds to the textual content) which takes you to a captcha web page, adopted by a fraudulent fee assortment web page.”
Pivoting on the area within the smishing message despatched to Dylan reveals the phishing area shared an Web host in Russia [91.215.85-166] with almost two dozen different smishing associated domains, together with upsdelivery[.]information, legodelivery[.]information, adidascanadaltd[.]com, crocscanadafee[.]information, refw0234apple[.]information, vista-printcanada[.]information and telus-ca[.]information.
The inclusion of big-name manufacturers within the domains of those UPS smishing campaigns suggests the perpetrators had the flexibility to focus their lookups on UPS prospects who had just lately ordered gadgets from particular firms.
Makes an attempt to go to these domains with an internet browser failed, however loading them in a cellular system (or in my case, emulating a cellular system utilizing a digital machine and Developer Instruments in Firefox) revealed the primary stage of this smishing assault. As Josh talked about, what first popped up was a CAPTCHA; after the customer solved the CAPTCHA, they had been taken by way of a number of extra pages that requested the consumer’s full identify, date of delivery, bank card quantity, handle, e-mail and telephone quantity.
A smishing web site focusing on Canadians who just lately bought from Adidas on-line. The location would solely load in a cellular browser.
In April 2022, KrebsOnSecurity heard from Alex, the CEO of a expertise firm in Canada who requested to depart his final identify out of this story. Alex reached out when he started receiving the smishing messages nearly instantly after ordering two units of Airpods straight from Apple’s web site.
What puzzled Alex most was that he’d instructed Apple to ship the Airpods as a present to 2 totally different folks, and fewer than 24 hours later the telephone quantity he makes use of for his Apple account obtained two of the phishing messages, each of which contained salutations that included the names of the folks for whom he’d purchased Airpods.
“I’d put the recipient as totally different folks on my staff, however as a result of it was my telephone quantity on each orders I used to be the one getting the texts,” Alex defined. “That very same day, I acquired textual content messages referring to me as two totally different folks, neither of whom had been me.”
Alex mentioned he believes UPS Canada both doesn’t totally perceive what occurred but, or it’s being coy about what it is aware of. He mentioned the wording of UPS’s response misleadingly suggests the smishing assaults had been someway the results of hackers randomly trying up bundle info by way of the corporate’s monitoring web site.
Alex mentioned it’s seemingly that whoever is accountable discovered learn how to question the UPS Canada web site for less than pending orders from particular manufacturers, maybe by exploiting some sort of software programming interface (API) that UPS Canada makes or made accessible to its largest retail companions.
“It wasn’t like I put the order by way of [on Apple.ca] and a few days or even weeks later I acquired a focused smishing assault,” he mentioned. “It was kind of the identical day. And it was as if [the phishers] had been being notified the order existed.”
The letter to UPS Canada prospects doesn’t point out whether or not some other prospects in North America had been affected, and it stays unclear whether or not any UPS prospects outdoors of Canada might have been focused.
In an announcement supplied to KrebsOnSecurity, Sandy Springs, Ga. primarily based UPS [NYSE:UPS] mentioned the corporate has been working with companions within the supply chain to grasp how that fraud was being perpetrated, in addition to with regulation enforcement and third-party consultants to determine the reason for this scheme and to place a cease to it.
“Regulation enforcement has indicated that there was a rise in smishing impacting quite a lot of shippers and many alternative industries,” reads an e-mail from Brian Hughes, director of economic and technique communications at UPS.
“Out of an abundance of warning, UPS is sending privateness incident notification letters to people in Canada whose info might have been impacted,” Hughes mentioned. “We encourage our prospects and basic shoppers to be taught concerning the methods they will keep protected towards makes an attempt like this by visiting the UPS Struggle Fraud web site.”
