Group-IB has discovered a large-scale phishing campaign impersonating well-known postal services from Bahrain, Egypt, Kuwait, Qatar, Saudi Arabia, Israel, Jordan, and the United Arab Emirates.
Analysts from the Group-IB Computer Emergency Response Team (CERT-GIB) have discovered over 270 domains that use regional delivery and postal service brands since 2020. The domains were all part of a massive phishing infrastructure. In accordance with its mission of combating cybercrime, CERT-GIB sent notifications to relevant regional Computer Emergency Response Teams upon discovery so that they could take action when new resources appeared.
Perfect Storm
The pandemic-driven explosion in online shopping created a perfect storm for threat actors, who discovered fertile ground for inventing new attack scenarios. Following that, phishing schemes based on the delivery topic became one of the most profitable activities for fraudsters.
As a result, CERT-GIB identified over 400 domains impersonating postal brands as part of this phishing campaign, with more than half of them (276) targeting Middle Eastern users. To target their victims, attackers have been seen using over 30 brands of post services and relevant delivery organizations from over 20 countries around the world. Scammers have impersonated at least 13 different delivery brands, postal operators, and public companies from at least eight different countries in the Middle East, including Bahrain, Egypt, Israel, Jordan, Kuwait, Qatar, Saudi Arabia, and the United Arab Emirates.
Group-IB researchers were able to reveal the links between infrastructures used for attacks in the Middle East using its patented Network Graph Analysis tool:
In fact, the majority of the 276 websites identified at the time of the analysis were inactive. These domains are designed to be short-lived in order to make detection more difficult, and instead, new websites are created on a regular basis. The most recent resource impersonating a Middle Eastern postal brand appeared on July 14, 2022, according to Group-IB.
How the scheme works
Customers awaiting an order may receive an email or an SMS from the national postal service requesting payment for a delivery or customs clearance fee. Following the link from the message, customers are redirected to a phishing page that requests their bank card details in order to process the payment. As soon as the customer submits the form, the sum of the “fee” is deducted from their bank account and transferred to cybercriminals, along with their bank card details.
Additionally, these phishing templates are thoroughly localized: a user in the UAE would see their local postal brand and currency. For instance, on the screengrab of the phishing page below, the victim is required to transfer AED 12.23 (about $3.2). Whereas these cybercriminals would most likely attempt to pocket a bigger amount.
In addition to these scams being highly targeted, cybercriminals have also been using a method to bypass OTP verification via a technique called ‘Man-in-the-Middle’. Through this technique, payment card data entered on a phishing website by a victim is manually or automatically inserted into the real website by the scammer to initiate a transaction. The victim subsequently enters the OTP onto the phishing page which might suggest that the alleged fee is instead transferred to the cybercriminals’ bank account.
«Starter pack» for phishers
Similar phishing templates are being utilized by domains impersonating the region’s postal and delivery services. Group-IB analysts were also able to identify phishing kits used in the campaign to target users in the Middle East mimicking
local postal brands. Phishing kits typically represent archive files containing a collection of scripts that ensure the functionality of a phishing website. Simply put, it is a toolset used to build phishing websites quickly.
Attackers utilize distinct phishing kits for specific brands. However, they all have certain similar characteristics, namely, the use of a script that validates the number of a banking card, so that the users do not enter invalid or non-existing cards. In addition, the scripts that process input data have unconventional naming patterns: jeddah.php, riyadh.php, dammam.php, etc – depending on the location of the brand that the phishing page is trying to mimic. This and the connections between the identified phishing domains suggest that the campaign targeting users in the Middle East is likely to have been orchestrated by the same group of cybercriminals.
Stop the fraudsters. Recommendations to avoid getting scammed
· Users are advised to stay vigilant when clicking on the links from emails or SMS, regardless of the sender. To avoid falling prey to such scams, users should only use official websites to track their packages, where they can also include the contact details of customer support teams. Usually, legitimate delivery companies do not send payment requests by SMS or via email.
· Shortened URLs and long chains of redirects are red flags. Do not click on such links and do not enter sensitive information unless you are 100% confident that the website you are dealing with is legitimate.
· Have a dedicated disposable virtual card with predetermined limits for safe online shopping so that, if it is compromised, the scammers will not be able to access your savings.
· Cybercriminals exploit the lack of adequate monitoring and blocking efforts to create fraudulent sites that abuse the names of legitimate brands. Against such complex threats, businesses must act swiftly. Early detection is essential to minimizing the digital risks to the affected brands and safeguarding potential victims. Effective monitoring and blockage should involve an automated machine-learning Digital Risk Protection system fueled by regular updates to its knowledge base about cybercriminals’ infrastructure, tactics, tools.
