{"id":35125,"date":"2020-04-27T10:29:14","date_gmt":"2020-04-27T14:29:14","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=35125"},"modified":"2020-04-27T10:29:14","modified_gmt":"2020-04-27T14:29:14","slug":"covid-fake-delivery-service-spam-phishing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/covid-fake-delivery-service-spam-phishing\/35125\/","title":{"rendered":"Fake deliveries in an age of lockdown"},"content":{"rendered":"

It would be hard to find a sphere of human activity untouched by the coronavirus pandemic, and express delivery services are no exception. Transport flows between countries have been disrupted, and there is a shortage<\/a> of cargo planes as people and companies continue to order goods both domestically and from abroad. Demand for some items has even shot up<\/a>.<\/p>\n

The spikes in demand are causing in-transit times to stretch out. As a result, customers are getting used to receiving apologetic messages from couriers linking to updated shipping status. Recently, we have observed a number of fake sites and e-mails supposedly from delivery services exploiting the coronavirus topic. Fraudsters are using both tried-and-true ploys<\/a> and new schemes.<\/p>\n

Spam with malicious attachments<\/h2>\n

Spammers may pose as delivery service employees to persuade victims to open malicious e-mail attachments. The classic trick is to say that to receive a package that\u2019s come in, the recipient must first read or confirm the information in an attached file.<\/p>\n

For example, a fake delivery notification e-mail in broken English says that a parcel cannot be delivered because of the pandemic, so the recipient needs to come to the warehouse and pick it up in person.<\/p>\n

The warehouse address and other details are, of course, said to be in the attachment \u2014 which, if opened, installs a Remcos backdoor on the computer. Cybercriminals can then make the PC join a botnet, or they might steal data or install other malware.<\/p>\n

\"Fake<\/a>

Fake delivery notification<\/p><\/div>\n

The authors of another fake delivery e-mail use a similar trick, alleging that the company was unable to deliver the package because of a labeling error. The victim is asked to confirm the information in the attachment, which in fact contains another member of the Remcos family.<\/p>\n

\"These<\/a>

These crooks are pretending to be from a certain express delivery company, but the address gives them away<\/p><\/div>\n

Sometimes spammers insert images of documents in a message to add credibility. In the example below, scammers added a small image to the e-mail text. It appeared to be a receipt, but it was too small to read and did not change size when clicked, prompting the recipient to open the malicious attachment, whose name contains \u201c.jpg.\u201d<\/p>\n

If the recipient\u2019s e-mail client does not display the file\u2019s real extension, they might mistake such an attachment for the image. It\u2019s actually an executable ACE archive containing the spyware program Noon.<\/p>\n

To rush the victim, the cybercriminals say they need the missing information urgently so as to deliver the parcel before lockdown.<\/p>\n

\"Fake<\/a>

Fake delivery service e-mail containing an archive with a double extension<\/p><\/div>\n

Another malicious e-mail topic that\u2019s not new but is especially relevant in the current climate is delivery delays. The scenario is highly plausible: The scammers point the victim to an attachment that contains the Bsymem Trojan, which if executed enables the attackers to take control of the device and steal data. The bottom of the message includes a statement that it was scanned by a mail security solution and found to contain no malicious files or links, a claim designed to lull the recipient into a false sense of security.<\/p>\n

\"Fake<\/a>

Fake notification about a delivery delay due to COVID-19<\/p><\/div>\n

Many spammers simply insert a mention of COVID-19 into their usual mailing templates, but some focus specifically on quarantines and the rapid spread of the pandemic.<\/p>\n

For example, in one story, the government had banned the import of any kind of goods into the country, so the package was returned to the sender.<\/p>\n

\"Fraudsters<\/a>

Fraudsters claim that the government has banned the import of goods into the country<\/p><\/div>\n

The attachment supposedly contains an order tracking number to request a reshipment after virus-related health restrictions subside. Opening the file, however, risks installing the Androm backdoor, which gives the attackers remote access to the computer.<\/p>\n\n

Phishing<\/h2>\n

Scammers specializing in phishing attacks are also taking advantage of delivery market chaos. We detected highly believable copies of legitimate websites as well as fake tracking pages. All of them, of course, made mention of the coronavirus.<\/p>\n

For example, phishers targeting accounts of a delivery service customers replicated the company\u2019s official homepage in detail, including the latest news about the pandemic.<\/p>\n

\"Official<\/a>

Official website (left) and phishing resource made to look like this website (right)<\/p><\/div>\n

No less detailed is this clone of another delivery service website, which also mentions the latest coronavirus news.<\/p>\n

\"Phishing<\/a>

Phishing resource made to look like another delivery service website<\/p><\/div>\n

The authors of this fake portal for tracking packages added COVID-19 to the copyright line. There is little other information on the page: a form for entering credentials and a list of \u201cpartner\u201d e-mail services. Needless to say, entering credentials on this resource sends them to the scammers, and the fate of the package will remain unknown.<\/p>\n

\"Fake<\/a>

Fake package tracking page<\/p><\/div>\n

How not to swallow the bait<\/h2>\n

Against the backdrop of the pandemic and the large number of genuine package delays, fake sites and e-mails have a good chance of success \u2014 especially if you really are expecting a package, or if, say, shipment details were sent to your work e-mail and you have reason to think that a colleague might have placed the order. To avoid getting hooked:<\/p>\n