Phishing Campaign Spoofed DHL Delivery Service
Fraudsters Attempted to Steal Credit Card Data

The security firm FireEye reports that a recently uncovered phishing campaign spoofed DHL's delivery service as a way to collect personal information, including credit card data, from victims.
The fraudsters used encrypted Telegram channels to transfer stolen data, according to FireEye's report. They also appeared to be using a custom font in the Web Open Font Format - WOFF - as a substitution cipher: the page source holds scrambled characters, and the font's glyph mapping turns them back into readable text only when the page is rendered, which helped the kit avoid detection by security tools. WOFF is an open W3C font-packaging format that is normally used for delivering webpage fonts on the fly.
The campaign, which mainly targeted victims in the Americas and Europe, started around the December 2020 holiday season when delivery services were in greater demand.
"While phishing attacks targeting users of shipping services is not new, the techniques used in these examples are more complex than what would be found in an off-the-shelf phishing kit," according to the FireEye report.
Spoofing DHL
The campaign started with a phishing email imitating DHL. The message noted that a package delivery was ready and encouraged the recipient to click on a link, which took the victim to a fake DHL domain, the report notes. The spoofed domain then asked for information, such as credit card details. If the victim entered that information, the fraudsters harvested the data.
The DHL phishing campaign used a rare technique for obfuscating its source page, according to the report.
"The page source contains proper strings, valid tags and appropriate formatting, but contains encoded text that would render gibberish without decoding prior to loading the page," the researchers note. "Typically, decoding such text is done by including script functions within the code. Yet in this case, the decoding functions are not contained in the script."
The decoding happens in the WOFF font file itself: the font is loaded through a CSS @font-face rule, and its glyph table maps each scrambled code point in the source to the glyph of the intended letter. The substitution is therefore applied by the browser's text rendering when the page loads, and nothing in the HTML or JavaScript reveals it. The researchers found that the hackers used this technique to evade detection by security vendors that scan page source rather than rendered output.
"Many security vendors use static or regex signature-based rules, so this method will break those naïve-based conditions," the researchers note. "Loading this custom font which decodes the text is done inside the Cascading Style Sheets. This technique is rare as JavaScript functions are traditionally used to encrypt and decrypt HTML text."
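The following example is added here to illustrate the evasion the researchers describe; it is not code from FireEye's report or from the phishing kit. It models the font's glyph mapping as a toy substitution table (a hypothetical keyboard-order permutation, not the campaign's real mapping), builds a constructed lure page whose source is scrambled but whose rendered text reads normally, and shows that a regex signature for "card number" misses the raw source yet matches once the font mapping is applied to the text nodes, which is the check a scanner needs to add.

```python
import re

# Constructed toy substitution: which glyph each code point in the page source
# actually displays. A real kit ships this mapping inside the WOFF file's
# glyph tables; here it is a plain dict so the example runs offline.
PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "qwertyuiopasdfghjklzxcvbnm"  # hypothetical permutation, not FireEye's

# What the browser does with the custom font: source code point -> glyph shown.
FONT_CMAP = {c: p for c, p in zip(CIPHER, PLAIN)}
FONT_CMAP.update({c.upper(): p.upper() for c, p in zip(CIPHER, PLAIN)})

# What the kit author does before writing the HTML: intended letter -> source code point.
ENCODE = {p: c for c, p in FONT_CMAP.items()}


def obfuscate(text):
    """Replace each letter with the code point the custom font will render as it.
    Digits, spaces and punctuation are left alone, so the markup stays valid."""
    return "".join(ENCODE.get(ch, ch) for ch in text)


def render(source_text):
    """Simulate the browser drawing source text with the custom font applied."""
    return "".join(FONT_CMAP.get(ch, ch) for ch in source_text)


def phishing_page(label):
    """Constructed stand-in for the lure page: a @font-face rule, valid tags,
    and a form label whose source text is scrambled."""
    return (
        "<style>@font-face{font-family:x;src:url(x.woff)}label{font-family:x}</style>\n"
        f'<label for="cc">{obfuscate(label)}</label><input id="cc" name="cc">'
    )


# Split markup into tags (and whole <style> blocks) versus text nodes; only text
# nodes are drawn with the font, so only they get the mapping applied.
TAG_OR_TEXT = re.compile(r"(<style>.*?</style>|<[^>]*>)", re.S)


def deobfuscate_html(html):
    """Apply the font mapping to text nodes only; tags and CSS stay intact."""
    parts = TAG_OR_TEXT.split(html)
    return "".join(part if part.startswith("<") else render(part) for part in parts)


# A naive static signature of the kind the researchers say this technique breaks.
SIGNATURE = re.compile(r"card\s+number", re.I)


def signature_hits(html):
    """True if the regex signature matches the given page text."""
    return SIGNATURE.search(html) is not None


if __name__ == "__main__":
    page = phishing_page("Enter your card number")
    print("raw source hit:     ", signature_hits(page))
    print("after font mapping: ", signature_hits(deobfuscate_html(page)))
    print(deobfuscate_html(page))
```

The practical takeaway for detection is the last two functions: a scanner that only greps the HTML sees "Tfztk ngxk eqkr fxdwtk" and moves on, while one that notices a @font-face rule, extracts the font's glyph mapping and re-applies it to the text nodes recovers the lure text. With a real page the mapping comes from parsing the WOFF file (for example with fontTools) rather than from a hard-coded table.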
The fraudsters also used encrypted Telegram channels to transfer the stolen data from the phishing domain to their command-and-control infrastructure. The researchers were able to access one of these channels and observe the flow of harvested data moving from the domain to the fraudsters collecting it.
In September 2020, Malwarebytes reported that some fraudsters were also using Telegram as an easy way to steal payment card data from e-commerce sites (see: Fraudsters Use Telegram App to Steal Payment Card Data).
Sign of Worse Things to Come?
"My usual concern about attacks that involve new [detection evasion] techniques is that they are often a test of worse things to come, even if the vendor market changes how it identifies these attacks to block them," says Sarb Sembhi, CTO and CISO at U.K. consultancy Virtually Informed Limited. "The concern is that, if there are several million people who are prepared to run any range of outdated operating systems, the chances of them having spent any money on a product that may block this type of product is going to be much lower."
Recently, the security firm Proofpoint found several phishing campaigns - including some spoofing DHL - using lures about COVID-19 vaccines as a way to entice victims to open up messages and click on malicious links (see: COVID-19 Vaccine Themes Persist in Fraud Schemes).