Delivery failed: users in the Middle East deceived by cybercriminals who mimic post services

Group-IB, one of the global leaders in cybersecurity, has identified a widescale phishing campaign targeting users in the Middle East by impersonating well-known postal services from Bahrain, Egypt, Kuwait, Qatar, Saudi Arabia, Israel, Jordan, and the United Arab Emirates. Since as early as 2020, the Group-IB Computer Emergency Response Team (CERT-GIB) analysts have detected over 270 domains making use of the regional delivery and postal service brands. All the domains were part of a single massive phishing infrastructure. Upon discovery, and in line with its mission of fighting cybercrime, CERT-GIB notified the relevant regional Computer Emergency Response Teams so they could take action when new resources appear.

Perfect Storm

The pandemic-driven explosive growth of online shopping created a perfect storm for threat actors, who found fertile ground for inventing new attack scenarios. Thereafter, phishing schemes exploiting the delivery topic became one of the highest ROI activities for fraudsters.

Globally, CERT-GIB identified more than 400 domains impersonating postal brands as part of this phishing campaign, with more than half of them (276) intended for users in the Middle East. Attackers have been spotted employing over 30 brands of post services and related delivery organizations from over 20 countries worldwide to target their victims. In the Middle East specifically, scammers have impersonated over 13 different delivery brands, postal operators, and public companies from at least eight different countries, including Bahrain, Egypt, Israel, Jordan, Kuwait, Qatar, Saudi Arabia, and the United Arab Emirates.

Using its patented Network Graph Analysis tool, Group-IB researchers were able to unveil the links between the infrastructure used for attacks in the Middle East.

These domains are short-lived by design, which complicates detection; new websites are regularly created to replace them. According to Group-IB, the latest resource impersonating a Middle Eastern postal brand appeared on July 14, 2022.

In line with the responsible disclosure protocol, Group-IB always does its best to mitigate these threats. In this case, CERT-GIB alerted the regional Computer Emergency Response teams of the active phishing domains and continues to monitor the infrastructure for the appearance of new malicious resources exploiting the delivery theme.

How the scheme works

Customers awaiting an order may receive an email or an SMS purporting to come from the national postal service and requesting payment for a delivery or customs clearance fee. Following the link from the message, customers are redirected to a phishing page that requests their bank card details in order to process the payment. As soon as the customer submits the form, the sum of the “fee” is deducted from their bank account and transferred to the cybercriminals, who also keep the bank card details.

Additionally, these phishing templates are thoroughly localized: a user in the UAE would see their local postal brand and currency. For instance, on the screengrab of the phishing page below, the victim is required to transfer AED 12.23 (about $3.2), although the cybercriminals would most likely attempt to pocket a bigger amount.

In addition to these scams being highly targeted, cybercriminals have also been using a method to bypass OTP verification via a technique called ‘Man-in-the-Middle’. Through this technique, payment card data entered on a phishing website by a victim is manually or automatically inserted into the real website by the scammer to initiate a transaction. The victim then receives a genuine OTP from their bank and enters it on the phishing page; the scammer uses it to confirm the transaction, so the alleged fee is instead transferred to the cybercriminals’ bank account.

“Starter pack” for phishers

Similar phishing templates are being utilized by domains impersonating the region’s postal and delivery services. Group-IB analysts were also able to identify phishing kits used in the campaign to target users in the Middle East by mimicking local postal brands. Phishing kits are typically archive files containing a collection of scripts that implement the functionality of a phishing website. Simply put, a kit is a toolset used to build phishing websites quickly.

Attackers utilize distinct phishing kits for specific brands. However, they all share certain characteristics, namely the use of a script that validates the banking card number, so that users do not enter invalid or non-existent cards. In addition, the scripts that process input data have unconventional naming patterns: jeddah.php, riyadh.php, dammam.php, etc., depending on the location of the brand that the phishing page is trying to mimic. This, together with the connections between the identified phishing domains, suggests that the campaign targeting users in the Middle East is likely to have been orchestrated by the same group of cybercriminals.
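The two kit traits described above (a client-side card-number validator and city-named processing scripts) are exactly what a CERT analyst looks for when triaging an unpacked kit recovered from a takedown. The helper below is an added example, not Group-IB's tooling: it scans the files of an extracted archive, represented as a path-to-content mapping, and reports which traits are present. The kit contents are constructed for illustration; only the script names jeddah.php, riyadh.php and dammam.php come from the report, and the assumption that the validator is a Luhn checksum (mod-10 loop or a 13-to-19-digit pattern) is this example's, not the report's.

```python
"""Triage an unpacked phishing kit for the traits reported above.

Added example, not Group-IB's tooling. The sample kit is constructed; the
city-named scripts come from the report, the Luhn heuristic is an assumption.
"""
import re
from dataclasses import dataclass, field

# Processing-script names the report associates with the kits
CITY_SCRIPT_RE = re.compile(r"^(jeddah|riyadh|dammam)\.php$", re.I)

# Heuristics for a client-side card validator (assumption: Luhn checksum or
# an explicit PAN length check such as /^\d{13,19}$/ in JavaScript)
LUHN_HINTS = (
    re.compile(r"\bluhn\b", re.I),
    re.compile(r"%\s*10\s*==\s*0"),
    re.compile(r"\\d\{1[3-9](,19)?\}"),
)

# Form fields that collect payment card data
CARD_FIELD_RE = re.compile(
    r"name=[\"'](card(_?number|no)?|pan|cvv|cvc|exp(iry|_month|_year)?)[\"']", re.I
)


@dataclass
class KitReport:
    city_scripts: list = field(default_factory=list)
    validators: list = field(default_factory=list)
    card_forms: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A card-harvesting form plus either kit trait is a strong match
        return bool(self.card_forms) and bool(self.city_scripts or self.validators)


def triage_kit(files: dict) -> KitReport:
    """files maps a relative path inside the archive to its text content."""
    report = KitReport()
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        if CITY_SCRIPT_RE.match(name):
            report.city_scripts.append(path)
        if any(pattern.search(content) for pattern in LUHN_HINTS):
            report.validators.append(path)
        if CARD_FIELD_RE.search(content):
            report.card_forms.append(path)
    return report


# Constructed sample kit modelled on the traits in the report
SAMPLE_KIT = {
    "index.html": '<form action="riyadh.php" method="post">'
                  '<input name="card_number"><input name="cvv">'
                  '<input name="expiry"></form>',
    "js/validate.js": "function luhn(n){var s=0; /* ... */ return s % 10 == 0;}",
    "riyadh.php": "<?php $card = $_POST['card_number']; ?>",
    "css/style.css": "body { margin: 0; }",
}

if __name__ == "__main__":
    result = triage_kit(SAMPLE_KIT)
    print("suspicious:", result.suspicious)
    print("city scripts:", result.city_scripts)
    print("validators:", result.validators)
    print("card forms:", result.card_forms)
```

The three lists are kept separate so an analyst can see which trait fired; a single boolean hides whether a kit merely reuses a generic card form or also carries the campaign-specific script names that link it to this infrastructure.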

Stop the fraudsters. Recommendations to avoid getting scammed

  • Users are advised to stay vigilant when clicking on links from emails or SMS, regardless of the sender. To avoid falling prey to such scams, users should only use official websites to track their packages; these sites also list the contact details of customer support teams. Legitimate delivery companies usually do not send payment requests by SMS or email.
  • Shortened URLs and long chains of redirects are red flags. Do not click on such links and do not enter sensitive information unless you are 100% confident that the website you are dealing with is legitimate.
  • Have a dedicated disposable virtual card with predetermined limits for safe online shopping so that, if it is compromised, the scammers will not be able to access your savings.
  • Cybercriminals exploit the lack of adequate monitoring and blocking efforts to create fraudulent sites that abuse the names of legitimate brands. Against such complex threats, businesses must act swiftly. Early detection is essential to minimizing the digital risks to the affected brands and safeguarding potential victims. Effective monitoring and blocking should involve an automated machine-learning Digital Risk Protection system fueled by regular updates to its knowledge base about cybercriminals’ infrastructure, tactics, and tools.
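The red flags listed above (a payment request arriving by SMS or email, a shortened URL, and a brand name sitting on a domain the operator does not own, as in the 270-plus domains described earlier) can be turned into a simple message-triage rule. The script below is an added example and is not Group-IB's tooling or its Network Graph Analysis tool; it extracts URLs from a message, checks whether any brand token appears on a non-official registrable domain, flags shortener hosts and payment-themed wording, and returns a score with the reasons. The brand tokens, official-domain allowlist, shortener list, ccTLD suffix set and sample messages are all constructed for illustration.

```python
"""Triage delivery-themed SMS/e-mail text for the red flags listed above.

Added example, not Group-IB's tooling. Brand tokens, the official-domain
allowlist, the shortener and suffix lists and the samples are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed: brand token -> the one registrable domain the operator really uses
OFFICIAL_DOMAINS = {
    "examplepost": "examplepost.example",
    "samplecourier": "samplecourier.example",
}
# Words typical of the lure: a payment request for delivery or customs fees
PAYMENT_WORDS = ("fee", "customs", "clearance", "pay", "payment")
# Shortened URLs are a red flag; the list is illustrative, not exhaustive
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}
# Second-level public suffixes for the region (assumption; a real tool would
# consult the full Public Suffix List)
TWO_LEVEL_SUFFIXES = {"com.sa", "com.eg", "com.bh", "com.kw", "com.qa", "com.jo", "co.il"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Return the registrable part of a host (e.g. track.brand.com.sa -> brand.com.sa)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def score_url(url: str) -> tuple[int, list[str]]:
    """Score one URL; a higher score means more indicators of a fake delivery page."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    score, reasons = 0, []
    if reg in SHORTENERS:
        score += 2
        reasons.append(f"shortened URL ({reg})")
    # A brand name anywhere in the host while the registrable domain is not
    # the operator's own is the impersonation pattern described in the report
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in host.replace("-", "") and reg != official:
            score += 3
            reasons.append(f"brand '{brand}' used on non-official domain {reg}")
    target = (parsed.path + "?" + parsed.query).lower()
    if any(word in target for word in PAYMENT_WORDS):
        score += 1
        reasons.append("payment-themed path")
    return score, reasons


def triage_message(text: str) -> dict:
    """Combine per-URL scores with the message-level lure (a payment request)."""
    score, reasons = 0, []
    for url in URL_RE.findall(text):
        url_score, url_reasons = score_url(url)
        score += url_score
        reasons.extend(url_reasons)
    if any(word in text.lower() for word in PAYMENT_WORDS):
        score += 1
        reasons.append("message requests a payment")
    verdict = "likely phishing" if score >= 3 else "suspicious" if score else "no indicators"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages modelled on the scheme described in the report
SAMPLES = [
    "ExamplePost: your parcel is held at customs. Pay the AED 12.23 clearance "
    "fee at https://examplepost-delivery.example.net/customs/pay",
    "SampleCourier: your order has shipped. Track it: https://bit.ly/3xmpl",
    "ExamplePost: parcel out for delivery. Track at "
    "https://www.examplepost.example/track/ABC123",
]

if __name__ == "__main__":
    for message in SAMPLES:
        result = triage_message(message)
        print(result["verdict"], result["score"], result["reasons"])
```

The registrable-domain step matters more than it looks: a brand as a subdomain of the operator's own domain is legitimate, while the same brand as the leftmost label of an unrelated domain, or on a look-alike under a different ccTLD, is the pattern the report describes, and comparing bare host strings would conflate the two.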

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in the Unified Risk Platform include Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.