Group-IB, one of the global leaders in cybersecurity, has identified a wide-scale phishing campaign targeting users in the Middle East by impersonating well-known postal services from Bahrain, Egypt, Kuwait, Qatar, Saudi Arabia, Israel, Jordan, and the United Arab Emirates. Since as early as 2020, the Group-IB Computer Emergency Response Team (CERT-GIB) analysts have detected over 270 domains making use of regional delivery and postal service brands. All the domains were part of a single massive phishing infrastructure. In line with its mission of fighting cybercrime, upon discovery, CERT-GIB sent notifications to the relevant regional Computer Emergency Response Teams so they could take action as new resources appear.
The pandemic-driven explosive growth of online shopping created a perfect storm for threat actors, who found fertile ground for inventing new attack scenarios. Thereafter, phishing schemes exploiting the delivery topic became one of the highest ROI activities for fraudsters.
Globally, CERT-GIB identified more than 400 domains impersonating postal brands as part of this phishing campaign, with more than half of them (276) intended for users in the Middle East. Attackers have been spotted employing over 30 brands of postal services and related delivery organizations from over 20 countries worldwide to target their victims. In the Middle East specifically, scammers have impersonated over 13 different delivery brands, postal operators, and public companies from at least eight different countries, including Bahrain, Egypt, Israel, Jordan, Kuwait, Qatar, Saudi Arabia, and the United Arab Emirates.
Using its patented Network Graph Analysis tool, Group-IB researchers were able to unveil the links between the infrastructures used for attacks in the Middle East:
These domains are short-lived by design, to complicate detection, and new websites are regularly created to replace them. According to Group-IB, the latest resource impersonating a Middle Eastern postal brand appeared on July 14, 2022.
In line with the responsible disclosure protocol, Group-IB always does its best to mitigate these threats. In this case, CERT-GIB alerted the regional Computer Emergency Response Teams to the active phishing domains and continues to monitor the infrastructure for the appearance of new malicious resources exploiting the delivery theme.
How the scheme works
Customers awaiting an order may receive an email or an SMS purporting to come from the national postal service and requesting payment for a delivery or customs clearance fee. Following the link in the message, customers are redirected to a phishing page that requests their bank card details in order to process the payment. As soon as the customer submits the form, the sum of the "fee" is deducted from their bank account and transferred to the cybercriminals, who also keep the submitted bank card details.
Additionally, these phishing templates are thoroughly localized: a user in the UAE would see their local postal brand and currency. For instance, on the screengrab of the phishing page below, the victim is asked to transfer AED 12.23 (about $3.2). The cybercriminals, however, would most likely attempt to charge a much larger amount to the card once they have its details.
In addition to these scams being highly targeted, cybercriminals have also been bypassing OTP verification with a "Man-in-the-Middle" technique. The payment card data entered on the phishing website by the victim is manually or automatically inserted into the real payment website by the scammer to initiate a transaction. The bank then sends the victim a one-time password, which the victim enters on the phishing page; the scammer relays it to the real website, so the alleged fee is instead transferred to the cybercriminals' bank account.
"Starter pack" for phishers
Similar phishing templates are used by the domains impersonating the region's postal and delivery services. Group-IB analysts were also able to identify the phishing kits used in the campaign to target users in the Middle East by mimicking local postal brands. Phishing kits are typically archive files containing a collection of scripts that provide the functionality of a phishing website. Simply put, a kit is a toolset used to build phishing websites quickly.
Attackers use distinct phishing kits for specific brands. However, they all share certain characteristics, namely the use of a script that validates bank card numbers so that users cannot submit invalid or non-existent cards. In addition, the scripts that process the submitted data follow an unconventional naming pattern: jeddah.php, riyadh.php, dammam.php, etc — depending on the location of the brand that the phishing page is trying to mimic. This, together with the connections between the identified phishing domains, suggests that the campaign targeting users in the Middle East was likely orchestrated by the same group of cybercriminals.
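The two kit traits described above (a client-side card-number validation script and server-side handlers named after cities in the impersonated brand's country) are useful triage indicators for an analyst who receives a suspected kit. The following script is an added example written for this article, not Group-IB's tooling; it runs over a constructed in-memory listing of a kit (real kits arrive as archives and would be read with zipfile), and the city list beyond the three names on the page, the regular expressions, and all file contents are assumptions.

```python
"""Triage a suspected phishing kit for the traits described in the text.

Added example (not Group-IB code). Input: a mapping of file path -> file
content. Output: which files look like city-named server-side handlers,
which files carry card-number (Luhn/mod-10) validation logic, and which
card-data form fields the pages collect.
"""
import re
from dataclasses import dataclass, field

# Handler names observed on the page (jeddah/riyadh/dammam); the other
# cities are an assumption and should be adjusted per impersonated brand.
CITY_HANDLER_RE = re.compile(r"^(jeddah|riyadh|dammam|mecca|medina)\.php$", re.I)

# Rough signatures of a Luhn (mod-10) check in JS/PHP/HTML sources.
LUHN_HINTS = (
    re.compile(r"\bluhn", re.I),            # function or variable named after the algorithm
    re.compile(r"%\s*10\s*={2,3}\s*0"),     # "... % 10 == 0" or "=== 0"
)

# Form field names commonly used for card data (heuristic, assumption).
CARD_FIELD_RE = re.compile(
    r'name="((?:card[_-]?number|cc[_-]?num(?:ber)?|pan|cvv|cvc))"', re.I
)

SOURCE_SUFFIXES = (".js", ".php", ".html", ".htm")


@dataclass
class KitReport:
    city_handlers: list = field(default_factory=list)
    card_validation_files: list = field(default_factory=list)
    card_fields: list = field(default_factory=list)

    @property
    def matches_campaign_profile(self) -> bool:
        """Both traits present: city-named handler plus card validation."""
        return bool(self.city_handlers) and bool(self.card_validation_files)


def triage_kit(files: dict) -> KitReport:
    """Scan every file in the kit listing and collect the indicators."""
    report = KitReport()
    for path, content in files.items():
        base = path.rsplit("/", 1)[-1]
        if CITY_HANDLER_RE.match(base):
            report.city_handlers.append(path)
        if path.lower().endswith(SOURCE_SUFFIXES) and any(
            hint.search(content) for hint in LUHN_HINTS
        ):
            report.card_validation_files.append(path)
        report.card_fields.extend(m.group(1) for m in CARD_FIELD_RE.finditer(content))
    return report


# Constructed sample kit listing; the handler bodies are placeholders.
SAMPLE_KIT = {
    "index.html": (
        '<form action="riyadh.php" method="post">'
        '<input name="cardnumber"><input name="cvv"><input name="exp"></form>'
        '<script src="js/validate.js"></script>'
    ),
    "js/validate.js": (
        "function luhnOk(n){var s=0,d=false;for(var i=n.length-1;i>=0;i--){"
        "var c=parseInt(n[i]);if(d){c*=2;if(c>9)c-=9;}s+=c;d=!d;}return s%10==0;}"
    ),
    "riyadh.php": "<?php // constructed placeholder for the data-processing handler ?>",
    "jeddah.php": "<?php // constructed placeholder for a second-step handler ?>",
    "assets/logo.png": "",
}

if __name__ == "__main__":
    r = triage_kit(SAMPLE_KIT)
    print("city-named handlers :", r.city_handlers)
    print("card validation in  :", r.card_validation_files)
    print("card fields collected:", r.card_fields)
    print("matches campaign profile:", r.matches_campaign_profile)
```

The report is meant as a starting point for clustering kits: the same two traits across otherwise different archives support the article's conclusion that one group is behind the campaign, and the handler names give an analyst a quick pivot when comparing new samples.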
Stop the fraudsters. Recommendations to avoid getting scammed
- Users are advised to stay vigilant when clicking on links in emails or SMS messages, regardless of the sender. To avoid falling prey to such scams, users should only use official websites to track their packages; those websites also list the contact details of the customer support teams. Legitimate delivery companies usually do not send payment requests by SMS or email.
- Shortened URLs and long chains of redirects are red flags. Do not click on such links and do not enter sensitive information unless you are 100% confident that the website you are dealing with is legitimate.
- Have a dedicated disposable virtual card with predetermined limits for safe online shopping so that, if it is compromised, the scammers will not be able to access your savings.
- Cybercriminals exploit the lack of adequate monitoring and blocking efforts to create fraudulent sites that abuse the names of legitimate brands. Against such complex threats, businesses must act swiftly. Early detection is essential to minimizing the digital risks to the affected brands and safeguarding potential victims. Effective monitoring and blocking should involve an automated, machine-learning-driven Digital Risk Protection system fueled by regular updates to its knowledge base of cybercriminals' infrastructure, tactics, and tools.
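The monitoring recommended in the last point, together with the short-lived domains described earlier and the shortened-URL red flag above, can be approximated with a simple scoring pass over a feed of newly observed domains. The script below is an added example written for this article, not Group-IB's Digital Risk Protection product: the feed records are constructed, the official-domain allowlist holds placeholder names (not the operators' real hostnames), the keyword lists and weights are assumptions, and the public URL shortener names are real services used only as examples.

```python
"""Score newly observed domains for postal-brand impersonation.

Added example (not Group-IB code). Each feed record is (hostname,
first_seen date), as could be obtained from certificate-transparency logs
or passive DNS. Domains that combine a delivery keyword, a regional
keyword and a recent first-seen date are flagged for review.
"""
from datetime import date

# Heuristic keyword lists (assumptions; tune per region and brand).
POSTAL_TOKENS = ("post", "posta", "delivery", "parcel", "shipping",
                 "shipment", "customs", "courier")
REGION_TOKENS = ("uae", "emirates", "dubai", "saudi", "ksa", "qatar",
                 "kuwait", "bahrain", "egypt", "jordan", "israel")

# Placeholder allowlist: replace with the operators' real domains.
OFFICIAL_DOMAINS = {"emiratespost.example", "saudipost.example", "qatarpost.example"}

# Real public URL shorteners; their destination is unknown until followed.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly", "is.gd"}

RECENT_DAYS = 30      # "short-lived by design": weight recently seen names
THRESHOLD = 4         # minimum score to flag for analyst review


def is_official(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def score_domain(host: str, first_seen: date, today: date):
    """Return (score, reasons) for one hostname."""
    h = host.lower().rstrip(".")
    if is_official(h):
        return 0, ["allowlisted official domain"]
    if h in SHORTENERS:
        return 3, ["public URL shortener: destination unknown until followed"]
    score, reasons = 0, []
    if any(t in h for t in POSTAL_TOKENS):
        score += 2
        reasons.append("postal/delivery keyword in hostname")
    if any(t in h for t in REGION_TOKENS):
        score += 2
        reasons.append("regional keyword in hostname")
    if (today - first_seen).days <= RECENT_DAYS:
        score += 1
        reasons.append(f"first seen within {RECENT_DAYS} days")
    if h.count("-") >= 2:
        score += 1
        reasons.append("multiple hyphens (typical of brand lookalikes)")
    return score, reasons


def triage_feed(feed, today: date, threshold: int = THRESHOLD):
    """Return [(host, score, reasons)] for every record at or above threshold."""
    flagged = []
    for host, first_seen in feed:
        score, reasons = score_domain(host, first_seen, today)
        if score >= threshold:
            flagged.append((host, score, reasons))
    return flagged


# Constructed sample feed; the lookalike names are invented for this example.
TODAY = date(2022, 7, 15)
SAMPLE_FEED = [
    ("emiratespost.example", date(2015, 1, 1)),            # placeholder official domain
    ("emirates-post-delivery-fee.com", date(2022, 7, 14)),  # constructed lookalike
    ("saudi-customs-parcel.net", date(2022, 7, 1)),         # constructed lookalike
    ("cutt.ly", date(2012, 1, 1)),                          # shortener
    ("weather-report.org", date(2010, 5, 5)),               # unrelated domain
]

if __name__ == "__main__":
    for host, score, reasons in triage_feed(SAMPLE_FEED, TODAY):
        print(f"{host}: score {score}; " + "; ".join(reasons))
```

Flagged names are candidates for an analyst to confirm (content check, screenshot, brand-owner notification), not verdicts; the point of weighting the first-seen date is that a campaign which rotates domains every few days keeps producing fresh, high-scoring records, so this check is worth running continuously rather than once.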