Summary
Netskope Threat Labs is tracking a phishing campaign that mimics a FedEx package delivery notification as bait to steal credit card data. This kind of social engineering is common in phishing pages, emails, and other scams: a false sense of urgency is created to push the victim into taking an action that ends in personal data theft.
This specific campaign is noteworthy because it abuses two cloud services throughout the attack. TrustedForm, a digital certificate service provided by ActiveProspect, is abused to track victims and collect information about them, and PAAY 3DS, a cloud-based platform that authenticates payment transactions, is abused to validate the credit card details collected from the victims.
Cybersecurity awareness training, specifically educating users to be wary of fake shipment notifications, is an effective defense against these types of phishing attacks. Netskope customers also receive protection from the threats discussed in this blog through the Next Generation Secure Web Gateway (SWG).
First Stage – Deception
The attack starts when the victim receives an email or text message that creates a false sense of urgency to grab their attention. The specific lure used here, a fake shipping notification, is itself a well-worn scammer technique.
Step 1 – Once the victim reaches the page via the phishing email or SMS, they are instructed to click “Confirm” to view a message from “Express.” The page has “FedEx” in its title and uses the company’s colors to deceive the user. The page also asks the user to allow push notifications in the browser; that permission lets the attacker push malicious ads to the victim even after they leave the page, as we will demonstrate later in this analysis.
Step 2 – The victim is informed that delivery of a package has been suspended, and that they need to schedule delivery and should enable push notifications to avoid future issues.
Step 3 – Then, the victim is informed that they need to pay a $1.95 customs fee. The customs fee is just a pretext for collecting the victim’s personal and credit card data in the next stage of the attack.
Behind the scenes, as soon as the first page loads it requests a JSON configuration that drives the rest of the attack. The JSON contains the questions shown to the victim, the form fields to collect, and the second-stage URLs, all of which are used in the following steps. Because this content is fetched rather than hard-coded, the same page can be repurposed for another brand or another set of second-stage hosts by changing only the JSON, which is what makes the kit customizable.
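As an added example (not code from the original post, and not the kit’s own code), here is a small Python triage helper of the sort an analyst would write to pull indicators out of such a fetched configuration: it walks an arbitrary JSON tree, extracts every URL and hostname, and flags form fields whose names suggest payment data. The key names (“questions”, “fields”, “steps”, “notify”) and the sample config itself are constructed assumptions; the real kit’s JSON layout is not shown on this page, so the walker is written to be independent of it.

```python
"""
Triage helper for a dynamically fetched phishing configuration.
Added example for this write-up; the JSON layout below is an assumption,
and every URL in the sample uses reserved example domains.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed sample resembling the kind of config described above:
# questions for the victim, form fields to collect, and second-stage URLs.
SAMPLE_CONFIG = json.dumps({
    "title": "FedEx",
    "questions": [
        {"text": "Delivery of your package has been suspended.", "button": "Schedule delivery"},
        {"text": "A customs fee of $1.95 is required.", "button": "Confirm"},
    ],
    "fields": [
        {"name": "fullname", "label": "Full name"},
        {"name": "address", "label": "Address"},
        {"name": "ccnum", "label": "Card number"},
        {"name": "cvv", "label": "CVV"},
    ],
    "steps": {
        "checkout": "https://checkout.example.com/pay?ref=fedex",
        "redirect": "https://ads.example.net/sub?campaign=1",
    },
    "notify": {"enabled": True, "endpoint": "//push.example.org/sw.js"},
})

# Matches absolute http(s) URLs and protocol-relative ("//host/path") URLs.
URL_RE = re.compile(r"(?:https?:)?//[^\s\"'<>]+")

# Coarse substrings that hint at payment or credential fields. This is a
# heuristic for triage, not a classifier; expect some false positives.
SENSITIVE = ("card", "cc", "cvv", "cvc", "exp", "ssn", "pass", "pin")


def walk(obj, path=""):
    """Yield (json_path, leaf_value) for every scalar in a parsed JSON tree,
    regardless of how the kit happens to nest its config."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def extract_urls(config_text):
    """Return a sorted, de-duplicated list of every URL-looking string found
    anywhere in the config (second-stage pages, trackers, service workers)."""
    found = set()
    for _, value in walk(json.loads(config_text)):
        if isinstance(value, str):
            found.update(m.group(0) for m in URL_RE.finditer(value))
    return sorted(found)


def extract_hosts(config_text):
    """Hostnames from extract_urls(); protocol-relative URLs are assumed https
    so that urlsplit() can parse them."""
    hosts = set()
    for url in extract_urls(config_text):
        if url.startswith("//"):
            url = "https:" + url
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


def sensitive_fields(config_text):
    """Names of form fields (any leaf whose path ends in '.name') that look
    like they collect payment or credential data."""
    names = []
    for path, value in walk(json.loads(config_text)):
        if path.endswith(".name") and isinstance(value, str):
            if any(token in value.lower() for token in SENSITIVE):
                names.append(value)
    return names


if __name__ == "__main__":
    print("URLs:   ", extract_urls(SAMPLE_CONFIG))
    print("Hosts:  ", extract_hosts(SAMPLE_CONFIG))
    print("Fields: ", sensitive_fields(SAMPLE_CONFIG))
```

Run against a config captured from a live kit, the host list is what goes straight into a block list or a URL-filtering policy, while the flagged field names confirm that the form is collecting card data before any victim submission is observed. Walking the whole tree rather than reading fixed keys means the same script keeps working when the operators rename or re-nest the config.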