Don't be duped by fake domains and other malicious tricks

Updated: Package delivery scams join list of holiday shopping cyber warnings

UPDATED 11 Dec 2020, with information about new package delivery scams and our December Threat Intelligence Brief.
The holiday season is upon us, which unfortunately brings a flurry of new scams to watch for. We've updated this post with new information.

Package delivery scams

The coronavirus pandemic has upended global delivery systems as countries around the world have shut their borders and companies have reduced their workforces. The problem has been compounded by the fact that millions are stuck at home with extra time, ordering hundreds of dollars' worth of goods. As we continue through the holiday season, we will see an increasing number of delivery scams.

Fake package delivery update emails, texts, and phone calls are a form of phishing being used to install malware and steal personal information. These delivery emails appear to come from the U.S. Postal Service, UPS, FedEx, or other delivery services. Clicking a link in one of these emails can install malicious software on your device.

Additionally, a new text/call message scam has been making its way around the country, trying to trick people into entering their credit card information by purporting that they have a package to claim. Many are beginning to receive messages with wording similar to this: "[Name], we came across a parcel from [a recent month] pending for you. Kindly claim ownership and confirm for delivery here," along with a link. This is a representative example of the scams circulating right now; the wording may vary slightly, but they follow this general format.

If you are unsure if a delivery notification is legitimate, do not click any links in the email or download any attachments. You can copy the tracking link and paste it into the delivery company’s website or refer back to the tracking information you received from the company you purchased from. 

How to identify fraudulent delivery notifications 

  • Hover your cursor over links in the email to see where they lead.

  • Legitimate delivery emails will never ask for personal information, financial information, or passwords through email.

  • Look for grammar and spelling errors.

Fraudulent URLs, blogging, and malicious software

Calls to be vigilant against email and online scams have sounded all year in response to heightened hacker activity during the COVID-19 months, and we don't want to silence the drumbeat. The scammers are out there, and they are waiting to pounce on the increased online shopping activity by using common techniques to steal your personal data or money.

How to identify fraudulent URLs 

Using behavioral analytics to spot out-of-the-ordinary activity, IronNet cyber analysts look for anomalous behaviors on networks to detect suspicious and malicious activity (such as fake website domain names) and act fast to stop it.

Our threat intelligence from the past few months can give you better insight into how easily hackers can launch phishing campaigns. We hope that knowing what’s been out there recently can help you protect yourself from fake websites, allowing you to enjoy the shopping season with confidence:

  • accessbny[.]com
    Deemed malicious, this is a phishing site imitating a Bank of New York login portal. The site appears to be targeting customers’ user credentials.
  • paypal-debit[.]com
    This suspicious domain is related to credit card skimming activity and could lead to the loss of personally identifiable information (PII).
  • bestbuystoreapple[.]com
    Although this site claims to sell Apple products, it has no association with Apple Inc. and is likely a scam website selling fake products. Open source threat intelligence tools also associate this domain with suspicious activity.
  • my-account-amazon[.]com
    This was a suspicious phishing page (now down), but be mindful of how egregiously fake sites try to mimic legitimate ones (often by changing a single letter or character).
  • Ecandles[.]xyz 
    This suspicious site appears to be an online shopping website, but it is unclear if the site is legitimate. The site collects personally identifiable information (PII). We have marked this activity as suspicious and recommend blocking the domain because there is little information indicating it is a legitimate merchant site.
  • kmart-com[.]com
    This suspicious domain appears to be a spam domain used for click revenue generation. 

Blogging safely this holiday season

Are you big on blogging about cooking, shopping wins, family traditions, or coping with COVID-19 during the holidays? It's worth noting that in recent months hackers have been targeting vulnerable WordPress sites. Many companies use WordPress as their preferred content management system, and it's a go-to for bloggers as well.

On October 24, 2020, one IronNet behavioral analytic alerted on the domain polobear[.]shop. IronNet's team investigated the domain in question and identified several tell-tale signs of a type of command and control (C2) system that was actively registering geographically identified IP addresses. Based on files hosted within the C2 domain, our further analysis revealed varied techniques of JavaScript and fictitious CSS file injection targeting vulnerable WordPress sites to compromise endpoints for potential PII harvesting.

Be aware of malicious software, too

We also routinely monitor research distributed by the wider cybersecurity community and ensure threat rules are created for documented indicators. For example, an instance of malicious software targeting Mac users was recently identified by cybersecurity researcher Patrick Wardle. In a blog post, Wardle described a piece of malware that appears to have been legitimately “notarized” by Apple.

Apple introduced the notarization process with the release of macOS Catalina in late 2019; it requires software developers to submit applications to Apple for review and approval prior to distribution. Such notarization allows applications to be trusted by the operating system. This incident calls into question the security of the notarization process itself. This particular payload was observed delivering the Shlayer malware, which in turn installs various macOS adware.

And, as always, think before you click! If you receive an email offer that sounds too good to be true, it probably is. Finally, beware of malicious texts. If you don’t know them, don’t click them. 

See our December Threat Intelligence Brief for the latest updates from IronNet or feel free to subscribe to our blog.

About IronNet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is revolutionizing how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing an extraordinarily high percentage of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today. Follow IronNet on Twitter and LinkedIn.