
Phishing Alert! XSS Vulnerability in UPS.com Distributes Malicious Invoice

An XSS vulnerability in UPS.com allows threat actors to distribute a malicious invoice-like document that appears to be directly downloaded from the UPS website.


Phishing is one of the most popular social engineering techniques cybercriminals use to distribute malware and steal personal information. As per recent reports, fraudsters have been leveraging an XSS vulnerability in UPS.com to circulate fake UPS Invoice MS Word documents. United Parcel Service (UPS) is a large American multinational shipping, receiving and supply chain management company.

Security researcher Daniel Gallagher shared in a tweet: “Just saw one of the best phishing emails I have seen in a long time.”

The malicious UPS Invoice looks like a genuine communication hinting that a package needs to be picked up by the customer. With the COVID uncertainty and distributed workforce scenario, we all receive couriers and packages from various sources, and UPS, being a well-known service provider, would not invite much scrutiny or suspicion.

The fake document's elements and links closely resemble those of a genuine invoice, and most of them perform no malicious action. The tracking number, however, links to the UPS website, where the JavaScript XSS exploit resides.

What is XSS?

Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
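To make the definition concrete, here is an added example (not code from the article, from UPS, or from the attack described) of a reflected XSS bug in a "track package" page and its hardened form. A server-side render function echoes a tracking number taken from the query string into HTML; the vulnerable version interpolates it raw, while the hardened version validates it against an allow-list and HTML-escapes whatever it echoes back. The sample inputs and the tracking-number format used by the allow-list are constructed for illustration and are not the real UPS tracking-number grammar.

```javascript
// Added example (not from the article or from UPS): a minimal reflected-XSS
// demonstration. A "track package" page echoes the tracking number from the
// query string into HTML. The vulnerable version interpolates it raw; the
// hardened version validates it against an allow-list and HTML-escapes it.

// Constructed sample inputs (not real data).
const BENIGN_INPUT = "1Z999AA10123456784";             // plausible-looking tracking number
const HOSTILE_INPUT = '1Z"><script>alert(1)</script>'; // textbook XSS probe, used only as test input

// Vulnerable: untrusted input is written straight into the page, so any
// markup it contains becomes markup in the victim's browser.
function renderTrackingPageVulnerable(trackingNumber) {
  return `<h1>Tracking details for ${trackingNumber}</h1>`;
}

// Escape the five characters that carry meaning in HTML text and attribute
// contexts. This is output encoding for an HTML body context only; values
// placed inside JavaScript, URLs or CSS need their own context-specific encoding.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow-list check. The format is an assumption for illustration, not the real
// UPS tracking-number grammar: 8 to 20 upper-case letters or digits.
const TRACKING_NUMBER_RE = /^[A-Z0-9]{8,20}$/;
function isPlausibleTrackingNumber(value) {
  return TRACKING_NUMBER_RE.test(String(value));
}

// Hardened: reject input that does not match the allow-list, and escape what
// is echoed back anyway (defence in depth: escaping alone would also have
// neutralised the probe, validation alone would not protect other echo points).
function renderTrackingPageHardened(trackingNumber) {
  if (!isPlausibleTrackingNumber(trackingNumber)) {
    return "<h1>Invalid tracking number</h1>";
  }
  return `<h1>Tracking details for ${escapeHtml(trackingNumber)}</h1>`;
}

// Detection helper for the demonstration: does the rendered page still contain
// a script element that a browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone usage: compare both renderers on the hostile input.
console.log("vulnerable :", renderTrackingPageVulnerable(HOSTILE_INPUT));
console.log("hardened   :", renderTrackingPageHardened(HOSTILE_INPUT));
console.log("escaped only:", escapeHtml(HOSTILE_INPUT));
```

The hardened renderer shows the two layers a defender wants: an allow-list that rejects anything that is not shaped like a tracking number, and output encoding for the HTML context the value lands in. A Content-Security-Policy header that disallows inline scripts is a useful third layer but does not replace either of the first two.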

Phishing still up on popularity chart

According to Verizon’s “2021 Data Breach Investigations Report,” phishing remains one of the top Action varieties in breaches and has been in that position for the past two years.

It attributes the top position to the pandemic-driven quarantine and the continued stay-at-home orders. The UPS.com incident is a case in point that echoes the findings.

The share of breaches involving phishing rose to 36% from last year’s 25%.

The ease with which targets fall victim to this kind of distribution is incentive enough for attackers to keep using these threat vectors.
