In this attack, malicious actors impersonate Canada Post to steal victims’ personal and billing information.
Platform: Office 365
Email Security Bypassed: IronPort
Payload: Malicious Link
Technique: Brand Impersonation
Setup: Since the onset of the pandemic, many in-person shopping locations have closed, and, as a result, many consumers have turned to e-commerce. This attack attempts to replicate one of the many delivery notifications consumers may receive.
Email Attack: This attack pretends to be a notification email from Canada Post notifying the recipient that their package will not be delivered. It informs the recipient that they must click on the link to organize a second delivery.
Payload: The payload of this attack is complex and consists of many redirects and layers:
1. SendGrid redirect link in the email that leads to a password protected PDF hosted on e-document.space
2. Another link in the password protected PDF to canadapost-cpc.com containing a CAPTCHA
3. Profile creation page asking for personal and billing information
And it even tries to steal the user’s MFA code!
Result: Should victims fall for this attack, their personal and billing information would be in the hands of the attackers who can use this information to commit identity and financial theft.
Convincing email and concealed URL: This attack is made to look like a legitimate notification through the use of images and the inclusion of a security code. The malicious link is hidden behind the text “Please click here” and utilizes a SendGrid redirect link.
Convincing landing page: Although the phishing page looks like it contains a CAPTCHA, in reality it is a static image containing the same code provided in the email. However, unassuming victims are likely to believe that this is an authentic security measure and would be more likely to trust the phishing page.
Layered payload, multiple redirects: By utilizing a combination of redirects, password protected files, and CAPTCHA, this attack bypasses most email security solutions.
“Security” Features: The numerous “security” measures in this attack are used to convince the recipient that this interaction is authentic and secure. Multi-factor authentication (MFA) is an important security measure in preventing unauthorized usage or access of user accounts. However, the attacker attempts to steal the user’s security code in order to circumvent the MFA. This is particularly dangerous, as some security platforms assume that because a login passed MFA, the access is authorized and authentic.
Abnormal is the email security company that stands for trust.
© 2020 Abnormal Security Corporation.
All rights reserved.