The holiday shopping season always means a big deal for phishers, who tend to have increased success this time of year with an age-old lure about a finicky package that needs to be redistributed. Here’s a look at a pretty elaborate SMS-based phishing scam that spoofs FedEx for the purpose of extracting personal and financial information from unwary recipients.
Louis Morton, a security professional based in Fort Worth, Texas, transmitted a phishing or “smishing” text message to his wife’s mobile device that indicated that a package could not be delivered.
“It’s an almost perfect attack vector this time of year,” Morton said. “A link was included implying that the recipient could reschedule the delivery.”
Attempt to visit the domain in the phishing link – o001cfedeex[.]com – from a desktop web browser, redirects the visitor to a harmless page with advertisements for auto insurance quotes. But by loading it into a mobile device (or imitating one using development tools), we can see the intended landing page shown in the screenshot on the right – fedex-returns[.]com.
Preventing non-mobile users from visiting the domain can help minimize scrutiny of the site by non-potential victims, such as security researchers, and thus potentially keep the scam site online longer.
By clicking on “Schedule a new delivery”, a page asks for your name, address, telephone number and date of birth. Those who click “Next Step” after providing this information are asked to add a charge card to cover the “delivery charge” of $ 2.20.
After clicking on “Pay Now”, the visitor is prompted to verify their identity by providing their social security number, driver’s license number, email address and password. Scrolling down the page revealed more than half a dozen working links to actual fedex.com resources online, including the company’s security and privacy policies.
While the fiber of my being is hoping that most people panic on this page and walk away, scams like these would hardly exist if they didn’t work at least some of the time.
After clicking “Check”, anyone who is anxious enough about a misplaced package to provide all of that information is redirected to the real FedEx on Fedex.com.
It seems that in the last 12 hours the domain that loads when clicking on the link in the SMS phishing message – return-fedex[.]com – stopped solving. But I doubt we saw the last of these phishers.
The real internet address of the link included in the FedEx SMS phishing campaign is hidden behind the content distribution network Cloudflare, but an examination of its Domain Name System (DNS) records shows it resolves to 23.92.29[.]42. There are currently over three dozen other newly registered FedEx phishing domains linked to this address, all with a similar naming convention, for example, f001bfedeex[.]com, g001bfedeex[.]com, and so on.
Now is a great time to remind your family and friends of the best tips for avoiding phishing scams: Avoid clicking on links or attachments that come spontaneously in emails, text messages and emails. other supports. Most phishing scams invoke a temporal element that warns of negative consequences if you don’t respond or act quickly.
If you’re not sure if the post is legitimate, take a deep breath and visit the site or service in question manually – ideally, using a browser bookmark to avoid potential typosquatting sites.