Threat Actor Serves Malware From By Exploiting XSS Vulnerability

Threat Actor Served Malware From By Exploiting XSS Vulnerability

A researcher detailed a clever phishing campaign that used an XSS vulnerability in UPS official website to send fake and malicious Word and PDF documents.

A security researcher Daniel Gallagher first discovered the phishing scam after spotting an email that claimed to be from UPS. The email was mimicking UPS and asked for the customer’s username and email address in order to pick up the package.

What makes this attack stand out is that the attacker exploited the XSS vulnerability in the website to display a fake download page and trick users into clicking a link. The vulnerability was exploited to distribute a malicious document through a remote Cloudflare worker.

All links in the email but one are legitimate and do not perform malicious behavior. Only the tracking link led to a page that contained the exploit for an XSS flaw and injected malicious JavaScript code into the browser.

What’s interesting, the threat actor helpfully left a comment in the base64 string that explains that this string’s purpose is to hide an exploit query parameter that is appended to the end of the URL:

1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;)

This was unusual, as threat actors rarely explain the exact steps they take in order to launch a phishing attack.

The Cloudflare worker script found by Brian Gallagher on Urlscan will cause the UPS page to show a message about a file being downloaded.

The downloaded document is a fake shipping invoice that mimics UPS. When opened, all the text in the document is unreadable, and the document then prompts the user to enable content.

This phishing scheme is effective in tricking users because they are visiting a legitimate site and clicking on a link to download an invoice. The victims are then more likely to open the weaponized PDF.

This phishing scam shows how threat actors constantly come up with new tactics to distribute malicious files.

Although the email sender’s address was suspicious and showed a suspicious domain (, the download page was legitimate as it was on a real website. Therefore, many victims would have fallen for the scam.

The XSS vulnerability has reportedly since been fixed.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.