A researcher detailed a clever phishing campaign that used an XSS vulnerability in the official UPS website to deliver fake and malicious Word and PDF documents.
Security researcher Daniel Gallagher first discovered the phishing scam after spotting an email that claimed to be from UPS. The email mimicked UPS and asked for the customer’s username and email address in order to pick up the package.
What makes this attack stand out is that the attacker exploited the XSS vulnerability in the UPS.com website to display a fake download page and trick users into clicking a link. The vulnerability was exploited to distribute a malicious document through a remote Cloudflare worker.
Interestingly, the threat actor helpfully left a comment in the base64 string explaining that the string’s purpose is to hide an exploit query parameter that is appended to the end of the URL:
1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;)
This was unusual, as threat actors rarely explain the exact steps they take in order to launch a phishing attack.
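The padding trick described above can be checked for when triaging links from reported emails. The following is an added example, not code from the article or the researcher: it decodes long base64 values in a link and flags the link when such filler accompanies a query parameter carrying HTML or script markup. The hosts, parameter names, markup patterns and 40-character threshold are assumptions, since the article does not show the actual URL.

```python
import base64, binascii, re
from urllib.parse import urlsplit, parse_qsl, quote

# Heuristic markers of HTML/script injected into a parameter (assumed for this example).
MARKUP = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)
B64 = re.compile(r"[A-Za-z0-9+/]{40,}")  # long run: plausible URL filler

def decode_filler(value):
    """Return the text hidden in a long base64 value, or None if it is not one."""
    raw = value.rstrip("=").replace(" ", "+").replace("-", "+").replace("_", "/")
    if not B64.fullmatch(raw):
        return None
    try:
        data = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only readable ASCII counts; random tokens decode to binary noise.
    return data.decode("ascii") if data and all(32 <= b < 127 for b in data) else None

def inspect_link(url):
    """Flag links where base64 filler accompanies a markup-bearing query parameter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Check path segments and query values (where the filler sits is an assumption).
    candidates = parts.path.split("/") + [v for _, v in params]
    padding = [t for t in map(decode_filler, candidates) if t]
    markup = [name for name, value in params if MARKUP.search(value)]
    return {"host": parts.hostname, "padding": padding,
            "markup_params": markup, "suspicious": bool(padding and markup)}

# Constructed sample data: inert placeholder hosts, not the URLs from the campaign.
FILLER = "constructed filler text that only makes the sample link longer"
SAMPLE = ("https://shipping.example/track?id="
          + base64.urlsafe_b64encode(FILLER.encode()).decode()
          + "&q=" + quote('<script src="https://worker.example/x.js"></script>'))
BENIGN = "https://shipping.example/track?id=1Z999AA10123456784&lang=en"

if __name__ == "__main__":
    for link in (SAMPLE, BENIGN):
        print(inspect_link(link))
```

A trusted host name does not clear a link under this check, because the markup parameter is reflected by the legitimate site itself.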
The Cloudflare worker script found by Brian Gallagher on Urlscan causes the UPS page to display a message saying that a file is being downloaded.
The downloaded document is a fake shipping invoice that mimics UPS. When opened, all the text in the document is unreadable, and the document then prompts the user to enable content.
This phishing scheme is effective at tricking users because they are visiting a legitimate ups.com site and clicking on a link to download an invoice. The victims are then more likely to open the weaponized PDF.
This phishing scam shows how threat actors constantly come up with new tactics to distribute malicious files.
Although the email sender’s address used a suspicious domain (@paradanta.com), the download page appeared legitimate because it was on the real UPS.com website. Therefore, many victims would have fallen for the scam.
The UPS.com XSS vulnerability has reportedly since been fixed.