In this phishing attack, cybercriminals convincingly impersonate UPS and email the target claiming they have a pending delivery that requires their attention. The pretext for the email is that the package has an unclear transit status which the recipient must verify using the embedded link. Should they click the button labeled “CLICK HERE”, they are redirected to a detailed, multi-step phishing site that even features a fake photo purportedly of the recipient’s pending shipment. If the target clicks through all of the pages, they reach the final step, where they are prompted to enter shipping and payment details to finalize the request and pay a $1.95 fee. If the recipient provides the requested information, the threat actor can then use it to initiate fraudulent transactions for sums much larger than $1.95.

While bogus shipping notifications of the past often contained minimal text, formatting, or branding, this attack incorporates UPS’ branding into both the initial message and the phishing site. Additionally, the grammar, spelling, and syntax of the emails are essentially flawless. This attack demonstrates the startling level of believability that modern cybercriminals can achieve and how easily they can trick targets into sharing sensitive information.

Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed email account, employs sophisticated social engineering tactics, and lacks obvious red flags like malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, analyze suspicious links in the message, and detect the difference between the sender name and domain to correctly flag this email as an attack.

Screenshot 1: Phishing email using social engineering to compel targets to click a malicious link

Screenshot 2: First page of the phishing site featuring UPS branding and inviting the target to schedule delivery of their package

Screenshot 3: Penultimate page of the multi-stage phishing site containing a photo purportedly of the pending package to reinforce the legitimacy of the phishing attempt

Screenshot 4: Last page of the phishing site requesting contact and payment information, which will be stolen by the attacker

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a spoofed email address, which allows them to bypass basic email verification checks and adds perceived authenticity.
  • Social Engineering Tactic: The email claims that tracking verification is needed for a package delivery, creating a sense of urgency and prompting immediate action.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Suspicious Link Analysis: The presence of a link that leads to a suspicious domain is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
  • Sender Name and Domain Mismatch: The sender name does not match the domain, raising further suspicion during Abnormal’s analysis.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
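The three indicators listed above can be approximated with simple heuristics. The following script is an added example, not Abnormal Security's detection logic and not code from this page: it checks a constructed sample message against a hypothetical per-mailbox communication history (the "unknown sender" signal), compares the brand claimed in the display name with the sending domain (the "sender name and domain mismatch" signal), and flags links whose host belongs neither to the claimed brand nor to any previously seen correspondent (the "suspicious link" signal). All sender and link domains in the samples are placeholders, and the two-indicator threshold before blocking is an assumption chosen here to avoid blocking every first-time legitimate sender.

```python
"""
Heuristic reproduction of the three indicators described above, run over a
constructed sample message. Added example; not Abnormal Security's detection logic.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed communication history for one mailbox (hypothetical data):
# registrable domains this recipient has previously exchanged mail with.
KNOWN_SENDER_DOMAINS = {"ups.com", "partner.example"}

# Brand tokens and the domains that legitimately send mail for that brand.
# Only UPS is listed because that is the brand impersonated on this page.
BRAND_DOMAINS = {"ups": {"ups.com"}}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def registrable_domain(host):
    """Crude 'registrable domain': the last two labels. Enough for the samples
    here; a production system would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_parts(from_header):
    """Split a From: header into display name, address and registrable domain."""
    name, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    return name.strip(), addr.lower(), domain


def brand_in_name(display_name):
    """Return the brand token found in the display name, or None."""
    words = re.findall(r"[a-z]+", display_name.lower())
    for brand in BRAND_DOMAINS:
        if brand in words:
            return brand
    return None


def analyze(message, known_domains=KNOWN_SENDER_DOMAINS):
    """Return the indicators triggered by `message` and an overall verdict.

    message: dict with 'from' (raw From: header value) and 'body_html'.
    """
    indicators = []
    name, _addr, domain = sender_parts(message["from"])

    # 1. Unknown sender: no prior correspondence with this domain.
    if domain not in known_domains:
        indicators.append("unknown_sender")

    # 2. Sender name / domain mismatch: the display name claims a brand whose
    #    mail does not come from the sending domain.
    brand = brand_in_name(name)
    if brand and domain not in BRAND_DOMAINS[brand]:
        indicators.append("sender_name_domain_mismatch")

    # 3. Suspicious link: a link whose host belongs neither to the claimed
    #    brand nor to any domain the recipient has corresponded with.
    trusted = set(known_domains) | (BRAND_DOMAINS[brand] if brand else set())
    for href in HREF_RE.findall(message["body_html"]):
        host = urlparse(href).hostname or ""
        if host and registrable_domain(host) not in trusted:
            indicators.append("suspicious_link")
            break

    # Assumed policy: require two independent indicators before blocking, so a
    # first-time but otherwise clean sender is still delivered.
    verdict = "block" if len(indicators) >= 2 else "deliver"
    return {"indicators": indicators, "verdict": verdict}


# Constructed sample modelled on the UPS lure above; domains are placeholders.
PHISHING_SAMPLE = {
    "from": '"UPS Delivery Notification" <notice@example-sender.invalid>',
    "body_html": (
        "<p>Your package has an unclear transit status. "
        'Please verify it: <a href="https://track.example-phish.invalid/verify">'
        "CLICK HERE</a></p>"
    ),
}

# Constructed benign message from the genuine brand domain for comparison.
BENIGN_SAMPLE = {
    "from": '"UPS" <notifications@ups.com>',
    "body_html": '<a href="https://www.ups.com/track">Track your package</a>',
}

if __name__ == "__main__":
    for label, msg in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(msg))
```

Passing an empty `known_domains` to `analyze` with the benign sample shows why the threshold matters: the message then trips only `unknown_sender` and is still delivered, whereas the lure trips all three indicators regardless of history.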

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Display Name; Masked Phishing Link; Branded Phishing Page
Theme: Fake Shipping Notification
Impersonated Party: Brand
Impersonated Brands: UPS
