
ACTION REQUIRED, PROVIDE YOUR SENSITIVE INFORMATION BEFORE DELIVERY: UPS
CREDENTIAL PHISHING ATTACK

Written by Lauryn Cash
Threat Research / 7.11.22

In today’s Blox Tale, we will take a deeper look into a credential phishing
attack that used a gamut of different techniques in an attempt to steal
confidential data. We will see how attackers take advantage of a legitimate
company’s brand name and recognition to instill trust in unsuspecting victims.

The attack in the spotlight is a malicious email spoofing United Parcel Service
(UPS), a well-known multinational shipping and supply chain management company.
The email looked like a legitimate UPS Express message, simply reaching out to
the customer about a pending parcel delivery. Exploiting our curiosity bias, it
attempts to steer victims to a fake UPS confirmation page where they are
prompted to enter a wide range of sensitive, personally identifiable
information.

--------------------------------------------------------------------------------


SUMMARY

Mailboxes: More than 5,000

Target: This attack targeted a major software company for IT solution providers.

Email security bypassed: Microsoft Office 365

Techniques used: Social engineering, brand impersonation, spoofed landing page

--------------------------------------------------------------------------------


THE EMAIL

The subject of this socially engineered email attack read, “Your package UPS is
Pending !” and the message appeared to come from UPS. The sender's display name
had been manipulated in order to pass the eye test of unsuspecting victims. At
first glance the display name, uspostalservice@usp.com, can fool victims,
especially with USP being so close to UPS; however, that display name is the
true giveaway here – it suggests an association with the US Postal Service
(USPS), which is not to be confused with United Parcel Service (UPS).
Additionally, the sender's actual email domain, ensint.com, is not associated
with UPS.

The email body spoofed a UPS notification stating that an upcoming parcel
delivery was pending because of an incomplete delivery address. The victim is
instructed to reschedule the delivery by updating his or her delivery address.
Additionally, the attacker instills a sense of urgency by stating that the
victim has three days to complete this request and collect the package;
otherwise, additional steps and information will be required.



Fig 1: Fake email spoofing UPS notification

In this email attack, the attacker played on the victim’s fear that collecting
the parcel would become a hassle. We have all had parcels delivered that needed
a signature or proof of identification before they could be collected. If you
miss the delivery window or do not have the correct information, the delivery
has to be rescheduled, and if the shipment is urgent, important goods may not
arrive on time. Attackers know this, and took advantage of the victims of this
email attack by stating that additional measures would be required if the
recipient’s address information was not updated. Naturally, we want to
eliminate stress in our busy lives, and are therefore more likely to fall for
this attack, which was exactly the attacker’s goal.


THE PHISHING PAGE

Upon clicking the ‘Update my delivery address settings’ link within the body of
the email, victims are taken to a fake landing page purposefully crafted to
mimic a legitimate UPS webpage. Attackers displayed the UPS logo prominently
and even crafted a fake tagline for the company: “Delivery all over The World”.
UPS did retire its well-known slogan, “What can brown do for you”, in favor of
“We (heart) logistics”. Attackers took advantage of this change: the crafted
fake tagline is plausible for the UPS brand, tricking victims into believing it
is the new slogan and making the fake landing page more believable.



Fig 2: Link in email leads to fake UPS confirmation page

The fake landing page also showcased an image of a parcel, bringing to life the
idea of a parcel pending delivery. On this page, victims are prompted to enter
the parcel number (seen as N° on page) found within the email received, and to
click continue.

Fig 3: Fake UPS confirmation page exfiltrates PII & PCI data

Upon clicking ‘continue’, victims are taken to a second screen that asks for
sensitive PII (address, email, phone number and date of birth) as well as
sensitive payment card information (PCI). Victims who completed this step in
the attack flow would have voluntarily handed attackers their most sensitive
information and put themselves at risk.


ATTACK FLOW

Attackers used a valid domain to send this malicious email, which contained a
link to a fake landing page with the goal of exfiltrating sensitive PII and PCI
data. The email passed both SPF and SPF alignment authentication checks.
Looking at the Whois information for the URL within the email body, the
reputation score is ‘trustworthy’, at 92 out of 100. This email attack would
have bypassed email security solutions that only look at these checks; however,
Armorblox accurately detected this bad URL within the email body through NLU,
providing better protection for end users against these types of targeted,
malicious attacks.

This email attack impersonated a well-known brand with the intention of creating
a sense of trust in the victim. Attackers included legitimate logos and company
branding across the email and landing pages in order to exfiltrate the victim’s
sensitive PII and PCI data. Once the attacker succeeded in getting the victim
outside of the email, each subsequent action was designed to take further
advantage of the victim’s curiosity and trust, as well as the willingness to
comply in order to reduce unnecessary stress or complexity.



--------------------------------------------------------------------------------


RECAP OF TECHNIQUES USED

This email attack employed a gamut of techniques to get past traditional email
security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense
of trust and urgency in the victims. Trust was induced by impersonating a
well-known brand (UPS) and a sense of urgency through the language used within
both the email and the fake landing pages. The context of this attack also
leverages the curiosity effect, which is a cognitive bias that refers to our
innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email has HTML styling and disclaimers similar to UPS
branding. The information included within the body of the email attack is
similar to legitimate UPS communications, plus the logos used within both the
email and landing pages are the same in order to try and trick the victim and
instill trust.


GUIDANCE AND RECOMMENDATIONS

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better
protection and coverage against email attacks (whether they’re spear phishing,
business email compromise, or credential phishing attacks like this one),
organizations should augment built-in email security with layers that take a
materially different approach to threat detection. Gartner’s Market Guide for
Email Security covers new approaches that vendors brought to market in 2021,
and Armorblox highlights them in its 2022 Email Security Threat Report; both
should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained
to quickly execute their requested actions. It’s easier said than done, but
engage with these emails in a rational and methodical manner whenever possible.
Subject the email to an eye test that includes inspecting the sender name, the
sender email address, the language within the email, and any logical
inconsistencies within the email.
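The sender eye test above, together with the point from the attack flow section that SPF passing proves nothing about the brand named in the display name, can be automated at the mail gateway. The check below is an added example, not Armorblox's or UPS's code; the brand list, the constructed sample message and the sending address notify@ensint.com are assumptions, and only the display name, domain and subject come from the writeup.

```python
"""Display-name impersonation check (added example, not Armorblox code)."""
import re
from email import message_from_string

BRAND_DOMAINS = {"ups": "ups.com", "usps": "usps.com"}  # assumed brand list
ANGLE = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")

def split_from(header: str) -> tuple[str, str]:
    """Split 'Name <addr>' ourselves: an unquoted name containing '@' (the exact
    trick used here) makes email.utils.parseaddr return the wrong address."""
    m = ANGLE.match(header.strip())
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").lower()
    return "", header.strip().lower()

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def check_sender(raw_message: str) -> list[str]:
    """Return findings for one raw RFC 5322 message; empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    display, addr = split_from(msg.get("From", ""))
    from_domain, findings = domain_of(addr), []
    # 1. Display name that is itself an address on a domain other than the real sender.
    if "@" in display and domain_of(display) != from_domain:
        fake = domain_of(display)
        findings.append(f"display name looks like an address on {fake}, real sender is {from_domain}")
        # Letter-transposition of a known brand domain (usp.com vs ups.com).
        for brand in BRAND_DOMAINS.values():
            a, b = fake.split(".")[0], brand.split(".")[0]
            if a != b and sorted(a) == sorted(b):
                findings.append(f"{fake} is a letter-transposition of {brand}")
    # 2. Brand keyword in the display name without the brand's own domain behind it.
    for brand, brand_domain in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", display.lower()) and from_domain != brand_domain:
            findings.append(f"display name mentions {brand.upper()} but sender domain is {from_domain}")
    # 3. spf=pass only shows the sending domain authorised the host; it never proves the brand claim.
    if findings and "spf=pass" in msg.get("Authentication-Results", "").lower():
        findings.append("SPF passed for the sending domain, so SPF alone would not catch this")
    return findings

# Constructed sample; only the display name, domain and subject come from the writeup.
SAMPLE = """\
From: uspostalservice@usp.com <notify@ensint.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ensint.com
Subject: Your package UPS is Pending !

Your parcel is pending due to an incomplete delivery address.
"""
```

Running `check_sender(SAMPLE)` yields three findings for the sample, while a genuine `"UPS" <noreply@ups.com>` message yields none; the keyword check also flags display names such as "UPS Express" sent from an unrelated domain.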

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the
impact of credentials being exfiltrated:

 * Deploy multi-factor authentication (MFA) on all possible business and
   personal accounts.
 * Don’t use the same password on multiple sites/accounts.
 * Use password management software like LastPass or 1Password to store your
   account passwords.
