Abnormal Attack Stories: Canada Post Phishing


In this attack, malicious actors impersonate Canada Post to steal victims’ personal and billing information.

Quick Summary of Attack Target

Platform: Office 365
Email Security: IronPort
Mailboxes: 50,000+
Payload: Malicious Link
Technique: Brand Impersonation

What was the attack?

Setup: Since the onset of the pandemic, many in-person shopping locations have closed, and, as a result, many consumers have turned to e-commerce. This attack attempts to replicate one of the many delivery notifications consumers may receive.

Email Attack: The email poses as a Canada Post notification telling the recipient that their package will not be delivered. It instructs the recipient to click a link to organize a second delivery.


Payload: The payload of this attack is complex and consists of many redirects and layers:

1. A SendGrid redirect link in the email that leads to a password-protected PDF hosted on e-document.space


2. Another link, inside the password-protected PDF, to canadapost-cpc.com containing a CAPTCHA


3. A profile creation page asking for personal and billing information


And it even tries to steal the user’s MFA code!


Result: Should victims fall for this attack, their personal and billing information would be in the hands of the attackers, who can use it to commit identity and financial theft.

Why is this attack effective?


Convincing email and concealed URL: This attack is made to look like a legitimate notification through the use of images and the inclusion of a security code. The malicious link is hidden behind the text “Please click here” and utilizes a SendGrid redirect link.

Convincing landing page: Although the phishing page looks like it contains a CAPTCHA, in reality it is a static image containing the same code provided in the email. However, unsuspecting victims are likely to believe that this is an authentic security measure and would be more likely to trust the phishing page.

Layered payload, multiple redirects: By utilizing a combination of redirects, password-protected files, and a CAPTCHA, this attack bypasses most email security solutions.

“Security” Features: The numerous “security” measures in this attack are used to convince the recipient that this interaction is authentic and secure. Multi-factor authentication (MFA) is an important security measure in preventing unauthorized usage or access of user accounts. However, the attacker attempts to steal the user’s security code in order to circumvent MFA. This is particularly dangerous, as some security platforms assume that because a login passed MFA, the access is authorized and authentic.
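The concealed-URL and layered-redirect points above translate into a simple link triage check. The sketch below is an added example, not Abnormal Security's detection logic: the redirector list, the legitimate Canada Post domains, and the sample email body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions made for this example (not taken from the page):
REDIRECTORS = {"sendgrid.net"}  # click-tracking hosts treated as redirectors
BRAND_DOMAINS = {"canada post": {"canadapost.ca", "canadapost-postescanada.ca"}}
GENERIC_TEXT = {"click here", "please click here"}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def score_links(display_name, html):
    """Return [(host, reasons)] for each link in an HTML body."""
    brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if under(host, REDIRECTORS):
            reasons.append("redirector")  # final destination is not visible in the mail
        if text.lower().rstrip(".!") in GENERIC_TEXT:
            reasons.append("generic-anchor-text")
        if brand and not under(host, BRAND_DOMAINS[brand]):
            reasons.append("off-brand-host")
            if brand.replace(" ", "") in host:
                reasons.append("lookalike-host")  # brand name inside a foreign domain
        findings.append((host, reasons))
    return findings

# Constructed sample body modelled on the email described above.
SAMPLE_EMAIL = ('<p>Security code: 0000</p><a href="https://u0000000.ct.sendgrid.net'
                '/ls/click?upn=CONSTRUCTED">Please click here</a>')

if __name__ == "__main__":
    for host, reasons in score_links("Canada Post", SAMPLE_EMAIL):
        print(host, reasons)
```

A SendGrid link on its own is common in legitimate bulk mail; the useful signal is its combination with a sender name claiming a brand whose domains the link does not use. The same function flags canadapost-cpc.com as a lookalike host if the link extracted from the PDF is passed through it.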

The post Abnormal Attack Stories: Canada Post Phishing appeared first on Abnormal Security.
