Waiting for a package? Don't click this phony UPS email
A clever crook has been dropping malware on unsuspecting victims who get tricked into clicking a legitimate-looking UPS tracking-number link that leads to the real UPS.com website.
Normally, you can avoid phishing and malware scams by checking the URL, or web address, of the site they take you to. It's normally a dead giveaway when the URL and purported site don't match.
But in this case, reports Twitter user Daniel Gallagher via Bleeping Computer, the victim lands on the real UPS website, and hence may be more inclined to trust the malicious Word document that gets downloaded as the tracking-number page is opened.
Just saw one of the best phishing emails I have seen in a long time... 😯 Successful injection in ups[.]com? This one is going to fool a lot of people when you have the actual @UPS website indicating "Your download will start shortly" https://t.co/ERmbLUWrhL pic.twitter.com/HaZPCU1VL8 August 23, 2021
That Word doc itself is deliberately unreadable until the reader clicks "Enable Content", which downloads yet more files.
Gallagher called this "one of the best phishing emails I have seen in a long time."
UPS.com has since fixed the particular flaw that permitted the crook to inject malicious code right into the company website, and most of the best antivirus software detects the malicious Word doc. But it won't be the last time this method is used in phishing and "malspam" (malicious spam) campaigns.
How the phish works — and how to avoid it
The charade begins with a convincing-looking email message notifying you that "your package has experienced an exception," defined as "when a package or shipment encounters an unforeseen event."
You are invited to "download and print out the invoice to pick up the package at the UPS Store" or to click the tracking-number link.
The only tip-off that this is fake is the address of the email sender, which includes "unitedparcelservice" but has a different dot-com name. However, it wouldn't be that hard for the sender to "spoof" a legitimate UPS.com email address if they wanted to.
Normally, you can avoid email-based phishing scams by hovering your mouse cursor over the link in the body of the message. That will display the destination URL at the bottom of your screen.
But in this case, you'll see a real UPS.com web address when you hover over the tracking number or the invoice link. Click on either, and you land on a page on the UPS website telling you that "Your download will start shortly."
The crook has exploited a cross-site scripting (XSS) flaw in the UPS site to add their own code, which reaches out to another website to fetch and deliver a Word document to the site visitor.
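A mail-filter style check that goes one step past the hover test described above, as an added example that is not from the original article. It assumes the injected code travels in a URL parameter or fragment (the article does not say where it sat), and the `shipper.example` hosts, the sample links and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Heuristic for HTML/script markup; a tracking number never needs any of it.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Constructed samples; shipper.example stands in for the carrier's real domain.
SAMPLE_CLEAN = "https://www.shipper.example/track?loc=en_US&tracknum=1Z999AA10123456784"
SAMPLE_LURE = "https://www.shipper.example/track?loc=en_US&tracknum=1Z999%253Cscript%253E"

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def in_domains(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def triage_link(url, sender_domain, trusted_domains):
    """Return findings for one link taken from an email body."""
    parts = urlsplit(url)
    findings = []
    on_trusted = in_domains(parts.hostname or "", trusted_domains)
    if not on_trusted:
        findings.append("link-host-not-trusted")
    # The hover check ends here. Assumption: the injected code rides in a
    # URL parameter or fragment, so those are decoded and inspected too.
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields.append(("#fragment", parts.fragment))
    for name, value in fields:
        if MARKUP.search(fully_decode(value)):
            findings.append("markup-in-parameter:" + name)
    # A trusted link sent from an unrelated domain is the article's one tip-off.
    if on_trusted and not in_domains(sender_domain, trusted_domains):
        findings.append("sender-domain-differs-from-link-domain")
    return findings

if __name__ == "__main__":
    trusted = {"shipper.example"}
    print(triage_link(SAMPLE_CLEAN, "shipper.example", trusted))
    print(triage_link(SAMPLE_LURE, "unitedparcelservice-mail.example", trusted))
```

The lure passes the host check and is caught only by the decoded-parameter and sender-domain checks, which is why hovering over the link is not enough here.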
Malicious macro
Here's where this scheme becomes more of a regular phishing/malspam scam, and where it's easiest to avoid.
Open that Word doc, and the text will be so blurry that you won't be able to read it. Microsoft Word will tell you that macros — small scripts that can run in Office files — have been disabled, but the Word file tells you to "Enable Content" to see the text.
Needless to say, you should never Enable Content on some random Word, Excel or PowerPoint document downloaded from the internet.
But if you do, a macro in the Word doc downloads a possibly malicious .png image. Unfortunately, by the time Bleeping Computer was able to repeat the process, the image was no longer available, so we can't be exactly sure what it contained.
Given the amount of charade and misdirection that it took to get to this point, it's a fair bet that the image was nothing good.
Source: https://www.tomsguide.com/news/ups-tracking-malware
Posted by: headenbroas1950.blogspot.com
