SAN FRANCISCO — As Christmas approaches, experts suggest an extra dollop of caution before clicking on email package delivery notices. Fake notifications are proliferating, bringing not holiday cheer — but holiday ransomware.
The holiday phishing season began just before Thanksgiving and will likely extend until after Christmas, said Caleb Barlow, vice president for IBM Security.
“This is a $445 billion business. These are campaigns, run by the criminal equivalent of marketers,” he said.
Security company FireEye sees a significant increase in fake package email alerts beginning in November, an almost 100% increase from the average of September-October.
Common subject lines the company has been tracking include:
- We could not deliver your parcel, #00556030
- Please Confirm Your DHL Shipment
- Problems with item delivery, n.000834069
- Delivery Receipt | Confirm Awb no:XXX830169
- Your order is ready to be delivered
- Courier was unable to deliver the parcel, ID00990381
- Your DHL is here please download attachment to view detail and confirmation of your address
Let the clicker beware
It’s important to remember that legitimate shippers such as Amazon, FedEx and UPS have nothing to do with this and haven't done anything here.
“It’s the bad guys trying to trick you into thinking it’s them, not the companies themselves,” said Barlow.
UPS keeps a page on its site showing various examples of fake delivery notices, with tips on how to spot fraud. The Federal Trade Commission also has information up on how consumers can protect themselves.
The fake messages tend to come in two main types.
Some contain malware that invades your computer and either allows it to be used by a botnet or attempts to find and extract personal information about you that could be sold, or login information for your financial accounts.
The most damaging can contain ransomware. This is software that allows criminals to remotely lock up your computer. They then send a message demanding payment in untraceable digital currency such as Bitcoin.
These campaigns can be enormous. IBM's X-Force security team began tracking a massive spam campaign on Nov. 21 that flooded millions of inboxes with fake delivery notifications carrying the subject line "Your Amazon.com order has dispatched."
Instead of a package update, they carried a malicious zip attachment that downloaded the Locky ransomware program. At its peak, the campaign involved 44% of all incoming spam emails to IBM's decoy accounts designed to gather information about potential threats.
Security firms globally are always on alert for this type of attack and quickly identify and block new malware variants. That, too, was visible in the IBM data.
“Every time the good guys figure it out, the bad guys pivot, tweak their code and try again,” Barlow said.
Phishing attacks all have a common objective, to get people to trust the receiver and follow instructions, which are usually to click on a URL or open an attachment, said Paul Calatayud, chief technology officer at the security firm FireMon.
Check it twice
To protect yourself, look, carefully at any emailed package delivery notice. Do they include your full name, customer number and actual information from the company? Is the email address it came from actually the company or some odd variant?
For example, an email purporting to be from FedEx that came to this reporter on Wednesday was actually from FedEx-intl.com, a non-existent address.
If there’s any doubt don’t click, say experts. Take the time to actually type in the Amazon or UPS or FedEx address. It won't take that much longer but will protect you.
“To a malicious actor, this is optimal phishing season and the phishing is good!” said Thomas Pore, director of IT for security company Plixer International. “As much as you want to click and open, just don’t do it.”
