The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a time-honored lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients.
Louis Morton, a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered.
“It is a nearly perfect attack vector at this time of year,” Morton said. “A link was included, implying that the recipient could reschedule delivery.”
Attempting to visit the domain in the phishing link — o001cfedeex[.]com — from a desktop web browser redirects the visitor to a harmless page with ads for car insurance quotes. But by loading it in a mobile device (or by mimicking one using developer tools), we can see the intended landing page pictured in the screenshot to the right — returns-fedex[.]com.
Blocking non-mobile users from visiting the domain can help minimize scrutiny of the site from non-potential victims, such as security researchers, and thus potentially keep the scam site online longer.
Clicking “Schedule new delivery” brings up a page that requests your name, address, phone number and date of birth. Those who click “Next Step” after providing that information are asked to add a payment card to cover the $2.20 “redelivery fee.”
After clicking “Pay Now,” the visitor is prompted to verify their identity by providing their Social Security number, driver’s license number, email address and email password. Scrolling down on the page revealed more than a half dozen working links to real fedex.com resources online, including the company’s security and privacy policies.
While ever fiber of my being hopes that most people would freak out at this page and go away, scams like these would hardly exist if they didn’t work at least some of the time.
After clicking “Verify,” anyone anxious enough over a wayward package to provide all that information is redirected to the real FedEx at Fedex.com.
It appears that sometime in the past 12 hours, the domain that gets loaded when one clicks the link in the SMS phishing message — returns-fedex[.]com — stopped resolving. But I doubt we’ve seen the last of these phishers.
The true Internet address of the link included in the FedEx SMS phishing campaign is hidden behind content distribution network Cloudflare, but a review of its domain name system (DNS) records shows it resolves to 23.92.29[.]42. There are currently more than three dozen other newly-registered FedEx phishing domains tied to that address, all with a similar naming convention, e.g., f001bfedeex[.]com, g001bfedeex[.]com, and so on.
Now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.
If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.