Attackers are once again targeting people waiting for parcels by using the names and likenesses of DPD Courier and the Romanian Post Office.
These types of scams have become ubiquitous because waiting for packages from couriers is a mundane act that binds us all. Attackers know that if they send enough messages, they will eventually get in touch with someone who has no security solution installed and who is not familiar with the entire shipping process.
Most of the time, the campaign's core message is the same: something went wrong with the delivery, and you have to do something small, like pay a minimal fee to cover an error in shipping. Of course, the victim doesn't pay anybody, just offers attackers all the details of the credit card and all the other personal information.
Criminals use official-looking logos and websites to ensure the victim doesn't suspect anything. Here is the "official" website victims access when they open the message sending people to pay the equivalent of 3 euros to the Post Office.
What makes this campaign interesting is the number of domains used to host these fake websites:
http[:]//posta-romana[.]4pservices[.]com
https[:]//posta-romana-pachet[.]com
https[:]//posta-romana-track[.]com
https[:]//posta-romana[.]bhnyo[.]com
https[:]//posta-romana[.]cqdzzc[.]com
https[:]//posta-romana[.]hryys[.]com
https[:]//posta-romana[.]jdcwyy[.]com
https[:]//posta-romana[.]jsfxzs[.]com
https[:]//posta-romana[.]krpsc[.]com
https[:]//posta-romana[.]krpsc[.]com/
https[:]//posta-romana[.]nbfam[.]com
https[:]//posta-romana[.]scdsf[.]com
https[:]//posta-romana[.]sdpes[.]com
https[:]//posta-romana[.]sdpes[.]com/
https[:]//posta-romana[.]skmtap[.]com
https[:]//posta-romana[.]tytzs[.]com
https[:]//posta-romana[.]xmrct[.]com
https[:]//posta-romana[.]yhuhu[.]com
https[:]//postaromana[.]ogzdr[.]xyz
https[:]//romana-posta[.]firebaseapp[.]com
https[:]//romana[.]life
https[:]//romana[.]life/
https[:]//romanapost[.]app
posta-romana-colete[.]com
posta-romana[.]app
posta-romana[.]ro/track-trace[.]html
posta-romanaro[.]top
posta-romanas[.]top
postaromana[.]app
Using new technology, Bitdefender can group all these domains into a single campaign, which means they're actually from the same operator.
The campaign targeting DPD is roughly the same, although the SMS message sent to the victims also mentions Amazon. Some deliveries from Amazon go through local parcel services in Romania, so the attackers also use that name to make it more credible. It's worth noting that the SMS is in English and not Romanian.
The goal is to persuade people to offer their financial and private information voluntarily. The DPD clone website also looks convincing. In this situation, the "parcel" is trapped in a warehouse, and the only way to get it moving again is around 1 Euro.
The domains hosting these websites have suffixes of the Netherlands, France or Germany, which are all part of the same campaign. Unlike the Post Office scam, the attackers didn't bother to trick people by using something familiar in the URL. Each victim receives a unique URL, likely generated on the spot when the link is accessed.
https[:]//angeliqueminet[.]fr/new[.]html?1039
https[:]//corps-et-ame[.]fr/new[.]html?1204
https[:]//greenvideo[.]nl/new[.]html?2202
https[:]//lagnysolidaire[.]fr/new[.]html?2061
https[:]//mariahennessy[.]nl/new[.]html?9726
https[:]//nedvision[.]nl/new[.]html?104
https[:]//plugtogo[.]nl/new[.]html?3729
https[:]//psychometrique[.]fr/new[.]html?4146
https[:]//schwarzachertor[.]de/new[.]html?9687
https[:]//slatovia[.]fr/new[.]html?1151
https[:]//tessaguijt[.]nl/new[.]html?3451
https[:]//vdsolutions[.]fr/new[.]html?5760
https[:]//www[.]so-deco[.]fr/new[.]html?9093
It's not difficult to stay ahead of these campaigns by using our knowledge about them. Never trust messages that carry some sort of urgency or require victims to pay extra. Installing Bitdefender Mobile Security for Android is also a good idea because it notifies users when they receive a malicious message on SMS and from many other platforms.
tags
Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
View all postsNovember 14, 2024
September 06, 2024