UPS Canada has disclosed an extended data breach involving an oversight in its online package tracking system, which was actively abused from February 2022 to April 2023. The attackers were able to access customer shipping information that should have been private, and are believed to have used some of it in an SMS phishing campaign.
Data breach involved overly permissive package tracking interface, “uncertain” time frame
At this point, most people have likely seen an SMS phishing attempt sent under the guise of a package delivery notification. Most of the time, these messages contain a made-up tracking number and are often paired with a clearly bogus URL. The attack is greatly enhanced, however, if the attacker has access to tracking information for an actual package that is en route, and threat actors were able to abuse the UPS system to obtain a variety of these details: tracking numbers, recipient names and phone numbers, and zip codes, among others.
The issue appears to be limited to UPS’s Canadian operations, according to a notice sent to customers. However, that notice was not framed as a data breach notification, but rather as a more general informative warning about SMS phishing techniques. Customers who dug into the message learned that this was a more specific concern about interception of their personal information, with the company indicating that it is an “inexact” estimate but that the data breach window was most likely from February 1, 2022 to April 24, 2023.
UPS also believes the data breach only impacts a “small group” of shippers and “some of” their customers. However, the company did not disclose details on how the attackers were able to abuse the package lookup tool. One immediate theory would be that they were stuffing in random tracking numbers, but a follow-up by Krebs on Security found that some of the people who received the SMS phishing messages said that they came in “almost immediately” after orders were placed at major retailers.
SMS phishing attacks may have involved exploit of API tool provided by UPS to big brands
This particular SMS phishing campaign appears to be the work of one threat actor, though there are as yet no clues as to their identity. Their approach was to demand money from the recipient in order to keep the delivery moving forward, usually asking for a small fee of around $1.50. The incidents appeared to be tied to specific brands such as Apple, LEGO and Nike.
As Krebs notes, it is possible that the data breach resulted from a flaw or vulnerability in an API that UPS Canada makes available to large enterprise-scale retailers that do lots of regular shipping. Enough major companies were involved in the SMS phishing campaign that it seems very unlikely that they were all individually breached. It is also possible the attackers found a flaw in a more general business shipping API and opted to only target certain large companies with it.
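The article does not say how the lookup tool was abused, so the following is an added illustration rather than UPS’s code or API: a minimal tracking lookup designed so that the fields named above (recipient name, phone number, postal code) are never returned to an unauthenticated caller, a shipper-scoped lookup that answers identically for "unknown" and "not yours" so it cannot be used as an enumeration oracle, and a counter that flags the random-number guessing theory mentioned earlier. All names, records and thresholds are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Shipment:
    """Constructed record; the fields mirror those the article says were exposed."""
    tracking: str
    recipient_name: str
    phone: str
    postal_code: str
    status: str


# Constructed sample data; not a real tracking number.
SHIPMENTS: Dict[str, Shipment] = {
    "1ZEXAMPLE0000001": Shipment("1ZEXAMPLE0000001", "A. Person", "+1-555-0100", "M5V 1A1", "In transit"),
}

# Hypothetical ownership map: shipper id -> tracking numbers that shipper created.
OWNED: Dict[str, Set[str]] = {"retailer-a": {"1ZEXAMPLE0000001"}}


def public_status(tracking: str) -> Optional[dict]:
    """Unauthenticated lookup: status only. Recipient PII is never in this response."""
    s = SHIPMENTS.get(tracking)
    if s is None:
        return None
    return {"tracking": s.tracking, "status": s.status}


def shipper_details(tracking: str, shipper_id: str) -> Optional[dict]:
    """Authenticated shipper lookup: full details only for numbers the caller created.
    A missing number and someone else's number get the same None, so the response
    does not reveal which guessed numbers are valid."""
    s = SHIPMENTS.get(tracking)
    if s is None or tracking not in OWNED.get(shipper_id, set()):
        return None
    return {"tracking": s.tracking, "status": s.status, "recipient_name": s.recipient_name,
            "phone": s.phone, "postal_code": s.postal_code}


class LookupMonitor:
    """Counts lookups of unknown tracking numbers per source; a high miss count from
    one source is the signature of guessing random numbers."""
    def __init__(self, limit: int):
        self.limit = limit
        self.misses: Dict[str, int] = defaultdict(int)

    def record(self, source: str, found: bool) -> bool:
        """Return True once `source` has exceeded the allowed number of misses."""
        if not found:
            self.misses[source] += 1
        return self.misses[source] > self.limit
```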
The SMS phishing attacks did not appear to be attempting to deliver malware or otherwise compromise the user’s device, but did attempt to redirect them to one of a number of domains hosted in Russia. These URLs appeared to target mobile devices, failing to load for those who attempted to open them in a web browser (in a likely attempt to conceal the obviously bogus URL). Those who did follow the URLs to their destination were presented with a credit card payment field mocked up with a UPS logo.
SMS phishing is one of the many avenues of cyber crime that saw a major spike during the Covid-19 pandemic. It is also part and parcel of a recent change in focus for cyber criminals, as they shift toward the most effective ways of stealing login credentials and away from software vulnerabilities and more technical hacking measures as an entry point for data breaches. “Smishing” approaches that target mobile phones are particularly popular, as it is easier to miss small warning signs and mobile devices are likely to lack the security measures in place on desktops and laptops.
As Tonia Dudley, Chief Information Security Officer at Cofense, observes: “As the reliance on mobile devices grows for managing nearly all aspects of our lives, it is unsurprising that scammers have shifted their focus to exploit this platform as a means to target and obtain users’ sensitive information. This data breach emphasizes the importance of reporting smishing, even if an individual falls for the scam, to safeguard online security and prevent future attacks. Implementing security awareness training is an essential step in preventing phishing attacks on all devices. Organizations should establish a straightforward reporting mechanism and equip employees with the necessary tools to swiftly eliminate phishing threats. By training employees on how to spot malicious messages, organizations can mitigate the likelihood of falling victim to these scams and the risk of compromised sensitive data.”
Recent reporting from IBM has found that 76% of organizations are now experiencing SMS phishing attempts, and research from Klaviyo has found that click-through rates can range as high as 9% to 14.5% of recipients. Assorted other recent surveys tend to find that only 20% to 40% of respondents are even aware of the concept of SMS phishing, indicating that a convincing and well-crafted message has a very good chance of landing. Email phishing is still by far the most common cause of data breaches, but an increasing share involve a text message.
Zach Capers, Senior Analyst at Capterra and Gartner, shares some of his firm’s data on the trend: “According to Capterra research on U.S. workers, bogus package delivery scams are the second most common type of SMS phishing scam (reported by 49% of respondents) ranking only behind banking schemes (58%). SMS scams are also targeting businesses. Capterra reports high numbers of fake applicants, HR impersonation, and new hire phishing scams, 75% of which involve SMS phishing messages. It’s time that both consumers and businesses recognize the rising SMS phishing threat.”
Erfan Shadabi, Cybersecurity Expert at comforte AG, offers some technical insight in countering this rising threat: “To mitigate the risks associated with SMS phishing attacks, organizations should adopt a data-centric security approach that focuses on protecting sensitive information throughout its lifecycle. Protecting sensitive information, including recipient contact details, is crucial in preventing attackers from exploiting trust and conducting successful phishing campaigns. Data-centric security not only safeguards data from unauthorized access but also enhances the overall resilience of organizations against evolving threats in the digital landscape. To combat SMS phishing, organizations must not only enhance their own cybersecurity measures but also train and educate customers about best practices. By raising awareness and providing guidance on identifying and avoiding phishing attempts, organizations empower customers to protect themselves from falling victim to SMS phishing attacks.”