A data breach involving UPS Canada led to a year-long SMS phishing campaign that used legitimate package shipping information, but it does not appear to have involved a direct hack of the company.
UPS has yet to reveal more details, but the most likely culprit is a flaw of some kind in an API that the attackers figured out how to exploit to access package transit updates that should have been private. The interesting twist is that this only happened in Canada, and appears to have only happened in association with legitimate shipments from certain major brands, suggesting that it may have been a special regional API provided only to large businesses with a certain regular shipping volume.
SMS phishing messages posed as UPS, demanded additional payments to deliver packages
The data breach window ran from at least February 2022 to April 2023, according to UPS. The attackers somehow accessed package tracking updates, then used that information to craft targeted SMS phishing messages with legitimate tracking numbers and customer contact information. Victims were redirected to one of a number of bogus sites hosted in Russia, but the aim was not to install malware, or even phish credentials. The attackers posed as UPS and asked for a small additional credit card payment (of $1.50 or so), likely with the exclusive aim of capturing credit card numbers.
A follow-up investigation with the data breach victims revealed that the attackers posed as certain specific big brands, such as Apple. The targets also reported that the SMS phishing attempts tended to come very soon after they had placed a legitimate order with these companies. Security researchers also found that the malicious links would not load in desktop web browsers, only redirecting if the user was on a mobile device.
Increasing share of data breaches caused by mobile compromise
SMS phishing (or “smishing”) is up in recent years, due to relatively high rates of success and also a relative lack of security on mobile phones. Though this particular scam seemed to be after credit card numbers, it is a very popular way of capturing login credentials. The problem is also not limited to individuals, as employees of organizations are regularly targeted in this way and the method is responsible for an increasing share of data breaches.
Cyber criminals are showing a more general interest in simply stealing employee credentials as a launch point for data breaches, rather than trying to hack their way in via software vulnerabilities. Business email compromise is still at the head of attempts to defraud organizations, but mobile package tracking scams have become the second-largest category (according to recent analysis by Capterra) and are gaining ground. Vulnerabilities will eventually be patched, but there is never a shortage of employees that can be baited into following a malicious link.
The answer is, in part, increased employee awareness of what unsolicited SMS phishing approaches look like, and having procedures in place for alternative methods of contact to verify that a message is legitimate. A possible mobile industry changeover to Rich Communication Services may also help to put a dent in this avenue of cyber crime, but until then organizations can help to boost employee awareness with periodic simulated SMS attacks.
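As an added example (not from the article, UPS, or any vendor), here is a small triage function for SMS messages that employees report under the verification procedures just described. It applies the indicators the campaign above exhibited: a claim to be UPS, a link to a domain outside an allowlist of UPS domains, a quoted tracking number, and a demand for a small payment. The allowlist, the regex heuristics and the sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Domains a genuine UPS tracking SMS is allowed to link to. The allowlist is an
# assumption for this example; an organisation would maintain its own.
TRUSTED_DOMAINS = {"ups.com"}

# Heuristics: URLs (with or without a scheme), UPS tracking numbers ("1Z" plus
# 16 alphanumerics), wording that asks the recipient to pay, and a UPS claim.
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
TRACKING_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b", re.I)
PAYMENT_RE = re.compile(r"\b(?:fee|payment|pay|redelivery)\b|\$\d+(?:\.\d{2})?", re.I)
UPS_RE = re.compile(r"\bups\b", re.I)

def hostname_of(url):
    """Lowercased hostname of a URL, tolerating URLs written without a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for an allowlisted domain or one of its subdomains, so
    look-alikes such as 'ups.com.evil.example' or 'ups-ca-delivery.example' fail."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage_sms(text):
    """Score one reported SMS body. A message is flagged when it claims to be UPS,
    links outside the allowlist, and either quotes a tracking number or asks for money."""
    urls = URL_RE.findall(text)
    untrusted = [u for u in urls if not is_trusted(hostname_of(u))]
    tracking = TRACKING_RE.search(text)
    asks_payment = PAYMENT_RE.search(text) is not None
    claims_ups = UPS_RE.search(text) is not None
    suspicious = claims_ups and bool(untrusted) and (asks_payment or tracking is not None)
    return {
        "claims_ups": claims_ups,
        "untrusted_urls": untrusted,
        "tracking_number": tracking.group(0) if tracking else None,
        "asks_payment": asks_payment,
        "suspicious": suspicious,
    }

# Constructed sample messages (not real campaign text): a smishing attempt,
# a legitimate-looking tracking notice, and an unrelated reminder.
SAMPLES = [
    "UPS: parcel 1Z999AA10123456784 is on hold. Pay the $1.50 delivery fee at ups-ca-delivery.example/track",
    "UPS: parcel 1Z999AA10123456784 is out for delivery today. Track at https://www.ups.com/track",
    "Reminder: your dentist appointment is tomorrow at 9am.",
]
```

Because the campaign's links only redirected on mobile devices, checking a reported link from a desktop browser can miss the redirect; the triage here relies on message content rather than fetching the link.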