In the last few months, we’ve seen many of our customers being targeted by Fedex/DHL impersonations. These attacks typically involve a hacker trying to impersonate one of these physical delivery services to infect the endpoint with an advanced persistent threat such as ransomware. The attackers will go to lengths to ensure that the email's sender and subject seem authentic and urgent, to increase the likelihood that the employee will open the message.
Malicious emails constructed to look like delivery information or confirmations from a legitimate shipping service
These emails will usually include Fedex/DHL in the sender of the email. For example:
“Fedex.com Online Services”
“FedEx International Ground”
“DHL Customer Service ©.”
The subject of the email will also be constructed to appear legitimate. Here are some typical examples:
“DHL Package Has Arrived”
“Unable to delivery your item”
“Problems with item delivery”
The sender will usually have an email address that is not associated with these delivery companies. However, it is common that the recipient does not notice the sender email, and simply clicks on the attachment. At that point, the computer might already be infected with ransomware. The most common attachments that contain the ransomware are compressed files, such as .rar, .zip, .7z and .ace, but we have also seen more common file types such as pdfs or Office documents.
Similar to other zero-day hacks, such as resume attacks, it appears that the hackers are targeting specific organizations and employees where there is a high likelihood the email will get opened, and the organization will be infected. This attack targets all industries, with an emphasis on those that ship physical goods or documents. Manufacturing, retail, electronics, and professional services are most often affected, and the most frequent targets within these organizations tend to be the employees who deal with the delivery services. The hackers do not necessarily target the executives in these companies, and in many instances prefer to attack lower level employees that have a lower awareness of IT security best practices.
The best way to protect against Fedex/DHL impersonators is to deploy a third-party security solution, such as Barracuda Essentials for Email Security or Essentials for Office 365. We also recommend training your employees against phishing and impersonation attacks, perhaps with ongoing awareness exercises for employees who deal with delivery services. If you use Office 365, we recommend running Barracuda's free Email Threat Scanner, which allows you to scan your Office 365 mailboxes and determine whether you are already under attack.
Learn more about Barracuda security solutions on our corporate site here.
Asaf Cidon is vice president of content security services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.