The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a time-honored lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients.
Louis Morton, a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered.
“It is a nearly perfect attack vector at this time of year,” Morton said. “A link was included, implying that the recipient could reschedule delivery.”
Attempting to visit the domain in the phishing link — o001cfedeex[.]com — from a desktop web browser redirects the visitor to a harmless page with ads for car insurance quotes. But by loading it in a mobile device (or by mimicking one using developer tools), we can see the intended landing page pictured in the screenshot to the right — returns-fedex[.]com.
Blocking non-mobile users from visiting the domain can help minimize scrutiny of the site from non-potential victims, such as security researchers, and thus potentially keep the scam site online longer.
Clicking “Schedule new delivery” brings up a page that requests your name, address, phone number and date of…