November 4, 2021

The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients.

One of dozens of FedEx-themed phishing sites currently being advertised via SMS spam.

Louis Morton, a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered.

“It is a nearly perfect attack vector at this time of year,” Morton said. “A link was included, implying that the recipient could reschedule delivery.”

Attempting to visit the domain in the phishing link — o001cfedeex[.]com — from a desktop web browser redirects the visitor to a harmless page with ads for car insurance quotes. But by loading it in a mobile device (or by mimicking one using developer tools), we can see the intended landing page pictured in the screenshot to the right — returns-fedex[.]com.

Blocking non-mobile visitors from the domain helps minimize scrutiny of the site from people who are not potential victims, such as security researchers, and thus potentially keeps the scam site online longer.

Clicking “Schedule new delivery” brings up a page that requests your name, address, phone number and date of birth. Those who click “Next Step” after providing that information are asked to add a payment card to cover the $2.20 “redelivery fee.”

After clicking “Pay Now,” the visitor is prompted to verify their identity by providing their Social Security number, driver’s license number, email address and email password. Scrolling down the page reveals more than a half dozen working links to real fedex.com resources online, including the company’s security and privacy policies.

While every fiber of my being hopes that most people would freak out at this page and go away, scams like these would hardly exist if they didn’t work at least some of the time.

After clicking “Verify,” anyone anxious enough over a wayward package to provide all that information is redirected to the real FedEx at Fedex.com.

It appears that sometime in the past 12 hours, the domain that gets loaded when one clicks the link in the SMS phishing message — returns-fedex[.]com — stopped resolving. But I doubt we’ve seen the last of these phishers.

The true Internet address of the link included in the FedEx SMS phishing campaign is hidden behind content distribution network Cloudflare, but a review of its domain name system (DNS) records shows it resolves to 23.92.29[.]42. There are currently more than three dozen other newly-registered FedEx phishing domains tied to that address, all with a similar naming convention, e.g., f001bfedeex[.]com, g001bfedeex[.]com, and so on.
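The naming convention above is regular enough to match mechanically. The following script, added here as an illustration and not part of the original article, takes a list of defanged indicators (the article’s four domains plus a few constructed ones), refangs them, and sorts each into the campaign pattern, a generic FedEx lookalike, the legitimate fedex.com, or unrelated; the set of legitimate domains and the sample list are assumptions for the example.

```python
import re

# Constructed sample list: the first four entries are the domains named in the
# article (defanged); the rest are made up here to exercise the classifier.
SAMPLE_DOMAINS = [
    "o001cfedeex[.]com", "returns-fedex[.]com", "f001bfedeex[.]com",
    "g001bfedeex[.]com", "www.fedex.com", "example[.]org", "FEDEX-Tracking[.]net",
]
BRAND = "fedex"
LEGIT = {"fedex.com"}          # assumed set of registrable domains the brand owns
# The campaign's naming convention: letter, three digits, letter, "fedeex".
CAMPAIGN_RE = re.compile(r"^[a-z]\d{3}[a-z]fedeex\.com$")

def refang(indicator):
    """Undo the '[.]' defanging used when sharing indicators."""
    return indicator.replace("[.]", ".").strip().lower()

def registrable(domain):
    """Last two labels; enough for the .com/.net/.org names handled here."""
    return ".".join(domain.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, so 'fedeex' (one inserted letter) still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalike(domain):
    """Slide a window over the hostname's letters (TLD dropped) looking for
    anything within one edit of the brand, e.g. 'fedeex' or 'fedex-tracking'."""
    letters = re.sub(r"[^a-z]", "", ".".join(domain.split(".")[:-1]))
    for width in (len(BRAND) - 1, len(BRAND), len(BRAND) + 1):
        for i in range(len(letters) - width + 1):
            if edit_distance(letters[i:i + width], BRAND) <= 1:
                return True
    return False

def classify(indicator):
    """Order matters: the real brand first, then the specific campaign, then lookalikes."""
    domain = refang(indicator)
    if registrable(domain) in LEGIT:
        return "legitimate"
    if CAMPAIGN_RE.match(domain):
        return "campaign-pattern"
    if brand_lookalike(domain):
        return "brand-lookalike"
    return "unrelated"

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:28} -> {classify(d)}")
```

Running it over a newly-registered-domains feed instead of the sample list gives a cheap daily watch for the next batch; the one-edit window is deliberately loose, so review matches before blocking.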

Now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.

If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.


26 thoughts on “‘Tis the Season for the Wayward Package Phish”

  1. Werthers Originals

    “While every fiber of my being hopes that most people would freak out at this page and go away, scams like these would hardly exist if they didn’t work at least some of the time.”

    Elderly family members and friends. Every single time it’s a gamble, will they or won’t they.

    Reply
    1. Gannon (J) Dick

I’m not positive the “if they didn’t work they wouldn’t exist” was ever a truth cast in stone. (Sorry Krebs). The Spam Industry was born vertically integrated. “Third Party Suppliers”, to the extent they were necessary, had to be paid COD to deliver the con to consumers. The best business plans were DIY to the greatest extent possible. Nobody liked my theory way back when either, but there is new evidence: Facebook discontinued their Facial Recognition Technology yesterday. This was wise for two reasons: 1) it was proven stolen goods, and 2) a fence’s accounting department tends to save incriminating metadata without regard to fallout.

I got the same phish as LOUIS MORTON. I live nearby. No biggie, however a mob of 30+ nieces, nephews and greats have been informed that they are getting Toilet Paper for Christmas. It’s in short supply you know!

      At least if I have to flee to my prepper compound in New Zealand I’ll be doing it for all the right reasons.

      Reply
  2. Larry

    This “elderly” stamp is a media myth. As an “elder”, I have coached many clueless youngsters on this issue. When they get scammed, nobody feels sorry for them and they don’t make good media stories either. So we never hear about them.

    Reply
    1. Etienne

      As a fellow elder with similar experiences, I must applaud your comment. We’re not all clueless technophobes, but the media seems to think that a clueless technophobe millennial simply doesn’t exist. I know my fair share of those.

      Reply
      1. Major Generalization

        FTR nobody said “all people of age are clueless technophobes”
        Was not said, was not implied, but elderly people have the benefit/liability combo
        of not growing up with web3.0 right in their face making them pay attention,
        didn’t have the potential liability of a life-altering event from reading their mail, etc.

        It’s not a put down of those savvy fractions of their generation that “understand”
        these threats and take appropriate action every time, it’s a mention that there’s actually
        a VERY LARGE GROUP of such people in this country who have email and aren’t careful,
        and the group I mentioned was related to my own experiences. I could be wrong, am I?
        The folks in my example use online banking and whatnot, but yet are not “careful” really.
        If that’s not you, it was not descriptive of you nor was I trying to drag an entire generation.
        It is a threat and AFAIK it’s increasingly a problem, and targeted.

        https://www.aspentechpolicyhub.org/project/protecting-older-users-online/
        https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/elder-fraud

        If you’re tech savvy, kudos. Most people are not of all cohorts. Some are larger.
        That is all. It’s not a societal debate on whether older folks deserve respect, fair?

        Reply
    2. JamminJ

      No, it’s not such an absolute. Some people get the impression that “all” elderly are susceptible. And some people also get the impression that “all” media are pushing this absolute narrative.

      Of course the reality is more nuanced. If you actually look, very few if any media articles written claim that the elderly are “all” technophobes. Rather it’s a stereotype that persists and is reinforced by the very act of being “outraged” that the elderly are being labeled.

      The truth is not so absolute nor extreme. And as usual, stereotypes do exist for a reason.
      The elderly ARE targeted more often. For various strategic reasons. It’s simple statistics that technophobes are more likely to be much older than the rest of the population. Not “all”. But “most” is a reasonable claim.

      Reply
    3. Carl Kreider

Clearly, not all “elderly” people are susceptible to scams, but I have a friend who certainly is. And his wife. In fact, I’m the only one I know in our 70s who is knowledgeable, so you should not be too offended by the “elderly” stamp.

      Reply
  3. Bill Clayton

Wouldn’t it be nice for FedEx to do some public service announcements every year that they post undeliverable notices on your door?

    Reply
  4. VoiceOfReason

    One step further: According to ARIN, 23.92.29(dot)42 is owned by Linode Cloud Computing. They are a hosting company located in Philadelphia, PA. I’m wondering what their legal department thinks of all this…?

    Reply
  5. The Sunshine State (For god sake stop raining !)

    The use of “social engineering” is a very powerful thing on naive people.

    Reply
    1. JamminJ

      And even smart people, technically capable, who are vigilant against scammers… Can become victims, if the social engineering is good enough.
      Jim Browning, a world famous scam baiter, became a victim recently.

      Reply
      1. shya labouf says just Do it

all hacks are based on real life con artist scams
think shell card games, smoke and mirrors magic tricks,
now apply that to tech and b hat hackers have a large bag of tricks to create their
new payload and delivery systems.

the best advice i would give to any grasshoppers, padawans or potential
siths – good luck – cuz it all leaves a digital trail, cya every day…

        Reply
  6. Dave Horsfall

    I block Linode outright as they are riddled with compromised Windoze boxes (as if there’s any other sort) and whitelist the few people dumb enough to use them with whom I need to correspond.

    Reply
  7. Gary

Linode is a VPS (Virtual Private Server) provider. I doubt there are Windows servers on it since they don’t officially provide the OS.

    https://www.linode.com/community/questions/17248/can-i-spin-up-a-windows-server-linode

Like any VPS, the plan is you give them money and they provide an operating system (versions of Linux) and IP space. Until someone complains about the IP address to Linode, nothing will happen. When you are charging $5 for such a service, it isn’t like you have the resources to employ a human to investigate each user.

A home user should never block VPS domain space. There are many legitimate users of Linode, Digital Ocean, Vultr, AWS, etc. On the other hand, if you run a website or email, you should block all VPS and hosting companies from the browser ports and all email ports other than 25. I accept email from any IP that has a reverse pointer with the exception of those who match a regex for dynamic reverse pointer services.

    Reply
    1. Dave Horsfall

      I think you just contradicted yourself. And last I looked not only do they provide Windoze (and had patched it against that firmware attack earlier on) but also offer FreeBSD (a real OS).

      Reply
  8. Sunman42

    It’s at times like this that I celebrate not celebrating Christmas in any way. Makes it really easy to spot the scams.

    Reply
  9. Chris Johnston

First go to Google. When I want to go to FedEx, my bank, credit union, etcetera, first I go to a major search engine and then search for the site.
This helps me avoid typo-squatters and phony web sites.

    Reply
    1. Quid

      @Chris Johnson
      That method usually works, but beware of search engine poisoning (SEP) aka search engine optimization poisoning (SEO poisoning).
      To ensure you are not being spoofed or your data intercepted, go to: https://www.grc.com/fingerprints.htm
Read the article to understand the purpose. Then once you have confirmed that the website’s fingerprint shown in your browser matches the intended site’s fingerprint shown on the GRC website, you can be sure that at least you are not being intercepted by your employer, proxy server, or VPN. Then bookmark/favorite the site.
      Each browser is different on finding the fingerprint. The instructions on the Chrome/Edge Chromium browsers are not current, which now requires pushing F12, open DevTools and going to “Security” in the menu, then “View certificate”.
      The instructions are still good for Brave & Opera.

The GRC site doesn’t necessarily guarantee you are not on a very realistic-looking fake site that has a matching fingerprint in both places. A “Let’s Encrypt” certificate that is a few days old is a sign of potential fraud. You can check that on whois.domaintools.com

      HTH
      Quid

      Reply
    2. Moike

A bookmark is more reliable than Google – imagine that someone buys a prominent ad for a big brand name and directs it to their phishing site. Big names might detect this, but it could fly under the radar for a local chain or credit union.

      Reply
    3. miscer

      That helps google track exactly wtf you do in your ENTIRE life and sell that..
      but I guess if I were just too lazy to type out a domain that’d be useful? :{P
      Trusting any search as 1-stop security advice is just a funny concept to me.
      Whatever… works..

      Reply
  10. Mathe Nachhilfe Solingen

The best way to be secure is to install a good antivirus app on your phone.
It will block viruses, will block spam SMS and will even block these scam websites.

I have installed a free antivirus on my grandmother’s smartphone, so that she will not become a victim of a scam.

    Reply
