A new phishing campaign disguised as package notification is on the rampage. Initially discovered in Denmark, the malicious venture notifies users that they are expecting a package delivery. The phishing attempt came to light when a Denmark cell user received the following SMS : The message reads: “We were unable to deliver your package DK-XXXXXX as it had been shipped with too little postage. Pay the shipping fee now to have your package delivered.” Right beneath the message, is a link called ht7.biz (domain sanitized by Heimdal Security) that presumably redirects the user to the package center. However, right before the browser lands on the package center’s search page, it’s being routed via another domain, called ai6.net (domain sanitized and blocked by Heimdal Security), before calling pakketinfo.paketexclusivo.com website. The link takes the user to a package search page (see the picture below)
At this point, the user is required to search for the package’s number. The text above reads: “Quick and easy. Write your parcel number below. Search after shipping ID, address, postcode, etc.” Once the user writes down the parcel number flagged down in the SMS and presses the “Search” button, he will be redirected to the following screen :
The message reads: “Your package is on its way. Status: not sent from the Distribution Center – stopped in X post office, failing payment of 20 Danish crowns ($3). The package will be shipped when the fee is paid.” Motivated to pay the remaining postage fees, the user will press the “BETAL NU” (Pay now) button. Once again, the browser redirects the user to another website – dk.price-live.com (domain sanitized and blocked by Heimdal Security). Price Live’s payment processing page was specifically engineered to mimic a legitimate page. Notice in the picture below the credentials included to reinforce the illusion: Norton secured badge, SSL encryption certificate, PCI compliance, Verified by Visa, and MasterCard SecureCode and supported payment methods such as Visa, Visa Electron, MasterCard, Maestro.
In essence, the phishing campaign works like this: having received an SMS on the phone, the user clicks on the appended link to verify the status of the package. A brief search reveals that the delivery has been denied on account of insufficient postage. The user is then redirected to another website where he can post the due fee.
Domain forensics reveal that Price Live was created on the 10th of December 2019 in the UK, under TUCOWS, INC. Tucows Domains Inc. It has two CloudFlare name servers, both of them calling out approximately 21 million domains. IP address analysis points to Fasthosts Internet Limited as being the ISP. The subsequent IP change history reveals that there have been 10 changes on 10 unique addresses during the last 5 years. Registrar’s current status: client transfer and update have both been prohibited. Furthermore, the registrant has been listed as REDACTED FOR PRIVACY.