Waiting for a package? Don't click this phony UPS email

The rear gate of a UPS truck during a delivery run on a Chicago city street.
(Image credit: Jonathan Weiss/Shutterstock)

A clever crook has been dropping malware on unsuspecting victims who get tricked into clicking a legitimate-looking UPS tracking-number link that leads to the real UPS.com website.

Normally, you can avoid phishing and malware scams by checking the URL, or web address, of the site they take you to. It's usually a dead giveaway when the URL and purported site don't match.

But in this case, reports Twitter user Daniel Gallagher via Bleeping Computer, the victim lands on the real UPS website, and hence may be more inclined to trust the malicious Word document that gets downloaded as the tracking-number page is opened. 

Reader Offer: Save 68% on Aura identity theft protection

Reader Offer: Save 68% on Aura identity theft protection
Aura provides everything you need to protect your identity, data and devices online with malware protection, a password manager and a VPN all included. Tom's Guide readers can save up to 68% when they sign up.

Preferred partner (What does this mean?)

That Word doc itself is deliberately unreadable until the reader clicks "Enable Content", which downloads yet more files. 

Gallagher called this "one of the best phishing emails I have seen in a long time."

UPS.com has since fixed the particular flaw that permitted the crook to inject malicious code right into the company website, and most of the best antivirus software detects the malicious Word doc. But it won't be the last time this method is used in phishing and "malspam" (malicious spam) campaigns.

How the phish works — and how to avoid it

The deception begins with a convincing-looking email message notifying you that "your package has experienced an exception," defined as "when a package or shipment encounters an unforeseen event." 

You are invited to "download and print out the invoice to pick up the package at the UPS Store" or to click the tracking-number link.

The only tip-off that this is bogus is the address of the email sender, which includes "unitedparcelservice" but has a different dot-com name. However, it wouldn't be that difficult for the sender to "spoof" a legitimate UPS.com email address if they wanted to.

Normally, you can avoid email-based phishing scams by hovering your mouse cursor over the link in the body of the message. That will display the destination URL at the bottom of your screen. 

But in this case, you'll see a real UPS.com web address when you hover over the tracking number or the invoice link. Click on either, and you land on a page on the UPS website telling you that "Your download will start shortly." 

The crook has exploited a cross-site scripting (XSS) flaw in the UPS site to add their own code, which reaches out to another website to fetch and deliver a Word document to the site visitor.

Malicious macro

Here's where this scheme becomes more of a regular phishing/malspam scam, and where it's easiest to avoid.

Open that Word doc, and the text will be so blurry that you won't be able to read it. Microsoft Word will tell you that macros — small scripts that can run in Office files — have been disabled, but the Word file tells you to "Enable Content" to see the text.

Needless to say, you should never Enable Content on some random Word, Excel or PowerPoint document downloaded from the internet.

But if you do, a macro in the Word doc downloads a possibly malicious .png image. Unfortunately, by the time Bleeping Computer was able to repeat the process, the image was no longer available, so we can't be exactly sure what it contained. 

Given the amount of deception and misdirection that it took to get to this point, it's a fair bet that the image was nothing good.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.