
Middle East users deceived by cybercriminals who mimic post services

Attackers have been spotted employing over 30 brands of post services and relevant delivery organisations from over 20 countries worldwide.


Group-IB has identified a widescale phishing campaign targeting users in the Middle East by impersonating postal services from Bahrain, Egypt, Kuwait, Qatar, Saudi Arabia, Israel, Jordan, and the United Arab Emirates. Since as early as 2020, the Group-IB Computer Emergency Response Team (CERT-GIB) analysts have detected over 270 domains making use of the regional delivery and postal service brands. All the domains were part of a single massive phishing infrastructure. CERT-GIB has sent notifications to relevant regional Computer Emergency Response Teams.

Phishing schemes built around parcel delivery have become one of the highest-ROI activities for fraudsters. Globally, CERT-GIB identified more than 400 domains impersonating postal brands as part of this phishing campaign, with more than half of them (276) aimed at users in the Middle East. Attackers have been seen using over 30 brands of postal services and related delivery organisations from over 20 countries worldwide to target their victims. In the Middle East specifically, scammers have impersonated over 13 different delivery brands, postal operators and public companies from at least eight different countries in the GCC.

Using its patented Network Graph Analysis tool, Group-IB researchers were able to uncover the links between the infrastructures used for attacks in the Middle East.

Most of the 276 websites identified were inactive at the time of the analysis. These domains are short-lived by design, to complicate detection, and new websites are regularly created to replace them. According to Group-IB, the latest resource impersonating a Middle Eastern postal brand appeared on July 14, 2022.
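As an added illustration of how a defender might triage a feed of newly observed domains for this kind of postal-brand lure (example code written for this article, not Group-IB's tooling), the rule below combines three signals the campaign description gives: brand wording outside the brand's own domains, fee/customs lure words, and very recent registration. Brand keywords, allowlist, sample domains (all under .example) and first-seen dates are constructed placeholders.

```python
"""Triage rule for postal-brand lookalike domains (illustrative, constructed data)."""
from datetime import date
import re

# Constructed: wording a regional postal brand's legitimate domains use.
BRAND_KEYWORDS = ("post", "posta", "bareed")
# Constructed: the brand's genuinely owned registrable domains.
ALLOWLIST = {"post.example", "bareed.example"}
# Lure words typical of the delivery / customs-fee pretext the campaign uses.
LURE_WORDS = {"fee", "customs", "delivery", "track", "payment", "parcel", "clearance"}
MAX_AGE_DAYS = 30  # campaign domains are short-lived, so recent registration is a signal

def registrable(domain):
    """Naive eTLD+1 (last two labels); adequate for the constructed .example feed."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def assess(domain, first_seen, today=date(2022, 7, 15)):
    """Return the reasons a domain looks like a postal-brand lure; empty list = benign."""
    d = domain.lower()
    if registrable(d) in ALLOWLIST:
        return []  # the brand's own hosts never trigger
    reasons = []
    if any(k in d for k in BRAND_KEYWORDS):
        reasons.append("brand keyword outside allowlisted domain")
    lures = [t for t in re.split(r"[.\-_]", d) if t in LURE_WORDS]
    if lures:
        reasons.append("lure word: " + ",".join(lures))
    if (today - first_seen).days <= MAX_AGE_DAYS:
        reasons.append("registered within %d days" % MAX_AGE_DAYS)
    # A brand keyword alone on an old domain is not enough; require corroboration.
    return reasons if len(reasons) >= 2 else []

# Constructed sample feed: (domain, first-seen date)
SAMPLE_FEED = [
    ("post.example", date(2010, 1, 1)),
    ("track.post.example", date(2012, 3, 3)),
    ("post-customs-fee.example", date(2022, 7, 14)),
    ("bareed-delivery-payment.example", date(2022, 6, 30)),
    ("weather-post.example", date(2015, 5, 5)),
]

def triage(feed):
    """Map each flagged domain in the feed to its reasons."""
    return {dom: assess(dom, seen) for dom, seen in feed if assess(dom, seen)}

if __name__ == "__main__":
    for dom, why in triage(SAMPLE_FEED).items():
        print(dom, "->", "; ".join(why))
```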

Customers awaiting an order may receive an email or an SMS from the national postal service requesting payment for a delivery or customs clearance fee. Following the link from the message, customers are redirected to a phishing page that requests their bank card details in order to process the payment. As soon as the customer submits the form, the sum of the “fee” is deducted from their bank account and transferred to cybercriminals, along with their bank card details.

Additionally, these phishing templates are thoroughly localised: a user in the UAE would see their local postal brand and currency.

In addition to being highly targeted, these scams use a method to bypass OTP verification through a technique called ‘Man-in-the-Middle’. With this technique, the payment card data a victim enters on the phishing website is inserted, manually or automatically, by the scammer into the real website to initiate a transaction. The victim then enters the OTP on the phishing page, which means the alleged fee ends up transferred to the cybercriminals’ bank account instead.