MailGuard has intercepted a phishing email impersonating Aramex, the multinational logistics and package delivery company.
Using a display name of ‘Aramex’, the email is titled ‘Package was not delivered’, along with the name of the recipient. Addressing recipients directly, the email claims that their package is ready to be shipped but that certain information required to complete the delivery is missing. Recipients are directed to click on a provided link in order to provide the missing information. While the email contains the company’s logo and branding, it contains several spacing and formatting errors that point to its illegitimacy. The email actually originates from a server hosted by Digital Ocean, with a domain registered pretty recently on Namecheap, a domain name registrar and hosting company.
Here’s what the email looks like:
Unsuspecting recipients who click on the link are led to a Google Firebase link, which automatically redirects to a second intermediary page. This page is designed to look like one belonging to Aramex, complete with the company’s logo and branding. However, the domain used in the page’s URL does not belong to Aramex – a red flag pointing to its illegitimacy. We found that while this page was also registered with Namecheap, it appears to use hosting across a few different smaller hosting platforms – a technique most likely employed in case one of the companies receives an abuse report and takes the page down.
The page contains several details about the package in question, including sender details and the package’s weight, height etc. Users are informed once again that to complete the delivery of this package, they are required to provide some missing information. Another link is provided for them to do so, titled ‘Pay Fee’.
Here’s what it looks like:
After clicking on the button to ‘Pay Fee’, users are led to a registration page which asks for an email address and password. They are then led to a similar page that asks users to enter their address and credit card details. Here are screenshots of these pages:
Once again, the domains used in the URLs of these pages do not belong to Aramex. These are phishing pages designed to harvest users’ confidential information. They are registered with GoDaddy and are hosted with Cloudflare. After users finish entering their shipping and payment details, they are led to warning pages telling them their credit card has been declined. Users are then directed to try entering the details of another credit card, as per the below:
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to open these emails or click on the links in them.
Well-known companies such as Aramex are popular targets for scammers to impersonate because they are trusted names with large customer bases. With the recent spike in online shopping, triggered by the closure of many physical stores due to the COVID-19 pandemic, it is not uncommon to receive notifications related to package deliveries like these. At MailGuard, we regularly intercept parcel delivery scams like this one impersonating DHL, and this one involving Australia Post.
In this case, cybercriminals are preying on the curiosity of Aramex customers who may actually think a package has not been delivered because of some missing information. This motivates them to enter their confidential financial details without hesitating.
Here are some techniques that cybercriminals behind this scam have employed to trick users:
- The use of a display name like “Aramex” along with the mention of several package details (like its weight). These are common elements of notifications belonging to well-established organisations like Aramex, boosting the email’s credibility and helping to convince recipients that there is a legitimate package awaiting delivery,
- An alarming subject & body; informing recipients in an email titled “Your package could not be delivered” that their package is ready to be shipped creates a sense of curiosity and urgency, motivating users to take action immediately without checking on the email’s authenticity. The presence of the recipient’s name in the subject line helps to further convince users that this email isn’t a generic notification but is in fact directed to them, and
- The incorporation of Aramex’s logo in the email and in the phishing pages. This helps to enhance the email’s legitimacy, motivating users to think that those pages actually belong to Aramex.
To stay protected from scams like these, Aramex lists the following advice on its support page:
“Aramex does not, and will not request you to provide any personal or payment information through traditional mail or via email. Being aware and protecting your sensitive information is the best way to prevent fraud. If you receive a request for personal or payment information through these types of communications, please do not reply or cooperate with the sender and immediately report the case to Aramex Global Customer Care Center at (GlobalCareCenter@aramex.com).”
Another parcel delivery scam?
Fake parcel email scams are a favourite of cybercriminals. We all love getting something (aside from a bill) in the mail, and with online shopping more popular than ever, it’s sometimes hard to keep track of what parcels we’re expecting. The criminals behind this scam prey on people’s busy lives and curiosity.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from, and
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
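The display-name and landing-page checks described above can be automated at the mail gateway. The following is an added example, not MailGuard's detection code: it flags a message whose display name claims the brand while the sender address or any link host falls outside the brand's domain. The `aramex.com` domain is taken from the support address quoted above; the function names, sender and link hosts are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domain the brand really sends from.
BRAND_DOMAINS = {"aramex": "aramex.com"}

# Constructed sample message; sender and link hosts are placeholders.
SAMPLE = """\
From: Aramex <notify@sender.example>
To: user@recipient.example
Subject: Package was not delivered
Content-Type: text/plain

Your package is ready to be shipped but some information is missing.
Complete delivery: https://redirect.example/track?id=1
Support: https://www.aramex.com/help
"""

URL_HOST_RE = re.compile(r"https?://([^/\s:\"'>]+)", re.I)

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def brand_mismatches(raw):
    """Return (kind, host) pairs where a brand display name meets a foreign host."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    # Collect the text of every text/* part (plain or HTML).
    body = "".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )
    findings = []
    for brand, domain in BRAND_DOMAINS.items():
        if brand not in display.lower():
            continue  # the message does not claim to be this brand
        sender_host = addr.rpartition("@")[2]
        if not in_domain(sender_host, domain):
            findings.append(("sender", sender_host.lower()))
        for host in URL_HOST_RE.findall(body):
            if not in_domain(host, domain):
                findings.append(("link", host.lower()))
    return findings
```

The check inspects only the host written in the email, which is sufficient here because the first hop of this campaign was already outside Aramex's domain; later redirects are not followed.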
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.