Attackers impersonate Canada Post to Steal Sensitive Data and Payment Information
Scammers are impersonating Canada Post to send malicious links to victims. The goal is to collect sensitive personally identifiable information (PII) and steal payment cards.
The Canada Post phishing email looks convincing as it spoofs legitimate Canada post branding. The messaging even uses CAPTCHA codes and fake two-factor authentication to increase credibility. if the victim is fooled by the phishing email and follows the instructions sent to them in a series of steps the scammers steal their personal data, billing details, payment card numbers, and even the two-factor authentication (2FA) code sent to them.
Attacks like these are successful because people have turned to online shopping in increasing numbers due to the pandemic. With so many retail locations closed or operating with limited hours, scammers have more opportunities to take advantage of unsuspecting victims.
“This attack is made to look like a legitimate notification through the use of images and the inclusion of a security code. The malicious link is hidden behind the text “Please click here” and utilizes a SendGrid redirect link,” says the report from cyber security researchers at Abnormal Security/
The fake Canada Post email informs the target that their package won’t be delivered as expected and that they need to schedule another delivery attempt. The message instructs the reader to click on a link to schedule another delivery date. If the victim is tricked by the fake notification, they are taken through a few steps before their computer is compromised.
Canada Post Phishing Attack
- If the reader clicks on the link in the email, they are redirected to a password protected PDF file
- The PDF has information including a fake barcode and instructions to click on another link to schedule the new delivery date
- Clicking on this link pops up a CAPTCHA code to add credibility. The reader is informed that the CAPTCHA code is for their own information security and to guard against SPAM
- After the user types in the CAPTCHA code number in the pop-up window, taps the “confirm” button, they are redirected to a spoofed Canada Post account creation page
- The page prompts the user to enter in their email address, password, date of birth, and billing information
- Once the victim fills out the information, the form redirects them to an SMS text 2FA code
- Another pop-up form prompts the victim to enter their 2FA verification code so the scammers can steal that as well
What is Canada Post?
Canada Post is the primary postal service in Canada. It was originally known as Royal Mail Canada and is separated from the government.
What is phishing?
Phishing is a term that covers a type of cyberattack in which scammers attempt to collect (fish or phish) sensitive information from a victim. Phishing scams can use email campaigns, SMS Text (smishing), and even voice phone calls (vishing) to contact targets. The object of phishing is to steal usernames, passwords, bank account credentials, credit card numbers, online account logins, to corporate accounts, email credentials etc.
Social engineering is often used in combination with phishing to target a victim.
Malicious phishing emails circulate constantly. The messaging, targets, and the organizations the scammers impersonate changes. Since the start of the pandemic, healthcare and COVID-19 related messaging has been a favorite amongst fraudsters.
What to do if you get a suspicious email?
Be suspicious of any email or text that prompts you to click on a link or open an email attachment. Canada Post does not email people unless requested and does not send unsolicited emails requesting personal information. This phishing attack is crafted to evade SPAM detection filters.