Missing A Delivery

    12 February 2025

    By Samantha Clarke, Ankit Gupta, Hiwot Mendahun and Mimecast Threat Research team

    Key Points

    What you'll learn in this notification

    • Targeting Not for Profit and Housing sectors, predominantly in the UK
    • Distributed via Biglobe, with AWS S3 buckets hosting the HTML pages
    • The primary intent is to exfiltrate sensitive data

    Campaign Flow

    [Image: Missed-Delivery-Flow.jpg]

    Mimecast Threat Researchers have observed a phishing campaign that uses the lure of a missed package delivery to trick users into clicking malicious links, with the goal of stealing financial information. The campaign is being distributed via Biglobe, a Japanese telecommunications company frequently exploited by threat actors. The attackers capitalise on underground marketplaces such as fishersender[.]com to purchase compromised accounts, granting them legitimate access to Biglobe's infrastructure. This access enables them to send malicious emails that pass most email authentication checks, since the messages originate from the provider's own sending infrastructure.

    [Image: Missed-Delivery-1.png]

    The links found in this campaign point to legitimate Amazon Simple Storage Service (S3) URLs. Amazon S3 is a cloud storage service for storing, managing and retrieving objects such as HTML files. It is widely used to host static websites, and bucket contents can be made publicly readable. Threat actors abuse S3 buckets to host malicious files or pages, leveraging the service's reputation as a trusted domain to get past reputation-based security checks.

    In this campaign the S3 buckets store an HTML file designed to redirect the user to another malicious URL when accessed.

    [Image: Missed-Delivery-2.png]

    The file sets up a blank webpage (<body style="display: none">) that is hidden from the user to avoid suspicion and is not indexed by search engines.

    The JavaScript dynamically constructs the malicious URL by concatenating variables together, e.g. la = "emaili", muie = "ng.targ" and so on. By breaking the URL into parts and concatenating them at runtime, the script attempts to evade simple detection mechanisms based on keyword or string matching.
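    The following is an added triage script, not part of the original advisory or the campaign's own code. It statically checks a fetched HTML page for the two traits described above (a hidden body and a redirect target assembled from several string fragments) and reassembles the fragments so an analyst can see the destination without executing the JavaScript. The sample page and the placeholder destination redir-example.invalid are constructed for the example; the fragment names are assumptions and the evaluator only handles '+'-concatenation of quoted literals and previously assigned string variables.

```python
import re

# Constructed sample page modelled on the redirect HTML described above:
# hidden body plus a destination assembled from short string variables.
# The destination (redir-example.invalid) is a placeholder, not a real IoC.
SAMPLE_HTML = """<html><body style="display: none">
<script>
var la = "https://redir-";
var muie = "example";
var tail = ".invalid/parcel";
window.location.href = la + muie + tail;
</script></body></html>"""

# Constructed benign page: visible body, single literal redirect.
BENIGN_HTML = """<html><body>
<script>location.href = "https://docs.example.invalid/";</script>
</body></html>"""

# <body ... style="...display:none..."> -- page content hidden from the user
HIDDEN_BODY = re.compile(
    r'<body[^>]*style\s*=\s*["\'][^"\']*display\s*:\s*none', re.I)
# name = "literal";  (literals containing quotes are deliberately not handled)
STRING_ASSIGN = re.compile(
    r'(?:\b(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=\s*(["\'])([^"\']*)\2\s*;')
# assignments to window.location / location.href, captured up to the ';'
REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*([^;]+);', re.I)


def resolve_concat(expr, string_vars):
    """Evaluate a '+'-only expression of string literals and known variables.
    Returns (value, number_of_terms), or (None, 0) if any term is unknown."""
    pieces = []
    for term in (t.strip() for t in expr.split('+')):
        lit = re.fullmatch(r'(["\'])([^"\']*)\1', term)
        if lit:
            pieces.append(lit.group(2))
        elif term in string_vars:
            pieces.append(string_vars[term])
        else:
            return None, 0
    return ''.join(pieces), len(pieces)


def analyse(html):
    """Static triage of a fetched HTML page: is the body hidden, and is a
    redirect target assembled from multiple string fragments?"""
    hidden = bool(HIDDEN_BODY.search(html))
    string_vars = {name: value for name, _, value in STRING_ASSIGN.findall(html)}
    redirects = []
    for m in REDIRECT.finditer(html):
        url, terms = resolve_concat(m.group(1), string_vars)
        if url is not None:
            redirects.append((url, terms))
    return {
        'hidden_body': hidden,
        'redirects': redirects,
        # hidden page plus a redirect built from two or more fragments
        # matches the pattern seen in this campaign
        'suspicious': hidden and any(terms >= 2 for _, terms in redirects),
    }


if __name__ == '__main__':
    for label, page in (('sample', SAMPLE_HTML), ('benign', BENIGN_HTML)):
        print(label, analyse(page))
```

    The reassembled URL is what should be submitted to URL reputation and blocklists, since the page itself never contains the destination as a single string. Pages that build the target with anything other than plain '+' concatenation (array joins, character-code tables, decoding functions) will come back with no resolved redirect and need dynamic analysis in a sandboxed browser instead.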

    [Image: Missed-Delivery-3.png]

    Once redirected, the user is presented with a well-structured phishing page that asks only for their postcode. After the postcode is entered, the user is redirected to a further page requesting financial details, supposedly to complete the delivery; these details are then stolen.
     
    The campaign activity shows significant spikes in malicious hits, particularly during late August and early September, with continued sporadic activity into October.

    [Image: Missed-Delivery-4.png]

    Tactics, Techniques and Procedures:

    T1598.002 - Phishing for Information
    T1583.001 - Acquire Infrastructure: Domains
    T1584.004 - Compromise Infrastructure: Trusted Relationship
    T1204.001 - User Execution: Malicious Link
    T1586.002 - Compromise Accounts: Email Accounts
    T1041 - Exfiltration Over C2 Channel

    Mimecast Protection  

    We have identified several attributes in the campaigns which have been added to our detection capabilities. 

    Targeting:  

    UK, Predominantly Not for Profit and Housing sectors  

    IOCs:

    URLs

    hxxps://s3.amazonaws[.]com/a1zx6ttriopl/parcel.html
    hxxps://s3.amazonaws[.]com/hfdfbdf8/2/envi7.htm
    hxxps://s3.amazonaws[.]com/effdafab/9/reschedule4.htm
    hxxps://s3.amazonaws[.]com/a16130f3d/3/schedule0.htm
    hxxps://s3.amazonaws[.]com/oginokazunori/input.html
    hxxps://s3.amazonaws[.]com/e959ec93/4/envi4.htm
    hxxps://s3.amazonaws[.]com/isoebstao/hermes.html
    hxxps://s3.amazonaws[.]com/ceciliacha/courier.html

    Recommendations  

    • Ensure a URL Protect policy is in place to protect the organization.
    • Search your URL Protect logs to determine whether any of the abused services have been accessed by your users.
    • Educate end users about the continued trend of legitimate services being abused in malicious campaigns.
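    As an added example of the log search in the second recommendation (not code from the advisory or from any Mimecast product), the script below refangs the IoC URLs listed above and checks them against URL-log lines. It also flags any path-style S3 URL that serves an .htm/.html object, which is the hosting pattern this campaign used, as a lower-confidence item for review. The key=value log format and all log lines are constructed for the example; only two of the IoC entries are taken from the list above and the pattern match is a review queue, not a verdict.

```python
import re

# IoC URLs in the defanged form used above (two entries taken from the list).
DEFANGED_IOCS = [
    "hxxps://s3.amazonaws[.]com/a1zx6ttriopl/parcel.html",
    "hxxps://s3.amazonaws[.]com/isoebstao/hermes.html",
]

# Constructed sample URL-log lines; the key=value layout is an assumption,
# not any particular product's log schema.
SAMPLE_LOG = """2025-02-10T09:14:02Z user=alice url=https://s3.amazonaws.com/a1zx6ttriopl/parcel.html action=allow
2025-02-10T09:15:40Z user=bob url=https://docs.example.invalid/index.html action=allow
2025-02-10T10:02:11Z user=carol url=https://s3.amazonaws.com/isoebstao/hermes.html action=block
2025-02-10T10:03:55Z user=dave url=https://s3.amazonaws.com/somebucket/report.pdf action=allow
2025-02-10T10:07:19Z user=eve url=https://s3.amazonaws.com/otherbucket/3/envi.htm action=allow"""

# Path-style S3 URL serving an .htm/.html object: the hosting pattern used by
# this campaign. Benign static sites match too, so this is only a review hint.
S3_HTML_PATTERN = re.compile(r'^https?://s3\.amazonaws\.com/[^/?#]+/.+\.html?$', re.I)


def refang(ioc):
    """Turn a defanged indicator (hxxps, [.]) back into a matchable URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def find_hits(log_text, defanged_iocs):
    """Return (user, url, reason) for each line whose URL matches an IoC
    exactly ('ioc') or the campaign's S3 hosting pattern ('pattern')."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        url_m = re.search(r'\burl=(\S+)', line)
        if not url_m:
            continue
        url = url_m.group(1)
        user_m = re.search(r'\buser=(\S+)', line)
        user = user_m.group(1) if user_m else None
        if url in iocs:
            hits.append((user, url, 'ioc'))
        elif S3_HTML_PATTERN.match(url):
            hits.append((user, url, 'pattern'))
    return hits


if __name__ == '__main__':
    for user, url, reason in find_hits(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{reason:8} {user:8} {url}")
```

    An 'ioc' hit with action=allow is the case to prioritise: the user reached the redirect page, so the follow-on phishing domain (reassembled from the page's JavaScript) should be checked in the same logs next. Virtual-hosted-style S3 URLs (bucket.s3.amazonaws.com) are not covered by the pattern above because the campaign used path-style links only; extend the regex if your environment sees both.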