If you’re sitting at home right now, sheltering from the coronavirus pandemic – and there’s a good chance you are – then you are probably either thinking about a home delivery, or waiting for one. Paul Ducklin, Principal Research Scientist at Sophos, warns on how scammers are targeting home deliveries.
In the UK, for example, even people who have no symptoms of the virus, and who haven’t been in contact with anyone who’s infected, have been instructed to make their shopping outings “as infrequent as possible”.
Indeed, many stores considered non-essential have been forced to shut, including electronics shops, so the new HDMI cable or the replacement mouse you need for working from home may only be available online.
So, with home delivery companies seriously stretched and long shipment times, we suspect that lots of people will be anxiously watching their phones for text messages like this one:
The URL in this case was a short domain name with a brief coded sequence of letters and numbers at the end – pretty usual for links in text messages, which are typically shortened to fit in the limited length of an SMS.
And given that no one wants to see their lovingly awaited shipment of toilet rolls go astray at the very last step of the way for something as minor as an address glitch, it’s tempting to click through to check what’s going on.
As you can see, the site has a reassuring HTTPS padlock, meaning that transmission to and from the site is secure, but the site itself is just a visual ripoff of the Canada Post/Postes Canada brand (this SMS was received by SophosLabs in Vancouver, BC): In case you are wondering about that HTTPS certificate, here’s what it looks like – we used Firefox on our laptop, where clicking on the padlock in the address bar makes it easy to inspect the details:
The server is running on the popular cPanel web hosting service, which provides a web certificate automatically (that’s a good thing, because unencrypted web traffic can be snooped on and tampered with far too easily).
Highlighted above is the fact that the certificate was created on 2020-03-24, the very same day that this scam campaign went out. Anyway, your delivery is held up by a mere US $3 shortfall, which is the sort of amount you’d probably consider paying anyway and arguing about later, if the alternative is to lose your delivery slot.
If you do proceed, then the crooks first want you to confirm your address, as stated in the original SMS message and then they want to “process” your $3 payment by capturing your credit card details to complete the transaction:
What to do?
- Don’t be fooled just because you’re expecting a delivery.The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
- Treat delivery SMSes as notifications instead of links.It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
- Check the URL in the address bar.These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
- Use a third-party security product on your phone.Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
- Report compromised cards immediately.If you get as far entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
P.S. Don’t forget that just typing data into a web form exposes it to crooks because they can “Keylog” what you type into a webpage even if you never press the [Finish] button.
Write to us firstname.lastname@example.org