Phishers have been defrauding customers after UPS leaked their details. The result was some convincing SMS messages that contained the private info.
Looks like a bug allowed a bad actor to manipulate URLs and extract data by brute force. Devs should avoid consecutive object references and add entropy.
Ops should detect brute force attacks and shut ’em down or tarpit them. In this week’s Secure Software Blogwatch, we ask what Brown can do for us?
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: What if light was really slow?
UPS SMS oops
What’s the craic? Sergiu Gatlan reports — “UPS discloses data breach”:
Shipping company UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools. … UPS found that the attackers behind this ongoing SMS phishing campaign were using its package look-up tools to access … recipients' personal contact information, between February 2022 and April 2023.
UPS customers worldwide have been affected by these phishing attacks, as shown by online reports showing the threat actors using their names, phone numbers, … postal codes [and] info on recent orders. … The company has now implemented measures designed to restrict access to this sensitive data.
UPS Canada … shared the following statement after the article was published: “We are constantly vigilant when it comes to phishing and other attempts from bad actors. … UPS has been working … to understand how that fraud was being perpetrated, … to identify the cause of this scheme, and to put a stop to it. … Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada.”
16 months ago? Brian Krebs cycles in — “SMS Phishers Harvested Phone Numbers, Shipment Data from UPS”:
“Being coy about what it knows”
As early as April 2022, [I] began receiving tips from Canadian readers who were puzzling over why they’d just received one of … these shipping fee scam messages … that referenced information from a recent order they’d legitimately placed. … The inclusion of big-name brands in the domains of these UPS smishing campaigns suggests the perpetrators had the ability to focus their lookups on UPS customers who had recently ordered items from specific companies.
Alex, the CEO of a technology company in Canada who asked to leave his last name out of this story … said he believes UPS Canada either doesn’t fully understand what happened yet, or it is being coy about what it knows. [He] said it’s likely that whoever is responsible figured out how to query the UPS Canada website for only pending orders from specific brands, perhaps by exploiting some type of … API that UPS Canada … made available to its biggest retail partners.
Meh. Smishing. So what? Scott Ikeda explains why Dev and Ops should care — “Stolen Customer Information Was Abused”:
“Tied to specific brands”
At this point, most people have likely seen an SMS phishing attempt sent under the guise of a package delivery notification. Most of the time, these messages contain a made-up tracking number. … The attack is greatly enhanced if the hacker has access to tracking information for an actual package that is en route, however.
Their approach was to demand money from the recipient in order to keep the delivery moving forward, usually asking for a small fee in the range of $1.50 or so. The incidents appeared to be tied to specific brands such as Apple, LEGO and Nike. … UPS also believes the data breach only impacts a “small group” of shippers and “some of” their customers.
How do we know about the customer letter? From Brett Callow, who is not amused:
So UPS Canada sent me a letter about phishing and smishing. Turns out it wasn't simply intended to be educational: In the 4th paragraph, it became apparent that it was actually a data breach notification.
This is not what a data breach notification should look like. They should immediately make clear what they are or else people will do what I almost did and put them in the recycling unread.
You can see his point. And rkagerer agrees:
Talk about burying the lead! This is a deliberate and downright sleazy attempt to downplay the breach.
Blame Canada? herberttlbd says the problem is bigger:
Canada? This is happening in the US, too. Ordered a phone from Verizon and got a text on the morning of the delivery. It was obviously a fake but it indicated the package was coming from Verizon so I knew it wasn't random.
That it was coming in on a number that only UPS had made me suspect UPS was compromised. … Now I know.
But an insecure API? Is that likely? Peter has a better suggestion:
On the UPS website, there is a way to track packages without the tracking number. They call this feature “Track by Reference Number” and I believe this might be how scammers are getting people’s information.
The reference number for a shipment can be literally any number the shipper chooses. So if they use a sequential number … it would be relatively easy for scammers to deduce what the reference number might be for a particular company.
Just to add a bit of fuel to this theory, if you go to the “Track by Reference Number” section on UPS Canada’s website today it has a message at the top stating: “Upcoming Changes: Limiting the display of reference number tracking details for improved security. UPS is changing how the reference number tracking results are displayed to provide additional protection: Tracking details will be mostly masked with only basic reference number tracking details available.”
Ahhh, so it’s the old “manipulate the URL with sequential numbers” gag? Yikes. habosa isn’t surprised:
When I moved into my new apartment building I had a lot of deliveries, so I signed up for FedEx Delivery Manager. I put in my address but did not verify that I lived here.
When I loaded my account settings in the “delivery instructions” it said “garage code 12345”. So that’s how I learned the garage code to my own building. These delivery companies are shockingly loose with customer data, not surprised by this story.
Is this an isolated incident? Thelasko worries it might not be:
My UPS driver was telling me the other day that they outsourced a bunch of their software development … and that company has been screwing up bad. Lots of issues with the code.
To the point where the drivers can't trust the bar code scanners to provide the correct information anymore, and they have to verify everything manually. Package delivery is already organized chaos, but things have gotten much more chaotic at UPS recently.
Meanwhile, Wannabe techguy nitpicks the spokesdroid’s wording:
“Out of an abundance of caution” seems to be the standard phrase companies use when there is a problem — and makes me think they are hiding something. Maybe it’s just me.
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.
- Update your understanding: Buyer's Guide for Software Supply Chain Security
- Join the Webinar: Why you need to upgrade your AppSec for the new era
- See Webinar: State of Software Supply Chain Security Webinar
- See the Webinar: State of Software Supply Chain Security 2024
- See Gartner's guidance on managing software supply chain risk