Fraudsters have been exploiting the United Parcel Service (UPS) shipment tracking tool in Canada to gather personal information and send targeted SMS phishing messages, known as “smishing,” that impersonate UPS and other reputable brands. These fraudulent messages typically use recipients’ names, include details about recent orders, and urge them to pay an extra delivery fee to ensure their packages are shipped. UPS Canada has recently alerted its customers about these fraudulent text messages and stated that it is investigating the issue alongside its delivery partners to understand how the fraudsters obtained the information.
The company discovered that individuals who used the package look-up tool or searched for a specific package may have unknowingly provided access to more information, including recipients’ phone numbers. This sensitive information can be easily misused by third parties in phishing schemes like smishing. Consequently, UPS has taken steps to restrict access to this information. The company believes that the data exposure affected a small group of shippers and customers between February 1, 2022, and April 24, 2023.
Starting in April 2022, Canadian individuals began reporting that they had received smishing messages containing information from their recent online orders. One recipient named Dylan, who had ordered building blocks from Lego.com, received a message demanding a $1.55 delivery fee to release his Legos. The message included his name, phone number, and postal code. Dylan suspected that UPS might be leaking information about upcoming deliveries to scammers. Another person named Josh, who works for a company that ships products to Canada, also noticed that his customers were targeted with fraudulent UPS text messages after placing orders. The messages contained a link leading to a counterfeit payment collection page.
Further investigation into the domain used in the smishing messages revealed a connection to multiple smishing-related domains based in Russia. Domains such as upsdelivery[.]info, legodelivery[.]info, and crocscanadafee[.]info, among others, were found to share a common Internet host. These domains indicated that the fraudsters had the ability to target UPS customers who had recently ordered from specific well-known brands. The domains failed to load when accessed with a web browser. However, accessing them on a mobile device or through a virtual machine revealed the initial stages of the smishing attack. Users were prompted to solve a CAPTCHA and then asked to provide their personal information, including full name, date of birth, credit card number, address, email, and phone number.
Alex, CEO of a technology company in Canada, received smishing messages soon after ordering AirPods directly from Apple’s website. He found it peculiar that the messages not only referred to the orders but also included the names of the recipients he had specified for the gifts. Alex believes that UPS Canada may not fully understand the situation or is withholding information. He suspects that the fraudsters were able to query the UPS Canada website for pending orders from specific brands, possibly by exploiting an application programming interface (API) provided by UPS Canada to its major retail partners. He emphasized that the targeted smishing attacks occurred shortly after the orders were placed, indicating that the fraudsters may have been alerted to the existence of the orders.
UPS has not disclosed whether customers outside of Canada were affected by this scheme. The company is working with third-party experts, law enforcement, and its delivery partners to understand and stop the fraud. UPS is also sending notification letters to potentially impacted individuals in Canada as a precautionary measure. Brian Hughes, Director of Financial and Strategy Communications at UPS, stated that law enforcement has observed an increased number of smishing attacks, not specific to UPS, affecting various shippers and industries. UPS encourages its customers and the general public to visit the UPS Fight Fraud website to learn about ways to protect themselves against such attempts.