Holidays are over, but don’t let employees’ guard drop over fake shipping emails

The December holidays are over, but don’t expect phony malware-filled shipping emails to stop being sent to your employees.

In fact, researchers at Cofense say in a report released today, these phishing messages threaten several industries all year round and only increase slightly during holiday periods.

These are messages with subject lines such as “Important Shipment,” and “Invoice attached,” with messages claiming to be from well-known package handling firms — including DHL, Maersk, and FedEx — about invoices, air waybills (AWB), and bills of ladings (BoL).

The goal is to get an employee to download the supposed document — which is malware — or enter personal information.

The researchers did a three-year analysis, from 2021 to 2023, looking at phishing trends for this type of attack against several industries.

“Manufacturing stands out from the other industries as the most significant targeted industry in the three-year sample,” the analysis found.

“Despite the marginal increase during the holiday seasons, shipping-themed emails remain a consistent threat all year round, with significant volumes appearing in June, October, and November.”

After manufacturing, the top industries targeted were, in order, finance, insurance, metals and mining, and financial services.

The most common payload is the Agent Tesla keylogger, followed by FormBook, both of which are used for stealing data from infected computers. The third most common payload is malware that steals credentials.

The most popular delivery mechanism is Microsoft Office documents that try to exploit unpatched versions of the Office Equation Editor (CVE-2017-11882).

The second most popular way of delivering malware is through HTML files, through a technique called HTML smuggling, the report says. Infosec pros should note that usually this technique delivers credential phishing as attachments or via an infection URL embedded into the email. During the analysis it was seen that the total volume of HTML files and credential phishing were almost identical. This suggests that shipping-themed emails with credential phishing have a better chance of being delivered via an HTML file.

“Employees should always be prepared for when they receive a malicious email, whether personal or business, at any point in the year,” the report says. “Shipping-themed emails remain a significant year-round threat that may infect company assets and lead to more significant threats like ransomware if employees are not adequately trained.

“Practicing email security by detecting and reporting malicious emails all year round will decrease the likelihood of a malware infection or unauthorized access.”