Cybercriminals pose as postal services to target Middle East consumers

Messages sent from fake websites posing as postal service and delivery firms hit unwitting shoppers

Shoppers across the Middle East have been hit by a widespread phishing scam by cybercriminals who exploited a surge in online shopping.

More than 400 domains impersonated well-known delivery companies and postal services central to the online buying boom, including 276 intended to con users in the Middle East.

Sophisticated frauds were localised to add a veneer of authenticity, with one UAE user reporting the local postal brand and currency was used.

Cybercriminals also used a method to bypass One Time Password verification through a technique called “Man-in-the-Middle”.

With this technique, card data entered on the phishing website by a victim is manually or automatically inserted into the real website by the scammers to initiate a transaction.

When victim subsequently enters the One Time Password on the phishing page, the “fee” is instead transferred to the cybercriminals’ bank account.

In March, online shopping website dubizzle issued a warning to its customers to be on alert for fake messages from them as well as Emirates Post.

“Over the last few weeks, many scammers have been contacting advertisers on dubizzle with offers to deliver goods through Emirates Post,” the email said.

“Please beware of such messages and do not engage in any kind of transactions unless you already have the product in hand if you’re buying or have received the value of the product you’re selling.

“We do not engage with our users on WhatsApp with random numbers. If you receive such a message with a random number, block that number immediately and report it to us.”

The site encouraged users to safeguard themselves by using dubizzle Chat to hold conversations with prospective buyers and sellers.

Tips to stop fraudsters

• Users are advised to stay vigilant when clicking on links from emails or text messages, regardless of the sender.
• Users should only employ official websites to track their packages, which also include the contact details of customer support teams.
• Usually, legitimate delivery companies do not send payment requests by text message or email.
• Shortened URLs and long chains of redirects are red flags. Do not click on such links and do not enter sensitive information unless you are 100 per cent confident that the website you are dealing with is legitimate.
• Have a dedicated disposable virtual card with predetermined limits for safe online shopping so that, if it is compromised, the scammers will not be able to access your savings.

Scammers created sites imitating at least 13 delivery brands, postal operators and public companies from the UAE, Bahrain, Egypt, Israel, Jordan, Kuwait, Qatar and Saudi Arabia.

Details of the fraud were reported by Singapore-based cybersecurity experts Group-IB, which has a research centre in Dubai.

“In line with the responsible disclosure protocol, Group-IB always does its best to mitigate these threats,” the company said.

“In this case, Group-IB alerted the regional computer emergency response teams of the active phishing domains and continues to monitor the infrastructure for the appearance of new malicious resources exploiting the delivery theme.”

Details of the widespread fraud were revealed by Group-IB, with the latest fraudulent attempt reported as recently as July 14.

Last week, Sharjah Police said household names including Aramex and Emirates Post had been impersonated by hackers, sending customers links to bills via WhatsApp or text message for a small delivery charge of Dh10 ($2.70) and then stealing bank account or card details.

Customers prompted to pay customs fee or tax

Customers awaiting an order may receive an email or a text message from the national postal service requesting payment for a delivery or customs clearance fee.

Following the link from the message, customers are redirected to a phishing page that requests their bank card details to process the payment.

As soon as the customer submits the form, the sum of the “fee” was deducted from their bank account and transferred to cybercriminals, along with their bank card details.