
SMS Phishers Harvested Phone Numbers, Shipment Data From UPS Tracking Tool (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. "smishing") messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn't be shipped unless the customer paid an added delivery fee. In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.

"During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient's phone number," the letter reads. "Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information." The written notice goes on to say UPS believes the data exposure "affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023." [...]

In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it. "Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries," reads an email from Brian Hughes, director of financial and strategy communications at UPS. "Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted," Hughes said. "We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website."

  • by cstacy ( 534252 ) on Friday June 23, 2023 @09:15AM (#63626096)

    Just guessing: They totally left open some API intended for customer support, and someone discovered it.

    • If what the commenter is saying below is true, that UPS outsourced their software development to India, then someone didn't "discover" it, they were "told" about it.

  • My Driver Says (Score:5, Interesting)

    by Thelasko ( 1196535 ) on Friday June 23, 2023 @09:45AM (#63626174) Journal
    My UPS driver was telling me the other day that they outsourced a bunch of their software development to a company in India, and that company has been screwing up BAD. Lots of issues with the code. It's to the point where the drivers can't trust the bar code scanners to provide the correct information anymore, and they have to verify everything manually.

    Package delivery is already organized chaos, but things have gotten much more chaotic at UPS recently.
    • Hmmm ... outsource your software development to the scam capital of the world, get scammed soon after. Coincidence?

  • by LeadGeek ( 3018497 ) on Friday June 23, 2023 @09:53AM (#63626200)
    I really wish big business would outright stop their reckless trust in insecure archaic craptastic protocols. Banks seem hell-bent on using it too.
  • This is happening in the US, too. Ordered a phone from Verizon and got a text on the morning of the delivery. It was obviously a fake but it indicated the package was coming from Verizon so I knew it wasn't random. That it was coming in on a number that only UPS had made me suspect UPS was compromised so, with this, now I know.

  • This is a really compelling scam, except for one thing. The "delivery fees" the scammers are asking for are so much less than the brokerage and other fees UPS normally demands.

  • Since when? And can we fire whomever first proposed that term?
