Suspicious UPS scam SMS are suspicious

Recently I was expecting a package from UPS, shipped by a domestic seller. In the course of this delivery I got two scam SMS, the first just hours after an SMS from UPS about a pending delivery. Given how closely the text messages on my phone lined up with the actual delivery, I find it hard to believe this was a coincidence.

A short ~murder~ mystery story.

# What happened

  • On 21.03.2024 (Thursday) I received a legitimate SMS from UPSPkgInfo about an incoming package for the next day.
  • On 22.03.2024 (Friday), during the night, I received a scammy text message from a German phone number (???) stating that I should visit mijn-pakket.info to pick up the package. The website is a scam trying to convince people to pay non-existent customs fees. I decided to ignore the text message, but the delivery didn’t come that day, so I started to question my decision. Still, I wanted to be safe and decided to wait until the next week before doing anything.
  • On 24.03.2024 (Sunday) I received another text message, now from a Dutch 06 number, about pending customs. It tried to lure me to another scammy site, mijnpakketophalen.com. Again a scam site, trying to make me pay fake customs fees.
  • The actual UPS package arrived on 25.03.2024 (Monday). Of course I didn’t have any customs to pay.

The customs fees are of course a scam; they are the lure to get people to pay. For this package I knew there were no customs due, because it was shipped domestically.

# Scammy sites are scammy

Both domains referenced in the SMSes are scams. A quick search revealed several complaints on trust-rating websites, with some people explicitly warning about the ongoing scam.

A friend of mine pointed out the cool crt.sh service, which lets the fellow nerd see the timeline of TLS certificates issued for a domain, as recorded in Certificate Transparency logs. This tool reveals some nice insights about the domains:

Screenshot of the listed certificates from crt.sh of mijn-pakket.info

Screenshot of the listed certificates from crt.sh of mijnpakketophalen.com

Notice something?

Both sites are new and have practically no history. mijn-pakket.info was used at some point in 2020, then left abandoned for 4 years and only recently reactivated, on 2024-03-21, just days before I got the first SMS. This is highly suspicious and suggests the domain was revived for a specific scam campaign. The same holds for the other site.

And now for comparison, this is what a highly legitimate site (TM) looks like:

Screenshot of the listed certificates from crt.sh of www.feldspaten.org

This is my blog, because of course it is. It has a decent history of certificates, has been registered for a long(er) time and in general looks awesome :-)
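The crt.sh pattern above (a domain with no history, or one abandoned for years and then re-certified days before the SMS arrives, versus a site that renews on a steady schedule) can be turned into a repeatable check. The following is an added example written for this post, not code from the post or from crt.sh: it reads records in the shape of crt.sh's JSON export (`?output=json`, of which only `common_name` and `not_before` are used here), groups them per domain and flags the dormant-then-reactivated pattern relative to the date the message was received. The records are constructed, the scam-domain dates are invented to mimic what the screenshots showed, and the thresholds (365 days of dormancy, 7 days of freshness) are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed records in the shape of crt.sh's JSON export
# (https://crt.sh/?q=<domain>&output=json); only the two fields used here.
# The scam-domain dates are made up to mimic the pattern described in the post.
SAMPLE_RECORDS = json.dumps([
    {"common_name": "mijn-pakket.info", "not_before": "2020-04-02T08:00:00"},
    {"common_name": "mijn-pakket.info", "not_before": "2024-03-21T17:02:11"},
    {"common_name": "mijnpakketophalen.com", "not_before": "2024-03-23T11:30:00"},
] + [  # a healthy site renewing every ~90 days since 2022 (constructed)
    {"common_name": "www.feldspaten.org",
     "not_before": (datetime(2022, 1, 10) + timedelta(days=90 * i)).isoformat()}
    for i in range(9)
])


def cert_timeline(crt_json):
    """Group crt.sh records by common_name and return sorted not_before dates."""
    timeline = {}
    for rec in json.loads(crt_json):
        timeline.setdefault(rec["common_name"], []).append(
            datetime.fromisoformat(rec["not_before"]))
    return {name: sorted(dates) for name, dates in timeline.items()}


def assess(dates, received, dormant_days=365, fresh_days=7):
    """Flag the 'no history, or abandoned then reactivated right before the
    message' pattern: newest cert issued <= fresh_days before `received` AND
    either no earlier cert at all or a gap >= dormant_days before it."""
    dates = [d for d in dates if d <= received]      # ignore certs issued later
    if not dates:
        return {"first": None, "last": None, "gap_days": None, "suspicious": True}
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    last_gap = gaps[-1] if gaps else None            # None: single cert, no history
    fresh = (received - dates[-1]).days <= fresh_days
    dormant = last_gap is None or last_gap >= dormant_days
    return {"first": dates[0].date().isoformat(), "last": dates[-1].date().isoformat(),
            "gap_days": last_gap, "suspicious": fresh and dormant}


def assess_all(crt_json, received):
    """`received`: datetime or ISO string of when the SMS arrived."""
    if isinstance(received, str):
        received = datetime.fromisoformat(received)
    return {name: assess(dates, received) for name, dates in cert_timeline(crt_json).items()}
```

A healthy site that happens to renew its certificate right before the message is "fresh" but not "dormant", so it is not flagged; real crt.sh output also carries a `name_value` field with all SANs, which a production check would walk as well.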

# The time correspondence suggests a leak

I never got such scam SMS before. And the fact that I got two while I was waiting for a package is highly suspicious. The first SMS came only hours after the legitimate UPS SMS. While it is theoretically possible that I was just unlucky and received those scammy SMS by pure coincidence just hours after the notification about a pending package, I believe the likelihood is somewhere in the “winning the lottery twice in the same week” category. Possible, but actually no. This doesn’t happen.

So this leaves me with three possibilities for where the attackers could have obtained the information necessary to craft such an attack:

  1. My email was hacked
  2. The telephone provider was hacked
  3. UPS was hacked

After investigating, the first possibility appears unlikely to me, because the email correspondence with my seller does not contain enough information. My phone number is missing (though it could theoretically be found elsewhere, somewhere in my Sent folder or the like). But the timing of the delivery was completely unknown to the attacker: I never got any delivery information via email. The delivery timing was crucial for the first scam SMS, and this information could not have been obtained from my email account.

The second possibility is also feasible, but I find it hard to estimate its likelihood. I consider it possible but unlikely.

The third possibility is conceivable. UPS or an affiliate partner could leak their delivery information, thus enabling such scam campaigns. I believe such delivery information is a lucrative target, and there is no shortage of bad actors hungry for it. However, I’m not suggesting anything concrete; this is just a hypothesis. UPS surely invests a lot of resources in keeping their systems secure. I am not saying UPS has a security breach; I am saying that, given how close those scammy SMS were to an expected delivery, the attackers must have obtained delivery information somewhere. A possible UPS hack would be one conceivable option.

I am not pointing fingers, and this is definitely NOT a smoking gun. I’m just a random guy on the internet sharing his thoughts, and they can be completely wrong.

# What did I do

  • I reported the scammy sites to the provider and the CSIRT.
  • By the same evening, Firefox was already warning visitors about the ongoing scam on those sites.
  • I reached out to UPS on Monday and tried to tell them about this story. I’m still waiting for a response.

Contacting UPS is not easy. I used their bulky contact form, had to register an account, and could only write 500 characters. This was barely enough to tell them that I have reason to believe their system could be compromised and to invite them to contact me via email for more details. I’m still waiting for a reply.

Update: UPS didn’t react. I tried to reach out to them but didn’t hear back. I waited for more than a week and have now decided to publish this blog post.

Update 09.04.2024: I got an email from UPS’s fraud section stating that this is a legitimate communication. I assume that in the flood of daily mails they receive, they just looked at the first picture.