Hacker News new | past | comments | ask | show | jobs | submit login
SMS phishers harvested phone numbers, shipment data from UPS tracking tool (krebsonsecurity.com)
219 points by todsacerdoti 12 months ago | hide | past | favorite | 89 comments

I was sent one of these SMS today. I usually ignore but today I was in weird mood and started pulling apart the site. Stuff I found:

Google is the domain registrar. (reported)

Hotlinked to ups.com images, logos and css... Opportunity for some fun here UPS! (reported)

Uses hCaptcha on the landing page. (reported)

Nginx server with Plesk, and a plesk login page, no obvious stuff like ssh exposed, all latest versions, I'm not much of sec hacker so I didn't get very far. Started sending malformed and large requests to the credit card processing endpoint to see if I could break it, slowed it down a little, but then the captcha got blocked.

Of all of those hCaptcha was the first to respond and act, they've already banned the site's account within 5mins of my email... and this renders the site useless, so here's for hCaptcha! fighting fraud while the behemoths are slow and complicit... I know it's whackamole but it was a little bit of fun.

also FYI a lot of places dont place limits on the size of their POST requests or timeouts.

I have been able to send scammers 500MB+ POST requests just by making the password field password=888888888888888888888888888888 (etc til its 100s of MB of data).

Use a tool like OWASP ZAP or Burp Suite and you can easily slam a scammers website full of 500mb+ requests that will quickly fill up their log files and cheap VPS harddrive and eventually the website will get an hdd full msg or just go offline til they fix it.

Cheap and easy way to take their website offline to prevent more people from getting scammed.

I’m pretty sure this is a felony. I’m not against the spirit but want to warn others that you could get slapped.

If you use a password field can’t you reasonably argue that you want to actually have a really secure password? ;-)

I’m sick and tired of these 12b character limits on password complexity!

I'm sure it is, but a scammer or hacker committing a crime is most likely not going to report this. They would certainly get in trouble too.

To quote Nacho Varga: "I like ripping of thieves. They can't go to the cops. They have no recourse."

What exactly would the scammer/hacker say to the police/their lawyer? "Could you please help? I'm trying to scam innocent people out of their money, but some greyhat has filled up my server's logs with junk!"

Their ISP/host may report it.

How would the ISP know what data was sent over a https connection? The host may, but I doubt they care since the customer pays for the bandwidth.

Huge ingress traffic to a website which normally just serves stuff stands out from a pattern. Also, bad actors are often profitable customers of hosting companies and can ask/demand action without revealing themselves to a 3rd party.

It’s now a felony to send api calls? Give me a break

It's a crime to intentionally drive a car over someone. Legal systems vary across the world but I would imagine most of them account for mens rea.

So, crafting API calls to intentionally bring down a system most definitely can be a criminal offence.

Now if you're objection was to the use of felony as opposed to misdemeanor, then ignore whatever I said above.

The US unfortunately has intentionally vaguely written laws about misusing computer systems which can be interpreted to punish hackers and pentesters pretty harshly.

The CFAA is controversial because of how vague the statue is. It has no carveouts for vigilantes or "hack back", last I heard -- even though some in Congress were trying to push for "hack back" rights.

The DoJ is unlikely to prosecute a vigilante of scammers, but they have prosecuted others (eg. Aaron Swartz) who were doing a debatably morally upright actions while violating the letter of the law.

It’s a felony to mail people things? Not usually, but if you send them a pipe bomb it sure is.

This is an absurd analogy from where this began... I'm at most slowing down a server in Russia that is trying to defraud people, no one is getting hurt, and It's unlikely I'm costing them any money. Come back to reality.


> the US government murdered him

Clarification: he suicided while awaiting trial after the DoJ (and possibly MIT and the journal/publisher) threw the book at him in an effort to get him to plea out to a lesser felony.

If you issue a GET to a child porn website, that is a crime. Intent, action, and outcome are all considered in legal matters, much in the same way that using a gun to hunt often is legal while shooting someone is rarely legal. An action doesn't end where you conveniently want it.

Aaron Schwartz was doing some pretty blatant and cheeky piracy, and the AG either wanted to make an example out of him or coerce a plea, and he chose to end his life under such pressure. It's an abhorrent event, and deserves criticism, but embellishing and outright lying about the reality is doing him no favors.

The US government did not murder Aaron Schwartz. The story is tragic enough without misrepresenting his mistreatment by the government.

Vigorously prosecuted till death.

Even better if they use AWS or other service, and end up with a huge unexpected bill at the end of the month

You'd have to find a reflection bug that makes them send everything back. Data into AWS is free https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer "Data Transfer"

Eh, the malicious actor would typically be using a compromised or carded account.

Then the billing spike will be spotted by the victim of that compromise and likely report it, I'd expect..

Which is another angle to suggest in reports to incentive quick action, because they’re losing money keeping the service up.

I always log requests as "http://example.com/foo/bar/... [1234 bytes]".

If a site is designed for scamming, it will likely log the contents of the form submissions -- sensitive fields like username + password combos or other PII.

You can also go after their ssl certificate provider if they have one. Doesn’t always work but it has at least once for me.

Unfortunately I’ve also observed a lot of Canadian phishing links will geo-redirect, so reporting them can sometimes go nowhere unless the checker uses the right vpn.

They almost all use LetsEncrypt, which has a documented policy of not terminating accounts for spam/fraud.

Gross. Why?

They have a published policy that explains it:


Because it’s not their problem and would set a bad precedent

Their arguments are the same that any other layer involved could use to sit it out.

“We shouldn’t be the police, let some layer above or below us be the police, just anyone but us!”

What they don’t really say is that an abuse team costs money to run.

When self-regulation doesn’t work, you risk ending up with legally-imposed regulation. I’m sure that will really delight them.

Ssl is like the lowest on the chain. You have the domain registrar and the end host and perhaps cloudflare in the middle - and for phishing the mail starting point. All of these are better choices to report abuse than let’s encrypt provided free ssl that’s open for any one to use. I would place that at the level of a phishing site using nginx who could realistically add code to block a list of phishing domains somewhere in their code because it might be used by phishing sites - just no.

> Google is the domain registrar. (reported)

I wonder if this is the reason Google is getting rid of it's domain registration service? I imagine this is quite a pain to deal with

No, they set up their fraud prevention pipeline before they even launched their registrar. It’s a very expected part of going into that business, and they knew it and handled it well. The product was cancelled because there are huge internal incentives for launching new products, and subtle punishment for teams who perform maintenance.

Thank you

You are the hero we need.


In Russia, against a website committing credit card fraud while reporting everything to service providers, and actively preventing people from being defrauded?... I really couldn't give a poop, if the USA wants to come prosecute me and aid international fraudsters so be it (if you can even find them).

This is FUD, and saying "This is a confession to a crime, just so you are aware." is really an overly strong statement that is not warranted.

Yes, the CFAA is famously lax in what it's definition of "unauthorized access" is, and I know in the past some idiot politicians have tried to prosecute for a journalist clicking "view source" to see the HTML of a webpage, but one shouldn't confuse prosecutorial misconduct for "confessing to a crime". There is nothing in the statement that you are replying to that says that the user actively broke access control.

It shouldn’t be a crime. If I pull a skimmer off an ATM am I engaging in active measures against someone’s property? How is this any different?

What do you do with the skimmer once you pull it off? How do you prove that you’re in felony possession of fraud device? You also would be contaminating a crime scene. Most skimmers have limited memory and are sometimes controlled via Bluetooth.

It’s best to leave it to the ones _authorized_ to fiddle with such things. I’m sure your fellow citizens appreciate your gumption though.

I agree with you but that's a horrible comparison.

Theft and vandalism no doubt! /s

IANAL, but what's the actual crime in this case?

They were doing some exploratory poking around a public system, and at no point did they access a system without authorization. All this information is available to anyone, and malformed requests can happen for many reasons.

I suppose intent to gain unauthorized access might be a problem, and I'm sure some lawyer could find a case there.

Intent matters. Sending a malformed request in an attempt to harm could probably be prosecuted.

In much the same way that you usually are not allowed to shoot robbers in the street, people who are doing nefarious things but aren't yet convicted of a crime are not "fair targets". Especially when it comes to the CFAA, I don't think there's a concept of self defense.

Is it a crime? Arguably. Does anyone care? Nah

That isnt a crime in the US.

I don't think anyone should be particularly concerned about "criminal" actions conducted against a httpd/server host platform that's physically in Russia, operated by literal phishing criminals. What is the US going to do, extradite you to Russia for screwing with low-rent russian organized crime?

As the other poster says, this is no more morally wrong than pulling a skimming device off an ATM.

I got one of these immediately after ordering something from Apple. Since I work in the industry, I contacted friends who can do something about it. I’m surprised at how long it took UPS to go public with this. It’s very obviously their fault and they are still not being truthful about the cause.

I would encourage anyone who sues large companies for a living to consider putting together a class action suit. I have received dozens of these high quality phishing attacks ever since that original Apple purchase. Doubtless many people have fallen for the attack and provided banking information to the attacker since that time.

+1. Always "near" to a relatively high-dollar Apple purchase being inbound.

When I moved into my new apartment building I had a lot of deliveries so I signed up for FedEx Delivery Manager.

I put in my address but did not verify that I lived here in any way.

When I loaded my account settings in the “delivery instructions” it said “garage code 12345”. So that’s how I learned the garage code to my own building.

These delivery companies are shockingly loose with customer data, not surprised by this story.

I must be doing something wrong with FedEx Delivery Manager, because it doesn't actually let me manage deliveries. Unless your deliveries were all in-house through FedEx? I get a lot of shipments from other websites through FedEx and I can't "manage" the deliveries on those, not even a note to put the deliveries somewhere inconspicuous.

I recently received phishing texts from someone pretending to be UPS telling me that my delivery had been missed and I’d need to pay to reschedule it. The website I was taken to was remarkably polished, it looked almost exactly like the real UPS site.

The thing I couldn’t stop ignoring is that it was perfectly timed the day before I was expecting a UPS delivery. It could have been coincidental but I doubt it.

Same here. The combo of “actually having an important package scheduled” plus a convincing phishing page easily hijacked my brain into filling out the personal info form without even checking the full domain. I only snapped out of it when it asked me for a credit card number.

Quite probably the first mass phishing scam I’ve fallen for in nearly 20 years. Kinda horrifying to think how many non-tech people have gotten caught up by this.

> The website I was taken to was remarkably polished, it looked almost exactly like the real UPS site

"Fake Login Page" site generating scripts are pretty close to slightly customized versions of "Save Page As..." (plus some find/replace logic to fix domains, JavaScript, etc). They have been around for at least 2 decades. The big logistics companies (USPS, UPS, FedEx, DHL) almost certainly all have FLP generator scripts that are optimized for each one of them by now.

I worked at a social media company and our developers were constantly watching the FLPs that targeted our users. We both built countermeasures so they stopped working and helped mitigate the damage to accounts that we knew were scammed by the FLP sites.

"Back in my day" It seemed like setting up a copy of a site for phishing purposes was a single metasploit command.

I got one of these yesterday, I have a warrantee replacement item coming in the mail for which I had to verbally dictate my address. Seriously made me think twice, they couldn’t have timed it better.

Their domain name is sketchy AF though.

I received one of these letters and nearly tossed it out before noticing the buried lede in the middle of the fourth paragraph indicating that my information had been compromised.

Came here to say this! Only after reading about the leak here did I find the admission in the letter they sent, hidden under all this marketing copy about keeping you safe is our priority

and I missed that paragraph entirely ... I've also received, what apparently matches the description of the "smashing" in the original article, attempts sent to me, too. They were, to me, so obviously scams (the hostnames were suspect) that it seemed unimportant to notice the _real_ tracking codes used.

Now I'm more interested to know how this data leaked ...

My best guess would be a compromise of a 3rd party service that acts as an intermediary for UPS (and possibly other shipping providers) and serves Canadian businesses. Another possibility is, again, a 3rd party which collects data for businesses for marketing and analytics purposes, wherein the businesses are feeding the shipping info to these 3rd parties. Or maybe a 3rd party which sends out emails or texts containing the shipping info... It seems unlikely that UPS itself was compromised considering they're unable to determine how the phishers are acquiring the shipping info in the first place, especially given this phishing campaign ran for over two years.

Many of these tracking numbers are actually enumerable if you know what to look for. All of their support staff are vulnerable to reasonable sounding social engineering. Applying the former at scale is easy today, while the second requires more targeted attention.

I run an e-commerce shop in France and get many support tickets of customers wondering why they have to pay an additional fee to receive their parcels. One day, one of the customers forwarded me a super obvious scam SMS asking to pay the additional fee but unfortunately, it wasn't obvious for her (most of my customers are over 40-50 years old). Seems like they are running these scams all over the world and probably found vulnerabilities in all the major post offices.

Not sure if they’re still a thing in France, but there was an epidemic of humans randomly calling French phone numbers claiming to be DHL or UPS or whoever about “a package being held”. Not even automated calls, actual people (probably in a lower-cost francophone country) doing the calls.

Fourteen months UPS? It took you fourteen months to stop this? That's longer than a package delivery! /s

Seriously, their security team must be nonexistant.

They’re probably really good, but there’s no direct and immediate connection to their own bottom line, soooo…

Kinda like I remember a bit Canadian telecom talking big about their big “fraud squad”, but that’s primarily protecting fraud against the company, not its customers.

On the UPS website, there is a way to track packages WITHOUT the tracking number. They call this feature “Track by Reference Number” and I believe this might be how scammers are getting peoples information.

The reference number for a shipment can be literally any number the shipper chooses. So if they use a sequential number such as an invoice number or order number, it would be relatively easy for scammers to deduce what the reference number might be for a particular company (such as Lego).

Just to add a bit of fuel to this theory, if you go to the “Track by Reference Number” section on UPS Canada’s website today it has a message at the top stating:

Upcoming Changes: Limiting the display of reference number tracking details for improved security.

UPS is changing how the reference number tracking results are displayed to provide additional protection:

Tracking details will be mostly masked with only basic reference number tracking details available.

Senders that have saved the shipment’s account number as a payment method in their profile, or in their company profile, will see the full tracking details.

A very similar event happened to me in the beginning of this year, involving the USPS (rather than the UPS). Actually, it was on the 5th of January, come to think of it. Instead of clicking on the link in the SMS, I visited the page on my computer. The page was obviously made to impersonate the USPS website, except the link led to a tracking page with a populated shipment number.

The domain is/was uspexlocrts.info and at the time, a whois lookup showed that it had been registered just a few hours before I received the SMS on my phone. There was a subsequent modification about a month later.

The whois information is largely redacted, with only the state/province and country field showing up as Beijing, CN.

I ended up submitting all the information via the (authentic) usps customer inquiry interface and basically asked them to deal with it however they saw fit.

A few days later, when I tried visiting the page again, I noticed that the site had been added to Chrome as a potential phishing site (attempting to visit the site first shows the all-red Chrome warning page instead).

Finally, on the 15th of March, I received a response from the USPS:

-- Dear <Customer>,

Thank you for contacting the USPS® Internet Customer Care Center.

"Smishing", a form of phishing, is an unsolicited SMS (text) message. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scams often attempt to impersonate a government agency, bank, or other company to lend legitimacy to their claims. Common lures include “your account has been suspended,” “there is suspicious activity on your account”, "there is a problem with your shipping address" and “there is a package waiting for you at the Post Office.” To report USPS-related smishing: Please visit the United States Postal Inspection Service ® smishing page at https://www.uspis.gov/news/scam-article/smishing/ for additional information and reporting steps.

If you have any additional questions or concerns, please contact us again.

Thank you for emailing your Postal Service™,

USPS Internet Customer Care Center

Some of these tracking websites (not UPS) require fairly simple data to reveal the sender & recipient.

I'm sure with enough time & patience you could enumerate the hell out of them or use data from previous leaks to get your hands on the good stuff. It's all about rate limiting, but that can also be defeated pretty easily.

That seems unlikely to me as UPS certainly would have spotted that kind of activity in their logs (enumerating). However, it may not be entirely impossible either. UPS tracking numbers are long but not completely random, they encode a lot of info about the shipment which can greatly reduce the search space.


Yeah so the existence of URLs for specific retailers like Lego and Adidas suggest to me that they ordered from the shipper, got their account number, then just got a botnet to enumerate (or randomly query) with different package identifiers.

Wasn't talking about UPS but smaller shipping companies here in EU.

Here is the full text of the letter: https://imgur.com/a/Je4Z1JR

Talk about burying the lead! This is a deliberate and downright sleazy attempt to downplay the breach.

I never give my phone number when filling order forms. Just an obvious non-number like 0777777777

Has it occurred to you that the delivery driver being able to call you is actually pretty helpful.

Anecdotal, but I’ve never once had a driver call me once






spear phishing

clone phishing


Every year we get new ones, and I'm convinced it's so that companies can sell a new phishing training to corporations every year.

Wouldn't this instance be technically called "spear-smishing"?



This is why is pisses me off when shippers demand a phone number for ups or fedex. YOU DON’T NEED IT

Why are people putting a phone number on things to be shipped? I never understood this, and I've never gotten a call or a text about a package. So in recent years I've taken to putting bogus phone numbers when a site insists on one. I still get all my packages.

IMO this is responsible disclosure and the real bug bounty

My guess is a leaky api

I'm surprised we still post articles from Krebs on here. I'm also surprised people think SMS is a safe mechanism for verification or validation

Is Krebs bad?

Probably referring to the use of poor sources in its past reporting, notably with Ubiquiti.


The Register is one of the last publications that you should trust to make claims about the quality of other news sources.

I've personally had them grossly misrepresent a technical writeup I'd posted online, and then completely ignore attempts to correct them.[1] I've heard similar accounts from other people who work in information security.

I don't even read their articles anymore. They're the IT equivalent of the National Enquirer, if you ask me.

[1] I'd written up a discovery about how (back in the early 2010s) Motorola phones sent and received sensitive data insecurely, including data related to any configured Exchange ActiveSync account. The Register claimed (in the headline as well as the article!) that the issue was related to Exchange, i.e. that Microsoft was partly responsible, when the issue was entirely limited to communication between the phones and Motorola's internet-facing APIs. Literally every other publication got it right, but The Register, a supposed tech news site, took it as a chance to dunk on Microsoft and wouldn't correct their claims.

Every news source is, especially when you find yourself the subject of their reporting.

Krebs doesn't always get it right, but he tries. Trust-but-verify.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact