I received a handful of strange emails over the weekend. They appear at first glance to be a typical phishing attempt, but the link goes to what looks like a genuine tracking attempt for what appears to be a genuine courier company. I started to think that “this is a bit weird”. Have the phishers made a mistake and forgotten to put the phishing link in, and left the “proper” link in place? It all starts with an email with the subject of Tracking No: RR360001458GB coming from Citi Link Couriers – Spain <firstname.lastname@example.org>
Update 5 October 2016: Getting another handful of these emails today pretending to come from Citi Link Couriers – Spain <email@example.com> with the same Reply-To: firstname.lastname@example.org that was in previous emails, but actually coming from a series of compromised / hacked computers and servers. I still do not know what they want or how this scam actually will work.
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
One of the emails looks like:
From: Citi Link Couriers – Spain <email@example.com>
Date: Sun 18/09/2016 23:04
Subject: Tracking No: RR360001458GB
Attachment: none
Link in body of email to: http://citilinkcourier.com/track.php
We wish to inform you that we have a package that was
returned as our agent failed to deliver the package to you.
You can check details of the package with the below:
Tracking No: RR360001458GB
You are hereby advised to contact our office with your complete
address for verification so that a re-delivery of package will be
Mr. Andreu Oriol Sainz
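The update above notes that these emails carry a Reply-To address that never matches the compromised sender, while the body links to a domain of the scammer's own choosing. The following script, an added example that is not part of the original post, parses a raw message and flags exactly those two inconsistencies: a Reply-To domain that differs from the From domain, and a link domain that belongs to neither. The sample message is constructed from the headers quoted in the post; the sender and Reply-To addresses are invented placeholders, not the real ones.

```python
"""Flag From/Reply-To and link-domain mismatches in a raw email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post.
# Both addresses are placeholders, not the addresses seen in the real scam.
SAMPLE_EMAIL = """\
From: Citi Link Couriers - Spain <noreply@sender-placeholder.example>
Reply-To: citilink.tracking@replyto-placeholder.example
Subject: Tracking No: RR360001458GB
Content-Type: text/plain

We wish to inform you that we have a package that was
returned as our agent failed to deliver the package to you.
You can check details of the package with the below:
http://citilinkcourier.com/track.php
"""

# Captures the host part of any http(s) URL in the body.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(header_value):
    """Return the lowercased domain of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def same_org(domain, sender_domain):
    """True if domain is the sender's domain or a subdomain of it."""
    if not domain or not sender_domain:
        return False
    return domain == sender_domain or domain.endswith("." + sender_domain)


def analyse(raw_message):
    """Return the extracted domains plus a list of human-readable findings."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    link_domains = sorted({host.lower() for host in URL_HOST_RE.findall(body)})

    findings = []
    # Replies going somewhere other than the apparent sender is the classic
    # sign of a message sent through a compromised, unrelated account.
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # A tracking link that is not under the sender's own domain deserves a look.
    for host in link_domains:
        if not same_org(host, from_domain):
            findings.append(
                f"link domain {host} is unrelated to sender domain {from_domain}")

    return {
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "link_domains": link_domains,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL)["findings"]:
        print("WARNING:", line)
```

Neither finding proves a message is fraudulent on its own (newsletters routinely use a separate Reply-To), but a courier notification where the reply address, the sending domain and the tracking link all point to three different organisations is worth holding back for a closer look.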
If you follow the link, you see a webpage looking like:
Let’s input the tracking number and see what happens:
We get this page telling us the parcel is waiting in Spain.
OK, let’s see what information they want in order to scam us when we register. Nothing much, except a name and email address.
The website was set up in August 2016 and is hosted on OVH (http://whois.domaintools.com/citilinkcourier.com). That definitely makes it very suspicious.
This scam is relying on a recipient getting confused. The name is very similar to that of a genuine UK-based courier service called City Link, which went bust at Christmas 2014. But I have no idea what the end result is expected to be. They don’t ask for any financial information anywhere. They don’t ask for any passwords, except one you create to sign up. All I can think of is that it is a 419 scam where you will get a series of emails telling you the parcel was sent by a UK or US serviceman in Iraq and contains ££££ or $$$$ or something very valuable, and you need to pay a customs fee or handling fee to get it. There have been several similar ones using the phone numbers in this email, but they normally ask you to reply to the email and are very obviously fraudulent.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file type you use every day. Or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card, or email and social networking login details. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
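The advice above, to enable “show known file extensions” and check whether the unzipped file is really an .EXE, can be applied before anything is extracted. The script below is an added example, not code from the original post: it builds a small archive in memory from constructed file names and contents, then lists every entry whose final extension is executable, whose name uses a double extension that Windows would display without the executable part, or whose contents begin with the Windows executable header even though the name claims to be a document.

```python
"""Inspect zip entries for executables hiding behind familiar extensions (added example)."""
import io
import zipfile

# Extensions Windows runs on double-click. With "hide extensions for known
# file types" on, "photo.jpg.exe" is displayed to the user as "photo.jpg".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Files starting with "MZ" are Windows executables regardless of their name.
PE_MAGIC = b"MZ"


def build_sample_zip():
    """Construct a sample archive; names and contents are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tracking_details.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("photo_from_last_night.jpg.exe", b"MZ constructed stub")
        zf.writestr("invoice.doc", b"MZ constructed stub with a document name")
        zf.writestr("notes/readme.txt", b"plain text")
    return buf.getvalue()


def suspicious_entries(zip_bytes):
    """Return [(entry_name, [reasons...])] for every entry that deserves a second look."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base_name = info.filename.rsplit("/", 1)[-1]
            parts = base_name.split(".")
            final_ext = "." + parts[-1].lower() if len(parts) > 1 else ""
            # What the user sees when known extensions are hidden.
            displayed = ".".join(parts[:-1]) if len(parts) > 1 else base_name
            reasons = []

            if final_ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {final_ext}")
                if len(parts) > 2:
                    reasons.append(
                        f"double extension: shown as {displayed!r} with extensions hidden")

            # Read only the first two bytes; no need to extract the whole file.
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC and final_ext not in EXECUTABLE_EXTS:
                reasons.append("Windows executable header in a file named as a document")

            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample_zip()):
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The content check matters because renaming a file does not change what Windows will do with it once a user finds a way to run it; reading the first two bytes catches the case the extension check alone would miss.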