By Nathaniel Raymond
The importance of fast and efficient shipping solutions has increased for households and businesses, especially during the holiday season, when demand for shipping services is high. Cofense Intelligence asked whether malicious shipping-themed emails increase during the holiday season. That question sparked a three-year trend analysis, covering 2021 to 2023, of shipping-themed emails targeting several industries. While it might seem logical that the number of malicious shipping-themed emails would rise during this time, the trend analysis suggests that malicious email volume increases only slightly during the holiday season. It also indicates that malicious shipping-themed emails are a significant threat to several industries all year round, as volume trends tend to be consistent, with the highest volumes in June, October, and November and the lowest in April.
Manufacturing stands out as the most heavily targeted industry in the three-year sample. Shipping-themed emails often deliver malware such as Agent Tesla Keylogger, or delivery mechanisms such as Microsoft Office documents that exploit CVE-2017-11882 to deliver malware. The emails may also carry credential phishing, although that is less common than malware delivery against businesses. The analysis also suggests that credential phishing in shipping-themed emails is likely to be delivered via an attached or downloaded HTML file.
Shipping-themed emails use a variety of subject lines that borrow from the shipping process, including international shipping documents such as air waybills (AWB), bills of lading (BoL), and invoices, to get the user to download malware or enter personal information. Malicious emails may also spoof well-known shipping brands such as DHL, Maersk, and FedEx to add a layer of legitimacy. Figure 1 shows an example of an email with an attached archive file containing an Agent Tesla Keylogger sample.
Figure 1: Sample Email that Delivers Agent Tesla Keylogger
Figure 2: Credential Phishing Sample via Attached HTML file
The trend analysis below covers three years, 2021 to 2023. Figure 3 combines the totals for each month across the year range to show the heaviest and lightest months by volume and to identify volume trends throughout the sample range. Looking at Figure 3, it is evident that shipping-themed email volume tends to be lower at the beginning of the first quarter and picks up in the middle of the second quarter. After that, volume remains reasonably consistent across the third quarter until the fourth quarter, when it increases slightly and then decreases as the year ends, remaining consistent until the next second-quarter increase.
Figure 3: Total Yearly Shipping-Themed Emails by Volume
Figure 4: Total Yearly Shipping-Themed Emails by Volume Breakdown
The number of shipping-themed emails sent yearly can vary, with volumes increasing, decreasing, or remaining relatively stable month-to-month. Figure 3 and Figure 4 both show similar trends in 2021 and 2022. However, in 2023, the fourth quarter breaks away from this trend and stands out as an exception. Figure 4 highlights two unusual months: April, which had the lowest number of shipping-themed emails, and June, which is among the months with the highest volumes. October and November confirm that shipping themes increase, albeit slightly, during the holiday months.
It is important to note that phishing emails related to shipping, whether commercial or personal, can differ in intent and target. For instance, a potential victim may receive an email or SMS about the shipment of a supposed personal purchase; such an email could contain phishing links that aim to steal personal data such as addresses, contact information, and credit card details. Our analysis, however, focuses on phishing emails that target commercial businesses across various industries dealing with international shipping and that use the process keywords mentioned earlier, as in the example in Figure 1. Figure 5 shows that a significant number of malicious emails were found in inboxes belonging to the manufacturing industry over the three years we analyzed.
Figure 5: Top 5 Industries Targeted
It is standard for attackers to use well-known shipping brands to deliver credential phishing scams to households, aiming to steal personally identifiable and financial information. Our analysis shows, however, that credential phishing emails using shipping themes are not as prevalent against businesses. Credential phishing nonetheless remains in the top 5 threats, accounting for 12% of the total threats Cofense observed in shipping-themed emails from 2021 to 2023. Figure 1 is a good example of an email tailored for a business: it lures the victim into downloading the attached archive containing an Agent Tesla Keylogger sample, which runs once the victim follows the instructions in the email. While both malware and credential phishing aim to steal information, malware such as Agent Tesla and FormBook aims to steal as much as possible rather than focusing on credentials for a single account. This increases the chance that threat actors can access company assets for further exploitation or sell them for financial gain. In Figure 6, we observe that malware is more common than credential phishing in shipping-themed emails sent to businesses and industries.
Figure 6: Top Threats Delivered
Not only is malware more prevalent than credential phishing in this instance, but Agent Tesla Keylogger and FormBook, an information stealer, are the top two malware families delivered via shipping-themed emails. Other families seen include Loki Bot, Snake Keylogger, and Remcos RAT, which are used to exfiltrate company information, grant unauthorized access, and continue the infection in ways that may lead to other threats, such as ransomware.
Other threats lurk inside shipping-themed emails as delivery mechanisms that facilitate malware delivery, either through exploitation or by executing attached or downloaded downloaders. Figure 7 shows that the most popular delivery mechanism is the Microsoft Office document that exploits the Office Equation Editor vulnerability outlined in CVE-2017-11882.
Figure 7: Top Delivery Mechanisms
While CVE-2017-11882 is the most popular delivery mechanism, the second most popular is the HTML file. HTML files can deliver malware through an attack vector known as HTML smuggling. However, HTML has a longer history of delivering credential phishing, as an attachment or via an infection URL embedded in the email. During the analysis, the total volume of HTML files and the total volume of credential phishing were almost identical. This suggests that credential phishing in shipping-themed emails is most likely to be delivered via an HTML file.
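As an added example (not part of the Cofense analysis), the following triage function scores an inbound message on the lure indicators this post describes: shipping-process vocabulary in the subject (AWB, BoL, invoice), a carrier brand named by a sender outside that carrier's domain, and HTML, archive, or Office attachments of the kinds tied above to malware and credential phishing delivery. The indicator lists, the attachment-type mapping, the scoring weights, and the sample message are all constructed assumptions to tune against your own telemetry.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed indicator lists drawn from the shipping-process terms, carrier brands and
# attachment types the analysis discusses; tune them from your own telemetry.
SHIPPING_TERMS = ("awb", "air waybill", "bill of lading", "bol", "invoice", "shipment")
BRAND_DOMAINS = {"dhl": "dhl.com", "maersk": "maersk.com", "fedex": "fedex.com"}
RISKY_EXT = {".html": "html", ".htm": "html", ".zip": "archive", ".rar": "archive",
             ".7z": "archive", ".doc": "office", ".rtf": "office", ".xls": "office"}
TERM_RE = re.compile(r"\b(" + "|".join(re.escape(t) for t in SHIPPING_TERMS) + r")\b")


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message on the lure indicators described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    display, addr = parseaddr(msg["from"] or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    score, reasons = 0, []
    # Shipping-process vocabulary (AWB, BoL, invoice, ...) in the subject line.
    if TERM_RE.search(subject):
        score += 1
        reasons.append("shipping-themed subject")
    # Brand spoofing: a carrier is named in the display name or subject, but the
    # sender address is not on that carrier's domain.
    for brand, domain in BRAND_DOMAINS.items():
        named = brand in display.lower() or brand in subject
        if named and sender_domain != domain and not sender_domain.endswith("." + domain):
            score += 2
            reasons.append(f"{brand} named but sent from {sender_domain or '<none>'}")
    # Attachment types the analysis ties to malware and credential phishing delivery.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        kind = next((k for ext, k in RISKY_EXT.items() if name.endswith(ext)), None)
        if kind:
            score += 2
            reasons.append(f"{kind} attachment {name}")
    return {"score": score, "reasons": reasons, "review": score >= 3}


def constructed_sample() -> bytes:
    """A constructed message mirroring the Figure 1 lure; not a real sample."""
    m = EmailMessage()
    m["From"] = "DHL Express <notice@parcel-update.example>"
    m["Subject"] = "AWB 4471 92038 shipment invoice - action required"
    m.set_content("Please open the attached AWB and confirm the shipment details.")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="AWB_invoice.zip")
    return m.as_bytes()
```

Feeding the constructed sample to `triage` flags all three indicators and marks the message for review; a message from the carrier's real domain with no attachment only earns the subject-line point.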
Cofense can conclude that shipping-themed emails increase during the holiday season, albeit only slightly. For the most part, the yearly trends suggest that these emails follow a consistent pattern throughout the year with varying volumes, the largest being in June, October, and November. While shipping services are in high demand during the holidays, there is a difference between personal shipping and business shipping that may alter the emails and their payloads. Personal shipping emails may include credential phishing to steal accounts, passwords, and personally identifiable and financial information. The three-year trend analysis, however, covered several industries and found that Agent Tesla Keylogger, the information stealer FormBook, and the CVE-2017-11882 exploit delivery mechanism were the most prevalent threats these industries faced.