La Poste victim of a hybrid phishing attempt


According to La Poste, this is a first, combining physical and digital media. A scam using a fake delivery notice from the postal company has just been foiled after its modus operandi was disclosed on social networks. This unprecedented phishing attempt, designed to steal banking credentials, was spotted near Montpellier.

On August 28, Flavio Perez shared on Twitter the curious delivery notice he had received. The document, which copies La Poste's branding, invites the recipient to scan a QR code or type in a long web address beginning with laposte.fr in order to confirm a new "delivery" of a registered letter with acknowledgment of receipt.

Innovative scam

As Flavio Perez notes, the link and the QR code then redirect to a malicious site, laposteaide.fr. The user is then asked to enter bank card details to pay 0.97 euros, supposedly to have the mail redirected. "Very easy to believe in it," remarks the user, who was nevertheless not fooled.

The scam, which specialists consider particularly innovative, relies first and foremost on paper, which lends it credibility in the eyes of victims. The document has been carefully crafted, for instance by using a tracking number that La Poste itself displays as an example on its website.

Known fake-parcel-delivery scams have so far relied on an SMS or an email. As the government platform Cybermalveillance notes, these scams aim to steal personal and banking information.

Computer vulnerability

The cybercriminals behind the fake paper delivery notice then took advantage of a configuration flaw in laposte.fr that allowed web redirection without any control. This is a well-known weakness: the open redirect technique is commonly used in phishing attempts. One example is the malicious exploitation of one of the FBI's websites reported by specialist journalist Brian Krebs last July.

The postal company says it has since deployed a fix that prevents the creation of a redirect web address rooted at laposte.fr. La Poste has not given technical details, but the classic countermeasures are a whitelist of permitted redirect destinations and the rejection of certain characters. The fraudulent site laposteaide.fr is also no longer reachable. Finally, the company reminds the public that it never asks for money to re-deliver a registered letter or a parcel.
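As an added illustration of the whitelist countermeasure mentioned above (example code written for this article, not La Poste's own implementation; the allowed hosts, the base URL and the fallback path are assumptions), here is a redirect validator that only lets a redirect parameter point at allow-listed hosts and otherwise sends the user back to the site's home page:

```python
from urllib.parse import urljoin, urlsplit

# Hosts the application is willing to redirect to (assumed list; a real
# deployment would carry its own). Exact-match on the host, never a
# prefix match, so "laposte.fr.evil.example" is not accepted.
ALLOWED_HOSTS = {"laposte.fr", "www.laposte.fr"}
# Assumed origin of the site and the safe fallback destination.
SITE_BASE = "https://www.laposte.fr/"
DEFAULT_TARGET = "/"


def safe_redirect_target(target: str) -> str:
    """Return a redirect destination that stays on an allow-listed host.

    A foreign host, a scheme-relative '//host' URL, a non-http(s) scheme
    or a userinfo trick such as 'www.laposte.fr@other.example' all fall
    back to DEFAULT_TARGET instead of being followed.
    """
    if not target:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a slash in the authority position,
    # so normalise it before parsing rather than trusting urlsplit alone.
    candidate = target.replace("\\", "/")
    # Resolve against the site's own origin: a relative path such as
    # '/suivi/123' keeps working, while '//other.example' becomes an
    # absolute URL whose host can then be checked.
    resolved = urljoin(SITE_BASE, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    # .hostname strips userinfo and port and lower-cases the host.
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path, then several
    # shapes an open-redirect check must refuse.
    for sample in ("/suivi/ABC123", "https://laposteaide.fr/pay",
                   "//laposteaide.fr/pay", "https://www.laposte.fr@laposteaide.fr/",
                   "javascript:alert(1)"):
        print(f"{sample!r:55} -> {safe_redirect_target(sample)}")
```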
