Anatomy of a smishing scam in the age of Covid
It was a reasonably convincing scam on the face of it. Then the facade started to crumble.
On Saturday morning I checked my mailbox and muttered bitterly about the fact that my parcel from e-commerce operator Lightinthebox.com still hadn't arrived after nearly six weeks. A couple of others from different providers were similarly delayed in transit.
About 30 minutes later I received a text message.
Oh great, I thought, at least the package has been delivered to "our drop-off street", which seemed like odd language, but nevertheless kindled some hope that the package was finally at the courier's depot and close to being delivered.
I clicked on the link to find out the tantalising details about "your pick-up". Maybe I could drive down to the courier depot and finally get my hands on the three shirts that had been dispatched from China, or maybe the rare copy of The Great Romance, a 19th century New Zealand sci-fi novel I bought on eBay.
Clicking on the link took me to an odd URL - not DHL or some recognisable shipping company, but an official-looking parcel tracking page nonetheless. I'd used a similar-looking one recently to track yet another delayed package.
When I tapped on the Track Your Item badge it displayed a message explaining that my parcel had been held up because customs duty to the tune of $3 was owing on it. The parcel would not be released until the sum was paid.
I was half thinking at this point that the message was a scam. But I had three parcels held up so this wasn't beyond the realms of possibility. I tapped on the link to find out more about this $3 fee.
That brought me to a page with the URL best.getofferslive.com. That was the real red flag. Then the amount required to pay was "1.5$" not the $3 as initially claimed. Then I started tapping around the screen. The "hamburger" menu button which should have given me more information about the company didn't work. The social media tabs at the bottom of the page didn't work. They just returned me to the same page I was on.
It was a total scam, one of several delivery scams that started circulating as far back as 2019 but which proliferated last year as parcel deliveries soared during the pandemic. Experts call this "smishing" - the SMS equivalent of the phishing emails sent to try and trick you into divulging your credentials.
This one was fairly easy to pick. As recently as September 22, NZ Post was reporting email versions of the delivery alert scam that, more creatively, used its branding. But I cursed myself at the social engineering the scammers were undertaking. I was expecting a parcel anyway, frustrated that it had been held up for weeks, and willing to pay a small amount to be able to clear the way for it to be picked up. The scammers know that many people are in my situation and that at least a handful will take the next step and plug their credit card details into the payment screen.
What will happen then? A screen would likely pop up thanking me for my payment and telling me that the parcel had been cleared for pick-up. But what may really happen behind the scenes of this bogus website is that the credit card details will be used to make a $1.50 payment from the credit card to some front company. Scammers like to try a small transaction on a credit card to test that it will go through, before attempting to process a bigger amount.
Somewhere in the world, someone could have been sitting in front of a screen looking to see which small payments went through, then using the stolen credit card details to make a bigger, unauthorised payment to their company, quickly removing the transferred funds. But banks have had to deal with this sort of thing for years. I once had a $400 charge to my credit card for a hotel room in the US. The first thing I knew about it was when I received a call from my bank asking if I'd just made a hotel booking. I hadn't and the transaction was quickly reversed. Scammers know that route isn't very fruitful anymore.
There's another scenario. Say I had entered my personal details and credit card number into the online form. On Monday morning they call me posing as a fraud agent from my bank to let me know there's been suspicious activity on my credit card. A persuasive scammer talks me into transferring a large sum of money out of my bank account into another "safe" account they will use to protect it from whoever is trying to defraud me until my account can be restored.
That's how the scam has played out overseas. It has amassed many victims. With millions of people waiting on parcels at the moment, it is a fertile hunting ground, even if the scammers by necessity must take a scattergun approach.
There's a third scenario, the most likely one according to CERT NZ, to whom I reported the smishing attempt. They suggested the biggest threat is malware being downloaded from that bogus site to my computer. My phone is a computer, so I've done a virus scan of it to make sure there's nothing nasty lurking on it. The scan came up clean.
The tell-tale signs
There were plenty of tell-tale signs that pointed to this text and website being dodgy.
- The language was clunky. Your parcel was delivered "to our drop-off street". It just struck me as being wrong, and it was.
- The URLs. The text message I received took me to a website with the URL olurit.xyz, which then took me to another website with the URL best.getofferslive.com. Both addresses just gave off that scammy vibe.
- The price they quoted, $3, was different to the "1.5$" I was asked to pay on the credit card payment page.
- The parcel tracking page was a walled garden, with a fake menu and social media tabs. They didn't want me doing anything other than entering my credit card details.
One victim, one big payday
Digging a bit further, it turned out that olurit.xyz had been registered on Sept 24, 2021, the day prior to me receiving the text message. When I called the Australian number the text message was sent from, the number had already been disconnected. The websites were gone too. These scams rely on easily acquired domain names and SMS delivery services. It's all low-cost and anonymous to set up, use and then quickly abandon.
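The tell-tale signs listed earlier, together with the registration date above, can be turned into a small triage script for a reported SMS link. This is an added example, not part of the original article; the expected-courier host list, the 30-day age threshold, the URL schemes and the sample page text are assumptions constructed for illustration.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Assumption: hosts the recipient actually expects courier links from.
EXPECTED_HOSTS = {"nzpost.co.nz", "dhl.com"}
MAX_DOMAIN_AGE_DAYS = 30  # assumed cut-off for "newly registered"

# Matches both the usual "$3" and the reversed "1.5$" seen on the payment page.
AMOUNT_RE = re.compile(r"\$\s*(\d+(?:\.\d+)?)|(\d+(?:\.\d+)?)\s*\$")

def amounts(text):
    """Return every dollar amount found in text, in order of appearance."""
    return [float(a or b) for a, b in AMOUNT_RE.findall(text)]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_expected(h):
    return any(h == e or h.endswith("." + e) for e in EXPECTED_HOSTS)

def triage(received, chain, registered, page_texts):
    """Return the warning signs found for one reported SMS link."""
    flags = []
    hosts = [host(u) for u in chain]
    unexpected = [h for h in hosts if not is_expected(h)]
    if unexpected:
        flags.append("unexpected host: " + ", ".join(unexpected))
    if len(set(hosts)) > 1:
        flags.append("redirect crosses hosts")
    for h, reg in registered.items():
        age = (received - reg).days
        if 0 <= age <= MAX_DOMAIN_AGE_DAYS:
            flags.append(f"{h} registered {age} day(s) before message")
    quoted = {a for t in page_texts for a in amounts(t)}
    if len(quoted) > 1:
        shown = ", ".join(f"${a:g}" for a in sorted(quoted))
        flags.append("inconsistent fee: " + shown)
    return flags

# Constructed input using the hostnames, dates and amounts given in this article.
REPORT = triage(
    received=date(2021, 9, 25),
    chain=["https://olurit.xyz/", "https://best.getofferslive.com/"],
    registered={"olurit.xyz": date(2021, 9, 24)},
    page_texts=["Customs duty of $3 is owing", "Amount to pay: 1.5$"],
)
```

For the message described here, `REPORT` holds four flags: the unexpected hosts, the cross-host redirect, the one-day-old domain and the fee mismatch.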
Assuming thousands of text messages were sent out, it would only take a small handful of people falling for the scam and entering their credit card details to yield a shortlist of targets. It would only take one person willing to transfer a decent sum of money to make it all worthwhile.
New Zealand Customs knows this phishing scam well and has been warning people about it for over a year. It was initially based around emails but progressed to SMS text messages when scammers realised that many people receive texts from courier companies, so mimicking that activity was likely to achieve better results.
The tech-savvy will roll their eyes at people who fall for these scams. But spare a thought for stressed-out, locked down people around the world, who are waiting on parcels, bombarded with emails and messages from a host of e-commerce providers. It's easy to see how it happens. Meanwhile, my shirts remain "in transit".
If you get a dodgy SMS message like this, be sure to let CERT NZ know and also forward the message to the Department of Internal Affairs by texting it to 7726.