When Scams Borrow Legitimacy

I work in software, specifically development and integrations. That means security is usually pretty high on my list of things to be aware of. I don't always just dismiss phishing attempts, because I like to see how they work and what the latest techniques are. But today, today I had something completely different happen.

I'm waiting for a package from Canada Post. This is actually unusual for me; I normally don't deal with packages like that. Today, I got a text from (seemingly) Canada Post asking me to click a link and reschedule a delivery. But… I'd been home all day. I did not immediately click the link. Instead, I decided to find out what kind of legitimacy this link had.

First Step: the Plausibility

Was I expecting a package? Yes. Is it late? Phenomenally. I’ll call this step a wash. Mostly circumstantial, and didn’t really affect my decision making either way.

Second Step: the Link

Time to examine the link. It's an SMS, and the link isn't very hidden. It's got a somewhat random prefix, points to unitedmesseng*r.com, and ends with a slash and some random characters (an opaque token). A quick look on Google shows that United Messengers is indeed a courier company that deals with Canada Post. I open an incognito session and type in the bare domain. It redirects to Canada Post when I go to it.

On a whim, I decided to try the prefixed host as well, [redacted and changed] something.unitedmesseng*r.com; that too redirected to Canada Post.

I’ll call this step a qualified win; you’ll see why in a moment, but at this point something didn’t “feel” right.

Third Step: the Console

Because something didn't feel right, I decided I was going to check the console log of the website, and this is what I saw:

[Screenshot: browser console showing a malicious actor's redirect chain]

Now it makes sense.

The initial domain performed:

  • a 307 redirect (temporary, preserving the method),
  • followed by a 301 redirect (permanent),
  • followed by a 302 redirect to the Canada Post site.

In other words, a third party walked me into a legitimate site while appearing to be the origin the entire time.

This is what I’d call borrowed authority via redirect chaining.

Fourth Step: But Wait? Weren’t They Legit?

At this point I thought to myself, "Wait, weren't they legitimate? Why would they do these redirects?"

This is the sleight of hand, and it's the same sleight of hand I did to you, the reader, earlier. unitedmessengr.com is NOT a legitimate endpoint. That company is unitedmessengrs.com. The SMS came from the same area code. The company was similarly named. But the missing "s" makes all the difference. A quick WHOIS on the target domain showed it registered through a privacy proxy. Clearly I was not dealing with whom I thought I was.

And that site is standing right next to a legitimate site, letting the legitimate site’s credibility wash over it.
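The two checks above, walking the redirect chain one hop at a time and comparing the origin domain against the name it is imitating, can be scripted. The following is an added example written for this article, not the author's code or anything from Canada Post or United Messengers. The hostnames are the ones quoted in the post; the paths, the intermediate hosts, the final Canada Post URL and the `KNOWN_GOOD` allowlist are assumptions, and the hop table is constructed to mirror the 307 → 301 → 302 sequence the author saw so the script runs offline. `http_fetch` is included for use against a live link from a sandboxed analysis machine; it never follows redirects on its own.

```python
"""Offline triage of a suspicious SMS link: walk the redirect chain hop by hop
and flag the two tricks the article describes, a cross-domain chain that ends
on a trusted site and a lookalike (typosquat) origin domain.

Added example for this article, not code from the original post. The hop table
below is CONSTRUCTED: the hostnames are the ones the article quotes; the paths,
the intermediate hops and the final Canada Post URL are assumptions chosen to
mirror the 307 -> 301 -> 302 sequence the author observed.
"""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# Constructed fake "internet": URL -> (HTTP status, Location header or None).
FAKE_RESPONSES = {
    "https://abc123.unitedmessengr.com/tok/9f3a": (307, "https://unitedmessengr.com/r/9f3a"),
    "https://unitedmessengr.com/r/9f3a": (301, "/go?t=9f3a"),  # relative Location, resolved below
    "https://unitedmessengr.com/go?t=9f3a": (302, "https://www.canadapost.ca/"),
    "https://www.canadapost.ca/": (200, None),
}

# Assumed allowlist of registrable domains you would trust for this message.
KNOWN_GOOD = {"unitedmessengrs.com", "canadapost.ca"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Offline fetcher: consult the constructed table; unknown URLs are dead ends."""
    return FAKE_RESPONSES.get(url, (404, None))


def http_fetch(url, timeout=10):
    """Real fetcher for a sandboxed analysis box: one HEAD request, redirects NOT followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib surface the 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (unfollowed) and 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def follow_chain(url, fetch, max_hops=10):
    """Return [(url, status, location), ...], one entry per hop, stopping on loops."""
    hops, seen = [], set()
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative to the current URL
        else:
            break
    return hops


def registrable_domain(host):
    """Crude registrable domain (last two labels); fine for .com/.ca, wrong for .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance; a distance of 1 or 2 from a trusted name is the typosquat signature."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(url, fetch=fake_fetch, known_good=KNOWN_GOOD):
    """Walk the chain and return (hops, findings); an empty findings list means a clean link."""
    hops = follow_chain(url, fetch)
    domains = [registrable_domain(urlsplit(h[0]).hostname) for h in hops]
    origin, final = domains[0], domains[-1]
    findings = []
    if len(set(domains)) > 1 and origin not in known_good:
        findings.append("cross-domain chain: " + " -> ".join(dict.fromkeys(domains)))
    for good in known_good:
        d = levenshtein(origin, good)
        if 0 < d <= 2:
            findings.append(f"lookalike origin: {origin} is {d} edit(s) from {good}")
    if final in known_good and origin not in known_good:
        findings.append(f"borrowed authority: untrusted {origin} lands on trusted {final}")
    return hops, findings


if __name__ == "__main__":
    hops, findings = triage("https://abc123.unitedmessengr.com/tok/9f3a")
    for u, status, loc in hops:
        print(f"{status}  {u}" + (f"  ->  {loc}" if loc else ""))
    print("\n".join(findings) or "no findings")
```

Run as-is it prints the four constructed hops and three findings: the chain crosses domains, the origin is one edit away from unitedmessengrs.com, and an untrusted origin lands on a trusted destination, which is exactly the "borrowed authority" pattern. The point of never letting the client auto-follow is that the browser's address bar only ever shows you the last hop; the hops in between are where the third party sits. Swap `fake_fetch` for `http_fetch` only on a machine you are willing to have touch the attacker's server, since even a HEAD request confirms to them that the token in the link was delivered to a live target.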

Fifth Step: Delete the SMS

At this point, I deleted the SMS and moved on with my day.

So Why Did I Write This?

I've been involved in computers for a long time; I've been coding since 1982 and I've seen the evolution of these things first-hand. I've only ever fallen for one phishing attempt, that was in 2004, and I knew it the second I fell for it.

But this one was different.

It didn’t rely on panic or urgency. It relied on plausibility, timing, familiar names and legitimate destinations. I could’ve fallen for this one, the first in a long time.

Conclusion

I’m not saying “don’t ever fall for anything”, and I’m certainly not making any moral claims about falling for scams. But what I do want to do is tell people that the scams are getting smarter, and they’re borrowing credibility.

Modern scams do not fake legitimacy. They escort you to it.

Consider this: not only did this scam borrow Canada Post's credibility, it also borrowed a legitimate courier company's name to vouch for itself. All while offering a completely banal service, in the middle of the day.

I don’t know what would’ve happened if I’d clicked that link. And I don’t want you to find out.