Every day, billions of people rely on postal and courier services to deliver everything from handwritten letters to high-value online orders. The rapid growth of global e-commerce has made parcel delivery services a critical part of everyday life.
According to the Universal Postal Union’s State of the Postal Sector report, postal services now support approximately 7.3 billion people worldwide.
Industry data from Statista also shows that about 161 billion parcels were shipped globally in 2022, with China, the United States, and Japan accounting for a significant share of deliveries.
However, this massive reliance on courier services has also created new opportunities for cybercriminals.
Security researchers have identified a surge in fake shipment tracking scams across the Middle East and Africa (MEA), where attackers use SMS phishing campaigns to steal banking credentials, payment data, and personal information.
The attack typically begins with a text message claiming that a package delivery has failed. Victims are told that their parcel was returned after several attempts and must update their address or pay a small fee before the package can be redelivered.
These messages often include urgent instructions and a link to a fake tracking page designed to look like a legitimate courier service. Once users click the link, they are directed to a phishing website optimized for mobile devices.
The page usually displays convincing shipment details such as:
After entering personal details, victims are asked to provide payment information to release the package. At this stage, attackers capture credit card numbers, banking credentials, CVV codes, and even one-time passwords (OTPs).
Technical analysis of the phishing pages revealed sophisticated data theft techniques embedded in the site’s HTML code.
Researchers discovered scripts that establish a WebSocket connection with attacker-controlled servers using a command similar to wss://{domain}/ws.
Investigators also observed the generation of unique UUID tokens for each visitor session. This enables operators to track individual victims and manage stolen data more efficiently, indicating the operation is organized and automated.
To deliver the scam, the attacker sends a phishing link to victims via SMS using various spoofing or bulk-message techniques.
The persistent WebSocket connection allows the phishing page to transmit victim data instantly. Every keystroke entered on the form, including card numbers, login credentials, and OTP codes, can be captured in real time and sent directly to the attacker.
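For analysts triaging a saved copy of a suspect tracking page, the sketch below checks for the combination described above: a WebSocket to a /ws endpoint, a per-session UUID, and input listeners on payment or OTP fields. It is an added example, not code from the researchers; the regular expressions are heuristics chosen here and both HTML fixtures are constructed.

```python
import re
from html.parser import HTMLParser
# Heuristics constructed for this example (assumptions, not published signatures).
WS_ENDPOINT = re.compile(r"new\s+WebSocket\s*\([^)]*wss:[^)]*/ws\b", re.I)
SESSION_UUID = re.compile(r"crypto\.randomUUID\s*\(|uuidv?4\s*\(|xxxxxxxx-xxxx-4xxx", re.I)
KEY_EVENTS = re.compile(r"addEventListener\s*\(\s*[\"'](input|keyup|keydown|keypress)[\"']", re.I)
SENSITIVE = re.compile(r"cc-number|cc-csc|one-time-code|card|cvv|otp|password", re.I)

class PageFacts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.fields = False, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "input":
            # Judge a field by its name, id and autocomplete hint.
            label = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
            if SENSITIVE.search(label):
                self.fields.append(a.get("name") or a.get("id") or "?")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def triage_page(html):
    """Report which of the described behaviours a saved page exhibits."""
    p = PageFacts()
    p.feed(html)
    js = "\n".join(p.scripts)
    facts = {"ws_endpoint": bool(WS_ENDPOINT.search(js)),
             "session_uuid": bool(SESSION_UUID.search(js)),
             "key_events": bool(KEY_EVENTS.search(js)),
             "sensitive_fields": p.fields}
    # A WebSocket alone is common (chat widgets); the combination is the signal.
    facts["live_capture_pattern"] = bool(facts["ws_endpoint"] and facts["key_events"] and p.fields)
    return facts

# Constructed fixtures, not captured pages.
PHISH_LIKE = """<form><input name="card_number" autocomplete="cc-number">
<input name="otp" autocomplete="one-time-code"></form><script>
var sid = crypto.randomUUID();
var ws = new WebSocket("wss://" + location.host + "/ws");
document.querySelector("form").addEventListener("input", onField);
</script>"""
CHAT_WIDGET = '<input name="message"><script>var ws = new WebSocket("wss://chat.example/ws");</script>'
print(triage_page(PHISH_LIKE)["live_capture_pattern"], triage_page(CHAT_WIDGET)["live_capture_pattern"])
```

Only inline scripts are inspected; externally loaded or obfuscated JavaScript needs to be fetched and deobfuscated before the same checks apply.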
Attackers use several techniques to make phishing messages appear legitimate. One common method involves sending SMS messages from anonymous but regionally formatted numbers that resemble local mobile carriers. For example, victims in Egypt may receive messages from numbers using local prefixes.
Another tactic involves Sender ID spoofing, where attackers manipulate the sender name so the message appears to come from a trusted courier brand.
In many cases, the malicious SMS merges directly into existing message threads from legitimate delivery services, making the scam harder to detect.
While the exact threat actor behind the campaign remains unknown, researchers identified similarities between the phishing infrastructure and the Darcula phishing kit, a Chinese-language Phishing-as-a-Service (PhaaS) platform.
Darcula reportedly provides cybercriminals with more than 20,000 counterfeit domains and hundreds of phishing templates that imitate major brands such as postal services, banks, airlines, and government platforms.
The toolkit has been linked to attacks in over 100 countries and is often distributed through underground Telegram channels.
Many phishing domains used in the campaign rely on low-cost top-level domains such as .xyz, .shop, .top, .click, .sbs, and .cc, which allow attackers to quickly deploy disposable websites that mimic legitimate courier portals.
Researchers warn that shipment tracking scams are only part of a broader phishing ecosystem. The same infrastructure has been used to target online shopping platforms, transportation services, telecom providers, subscription services, and utility payments.
Security experts advise users to avoid clicking unsolicited tracking links sent via SMS. Instead, customers should verify shipment status directly through official courier websites or through tracking links provided by legitimate e-commerce platforms.
The rapid growth of these scams highlights how cybercriminals are exploiting consumer behavior and delivery anxiety to drive phishing engagement at scale.
Businesses are also encouraged to strengthen domain monitoring, customer awareness campaigns, and anti-phishing protections to reduce the impact of these increasingly sophisticated social engineering attacks.
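As a starting point for the kind of monitoring described above, the following added example (not from the researchers or any courier) scores an SMS body on three traits the article names: delivery-failure wording, a link on one of the listed low-cost TLDs, and a courier brand name in a hostname that is not the brand's own. The brand "examplepost", its official domain and the sample messages are hypothetical placeholders.

```python
import re
from urllib.parse import urlsplit

# TLDs the article lists as common for these disposable phishing domains.
LOW_COST_TLDS = {"xyz", "shop", "top", "click", "sbs", "cc"}
# Assumption: brand token -> official domains (hypothetical placeholder values).
OFFICIAL = {"examplepost": {"examplepost.example"}}
# Lure wording paraphrased from the article's description of the SMS.
LURE = re.compile(
    r"deliver\w*\b.{0,80}\b(fail|unsuccessful|returned)"
    r"|update (your )?address|redeliver|small fee", re.I | re.S)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def is_official(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage_sms(text):
    """Return (score, reasons) for one SMS body; a higher score is more suspicious."""
    reasons = []
    if LURE.search(text):
        reasons.append("delivery-failure lure wording")
    for url in URL.findall(text):
        host = host_of(url)
        tld = host.rsplit(".", 1)[-1]
        if tld in LOW_COST_TLDS:
            reasons.append(f"low-cost TLD .{tld}")
        for brand, domains in OFFICIAL.items():
            # Hyphens are stripped so "example-post" still matches the brand token.
            if brand in host.replace("-", "") and not is_official(host, domains):
                reasons.append(f"brand '{brand}' on non-official host {host}")
    return len(reasons), reasons

# Constructed sample messages, not taken from the campaign.
SAMPLES = [
    "ExamplePost: delivery failed after 2 attempts. Update your address: "
    "https://example-post-track.top/r?id=1",
    "ExamplePost: your parcel is out for delivery. Track: "
    "https://www.examplepost.example/t/1",
]
for sms in SAMPLES:
    print(triage_sms(sms))
```

The score is a triage aid, not a verdict: legitimate senders also use some of these TLDs, and lookalike hostnames built with homoglyphs or punycode are not caught by the plain substring match.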
