According to La Poste, this is the first scam to combine a physical and a digital medium. A scam built on fake delivery notices in the postal company's name has just been uncovered after its methods were exposed on social media. This unprecedented phishing scheme to steal bank details was spotted near Montpellier.
On August 28 of this year, Flavio Perez tweeted about an odd notice he had received. The document, which uses La Poste’s visual identity, prompts the recipient to scan a QR code or enter a long web address starting with laposte.fr to confirm a new “delivery” of a registered letter with acknowledgment of receipt.
Oh this looks like a beautiful backside La Poste scam (@lisalaposte how do you do that?) Received in my box. Very easy to believe this and end up giving your credit card info! pic.twitter.com/5V6WlL43wI
— Flavio Perez (@flablog) August 28, 2022
As Flavio Perez points out, the link and the QR code then redirect to the malicious site laposteaide.fr. The visitor is then prompted to enter their bank details to pay an amount of 0.97 euros, allegedly so that the mail can be redelivered. “It’s very easy to believe,” notes the netizen, who did not, however, fall into the trap.
The fraud, which experts describe as particularly innovative, relies primarily on paper, a medium that victims tend to trust. The document is carefully crafted: for example, it mentions the tracking number that La Poste uses as an example on its website.
Until now, well-known fake parcel delivery scams have relied on sending an SMS or an email. As the government platform Cybermalveillance notes, these scams aim to steal personal and banking information.
The cybercriminals behind the fake paper delivery notice exploited a flaw in laposte.fr’s configuration that allowed uncontrolled web redirects. This is a known type of vulnerability: the open redirect technique is commonly used in phishing attempts. See, for example, the malicious exploitation of an FBI website flagged by specialist journalist Brian Krebs last July.
The postal company says it has since deployed a patch that prevents the creation of a redirect web address rooted in laposte.fr. Although La Poste has not provided technical details, defining a whitelist or banning certain characters are the classic countermeasures. The scam site laposteaide.fr is also no longer available. Finally, the company reminds customers that it never asks for money for the redelivery of a registered letter or parcel.
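The two classic countermeasures named above (a whitelist of redirect targets and a ban on certain characters) can be sketched as follows. This is an added example, not La Poste's patch, whose details are not public; the allowlisted hosts, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example; a real site lists its own hosts.
ALLOWED_HOSTS = frozenset({"laposte.fr", "www.laposte.fr"})


def naive_is_allowed(target: str) -> bool:
    """Weak check: brand-name substring match, which lookalike hosts pass."""
    return "laposte" in target


def is_allowed_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept same-site paths, or https URLs whose host is exactly allowlisted."""
    # Ban backslashes, control characters and surrounding whitespace: browsers
    # may normalise them differently from the server-side parser.
    if not target or target != target.strip():
        return False
    if any(c == "\\" or ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: only a single-slash path stays on this site.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://laposte.fr@other-host/" style userinfo
    return parts.hostname in allowed_hosts


# Constructed sample targets (only laposteaide.fr is named in the article).
SAMPLES = [
    "/suivi/lettre-recommandee",
    "https://www.laposte.fr/outils/suivre-vos-envois",
    "https://laposteaide.fr/paiement",
    "//laposteaide.fr/paiement",
    "https://laposte.fr@laposteaide.fr/",
    "https://laposte.fr.laposteaide.fr/",
    "/\\laposteaide.fr",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r:55} naive={naive_is_allowed(url)!s:5} strict={is_allowed_redirect(url)}")
```

The substring check accepts every lookalike host in the sample list, while the exact-host comparison accepts only the first two targets.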