An updated version of the FakeSpy Android malware family is actively targeting Royal Mail app users, according to Computer Weekly. Evolving rapidly, this new version of FakeSpy is significantly more powerful than previous iterations. Researchers from Cybereason’s Nocturnus have found that the malware’s developers are coding in new evasion and obfuscation techniques, and releasing new versions on a weekly basis. Having initially targeted Android users in Japan and South Korea, the malware has now begun are exploiting the brands of postal services companies in many other countries, including France’s La Poste, Germany’s Deutsche Post, and the US Postal Service, as well as Royal Mail in the UK. FakeSpy relies on smishing, such as fake notifications of a held package or missed delivery, to worm its way inside its victims’ devices.
The challenge for the individuals and organisations building delivery apps such as the ones targeted by the latest FakeSpy variation is building a process that enforces MFA without introducing too much end-user friction; balancing the risk and user-acceptance is key. For example, using an MFA solution that supports Adaptive Authentication with a variety of options ranging from hard tokens to mobile apps to SMS messages will allow a new system to be rolled out quickly across the workforce without impeding the workforce productivity. A key security requirement with the mobile workforce (which we now all are to a certain extent due to the COVID-19 restrictions) is identity. Validating who and what is trying to connect into the companies technology environment in this case postal service providers. This is where 2-factor authentication comes into play — validating the identity of the end-user, combined with the device connecting in. Leaders in this field also validate the security posture of devices trying to get access, reducing risk of malware-infected devices gaining access. In addition to this, users of these apps should ensure they engage with proper password hygiene and do not reuse passwords across multiple accounts which may hold sensitive information.
Fake texts from postal services work extremely well, as the victims expect an unknown number, and – even if they haven’t ordered something – they assume the message is genuine, clicking through to any given links.
As more of us shop online than ever before, it is easy to lose track of the sheer number of parcels ordered, increasing the possibility of a slip-up. However, the security advice remains the same. You must always remain vigilant to any message received, as it’s not just phishing emails that contain dodgy links.
Most scam artists won’t know details such as your name and address, but this doesn’t mean it is not a scam if those details are embedded in the message. If the message is genuine, there will usually be a physical note left behind for missed deliveries. Better still, individuals should log on to the genuine delivery website without clicking on any given link in a text, and look up the expected deliveries from there. If they don’t exist on the site, then you can block the scam text number.
If users feel they have been conned into giving away details, they should think about upping their security and changing any passwords if they were divulged