Just as no man is an island, no company can perform core functions without other organizations’ help. This fact is highlighted in today’s age of outsourcing, partnership, and third-party connections. Unfortunately, threat actors have also found a massive opportunity in these relationships. Targeting a third-party vendor often allows them to target the vendor’s clientele.

In this post, we used our Third-Party Risk Management (TPRM) solutions to look at some of the popularly used express mail courier services that several companies worldwide partner with—FedEx, DHL, China Post, and UPS. These companies are often targeted since they have thousands, if not millions, of personally identifiable information (PII) in their records. In August 2020, for example, a Canadian courier became a victim of a ransomware attack, giving threat actors access to its customers’ personal details.

Potential “Unknowns” in the Digital Footprint of FedEx, DHL, China Post, and UPS

We gathered a total of 24,601 domains and subdomains containing the words “fedex,” “dhl,” “chinapost,” and “ups.” A vast majority of the subdomains were not owned by any of the courier companies, as confirmed by a bulk WHOIS lookup.

Indeed, only 40 domains appeared to be managed by the legitimate companies, as they matched WHOIS record details with the official couriers’ domain names. This number represents less than 1% of the total number of subdomains in our dataset. The table below shows the breakdown.

TLD

We studied the top-level domain (TLD) distribution of the domains and subdomains obtained and ran them against the most abused TLDs known to direct visitors to phishing and botnet command-and-control (C&C) servers. Seven of the most abused TLDs made up more than half (53%) of the total number of subdomains.

The pie chart shows the TLD distribution of the subdomains under the .com, .net, .org, .de, .ru, .info, and .eu TLDs against all other TLDs not included in the list of most abused.

All seven TLDs were among the most abused by botnet operators. The .com TLD was also most favored by phishers. It also figured in 35% of the four couriers’ potential loopholes.

Common Terms Used

Some words commonly appeared along with the courier names. The chart below shows the 10 most commonly used terms revealed.

Among the runners-up were “secure,” “account,” “delivery,” “portal,” and “export.” Aside from these, subdomains with random numbers appearing alongside the couriers’ names were also common. Around 5,000 subdomains contained random strings of numbers, including:

• ups5183[.]carlsoncraft[.]com
• ups518598[.]bmlink[.]com
• dhl007[.]stage-env[.]com
• dhl00[.]static[.]otenet[.]gr
• chinapost1[.]chinapost1[.]org
• fedex13111422[.]bxgjs[.]com
• fedex13111521[.]tjastgg[.]com

This characteristic is consistent with the use of a domain generation algorithm (DGA) commonly employed by botnet operators.

Registrar Distribution

According to a bulk WHOIS lookup, the subdomains were registered under over 100 domain registrars. Among these are 18 of Spamhaus’s top 20 most abused registrars for botnet-related activities. The table below shows the root domain distribution for the top 10 most abused domain registrars.

Domain Age

The bulk WHOIS lookup also revealed that 9.4% of the root domains were created within the past year. Some of them were only a month old at the time of analysis. About 19% were less than five years old and the rest were created before 2015. While all subdomains may require deeper investigation, newer domains can be given a higher priority since newly registered domains (NRDs) are often abused.

This study powered by Third-Party Risk Management (TPRM) solutions reveals that subdomains containing the terms “fedex,” “dhl,” “chinapost,” and “ups” could pose risks to organizations working with these top four courier service providers. Indeed, those brand names could be misused to give a false sense of trust as part of phishing and related attacks.