March 22, 2023 (updated 27 Jun 2023 10:00am)

Royal Mail-owned logistics company GLS hit by infostealing cyberattack

The logistics company's staff and customers are being targeted with phishing emails from apparently legitimate sources.

By Claudia Glover

Royal Mail-owned logistics company GLS has apparently been hit by a cyberattack using the infostealing malware Gozi. Screenshots shared online show cybercriminals using legitimate company email addresses and phone numbers to run a phishing campaign against employees and customers of the organisation.

Royal Mail international dispatch partner GLS hit by infostealing cyberattack. (Photo by Kamil Zajaczkowski/Shutterstock)

The goal of the attack appears to be to infect victims with Gozi, a banking trojan that has since gained credential-theft and spyware capabilities. The criminals behind the attack appear to have access to the email addresses and phone numbers of customers and staff.

GLS operates across 41 European countries, as well as in the US and Canada. It is a subsidiary of International Distribution Services, Royal Mail’s parent company, and posted revenue of €4.2bn in the 2021/22 financial year.

How GLS group was breached in infostealing cyberattack

The attack is targeting Italian employees and customers of GLS with malicious emails and text messages.

The malware being used, Gozi, is “a well-known banking trojan which now has many variants, and capabilities such as info-stealing, keylogging and malicious redirects,” explains Louise Ferrett, threat intelligence analyst at Searchlight Security. “Recipients are prompted to download the attachment titled ‘rimessa cassegni’ (Italian for cashier’s remittance) as the method of malware delivery,” she says.

Screenshots of the malicious emails and the malware attached to them are circulating online.

One of the emails, translated from Italian, reads:

“There have been attempts at fraud with the unauthorised use of the GLS name and brand inserted in communications via email and SMS, which therefore appears to come from our company.

“We remind you that GLS does not send emails or text messages requesting payments through links pointing to online sites. We therefore invite our customers and recipients not to release and provide personal or bank details.”
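The two indicators the page gives a defender to work with are the lure attachment name quoted by Searchlight Security and GLS's own statement that it never requests payment through links. The following triage script is an added example, not code from the article, GLS or any vendor it quotes: it parses raw e-mail messages with Python's standard `email` package and lists the reasons a message looks like this campaign. The legitimate sender domain (`gls-italy.com`), the `Authentication-Results` header format, and all three sample messages are constructed assumptions for illustration.

```python
"""Triage e-mails for the GLS-branded Gozi lure described in the article.

Added example. Assumptions (not from the page): the receiving MTA stamps an
Authentication-Results header carrying a DMARC verdict, and the legitimate
sender domain is gls-italy.com. Sample messages below are constructed.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

LEGIT_DOMAIN = "gls-italy.com"  # assumption for the example
LURE_NAMES = ("rimessa cassegni", "rimessa assegni")  # lure title quoted on the page
RISKY_EXTENSIONS = (".zip", ".rar", ".iso", ".js", ".vbs", ".docm", ".xlsm", ".lnk")
PAYMENT_WORDS = ("pagamento", "pagare", "payment", "pay now")


def dmarc_result(msg) -> str:
    """DMARC verdict from Authentication-Results; 'none' if the header is absent."""
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def check_sender(msg):
    """Flag GLS branding that is not backed by the real domain plus a DMARC pass."""
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if "gls" not in (name + " " + addr).lower():
        return None  # no GLS branding claimed, nothing to verify
    if domain != LEGIT_DOMAIN:
        return f"GLS branding from non-GLS domain {domain!r}"
    if dmarc_result(msg) != "pass":
        return f"From {domain} but DMARC={dmarc_result(msg)}"  # spoofed real address
    return None


def score_message(raw: bytes):
    """Return the list of reasons a raw RFC 5322 message matches the lure pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender_issue = check_sender(msg)
    if sender_issue:
        reasons.append(sender_issue)
    for part in msg.iter_attachments():  # empty for non-multipart messages
        fn = part.get_filename() or ""
        if any(lure in fn.lower() for lure in LURE_NAMES):
            reasons.append(f"known lure attachment name: {fn}")
        if fn.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable or archive attachment: {fn}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    if re.search(r"https?://", text) and any(w in text for w in PAYMENT_WORDS):
        reasons.append("asks for payment via a link, which GLS says it never does")
    return reasons


def build_sample(from_hdr: str, dmarc, body: str, attachment=None) -> bytes:
    """Construct a sample message (test data only, not a real GLS e-mail)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "cliente@example.it"
    m["Subject"] = "Spedizione GLS"
    if dmarc:
        m["Authentication-Results"] = f"mx.example.it; dmarc={dmarc}"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_bytes()


# Constructed samples: a genuine notification, a spoofed real address carrying
# the lure, and a lookalike sender pushing a payment link.
SAMPLES = {
    "legit": build_sample("GLS Italy <noreply@gls-italy.com>", "pass",
                          "Il tuo pacco e in consegna oggi."),
    "spoofed_lure": build_sample("GLS Italy <info@gls-italy.com>", "fail",
                                 "In allegato la rimessa.", "rimessa cassegni.zip"),
    "payment_link": build_sample("GLS <gls-spedizioni@mail-delivery.example>", None,
                                 "Il pagamento di 2,99 EUR e richiesto: http://gls-pay.example/x"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", score_message(raw) or ["clean"])
```

Run as a script it prints one line per sample; in a pipeline, feed `score_message` the raw bytes of each inbound message and quarantine anything that returns more than one reason. The sender check deliberately treats a DMARC pass from the real domain as clean, so the script cannot tell a compromised genuine mailbox from a legitimate one; that case is exactly why the attachment and payment-link checks run regardless of authentication.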

This attack comes just two months after ransomware gang LockBit’s devastating attack on Royal Mail, which targeted its international dispatch services.

The company told Tech Monitor that GLS Italy is currently suffering “several phishing campaigns using the company’s name to send fake e-mails targeting random Italian citizens. GLS Italy is taking all necessary measures to address the issue and has informed the local authorities to investigate the matter. We would like to highlight that we have no evidence of a data breach or a successful cyber-attack at GLS,” a spokesperson explained.

Gozi is one of the oldest malware families

There is “clear evidence that an attack has taken place,” says Jon DiMaggio, chief security officer at security vendor Analyst1. “Criminals appear to be weaponising modified banking malware that is paired with domains that can’t be taken down, in order to conduct an attack,” he says.

Gozi is one of the oldest malware families, having been active for more than twenty years. It was ranked 2020’s second most active strain of malware, responsible for more than 30% of malware infections, according to a blog post from Blackberry.

Also known as Ursnif, Dreambot, Papras and Snifula, Gozi first appeared in 2000. Since then its source code has been disclosed publicly on several occasions, meaning it is one of the most commonly modified malware strains. The Gozi family of malware includes a growing number of highly effective variants with a wide array of modular features, and in 2021 it was highlighted as a top malware strain of concern by the US government’s CISA cybersecurity agency.

