Royal Mail-owned logistics company GLS has apparently been hit by a cyberattack using infostealing malware, Gozi. Screenshots shared online show that cybercriminals are using legitimate company email addresses and phone numbers to implement a phishing scam targeting employees and customers of the organisation.
The goal of the attack appears to be to infect victims with Gozi malware, a banking trojan that has been updated to lift credentials and implement spyware. The criminals behind the attack appear to have access to emails and phone numbers of customers and staff.
GLS operates across 41 European countries, as well as in the US and Canada. It is a subsidiary of International Distributions Services, Royal Mail’s parent company, and posted revenue of €4.2bn in the 2021/22 financial year.
How GLS group was breached in infostealing cyberattack
The attack is targeting Italian employees and customers of GLS with nefarious emails and texts.
The malware being used, Gozi, is “a well-known banking trojan which now has many variants, and capabilities such as info-stealing, keylogging and malicious redirects,” explains Louise Ferrett, threat intelligence analyst at Searchlight Security. “Recipients are prompted to download the attachment titled ‘rimessa cassegni’ (Italian for cashier’s remittance) as the method of malware delivery,” she says.
Screenshots of the nefarious emails and the malware cloaked within them are circulating online.
One of the emails, translated from Italian, reads:
“There have been attempts at fraud with the unauthorised use of the GLS name and brand inserted in communications via email and SMS, which therefore appear to come from our company.
“We remind you that GLS does not send emails or text messages requesting payments through links pointing to online sites. We therefore invite our customers and recipients not to release and provide personal or bank details.”
This attack comes just two months after ransomware gang LockBit’s devastating attack on the Royal Mail, which targeted its international dispatch services.
The company has admitted to Tech Monitor that GLS Italy is currently suffering “several phishing campaigns using the company’s name to send fake e-mails targeting random Italian citizens. GLS Italy is taking all necessary measures to address the issue and has informed the local authorities to investigate the matter. We would like to highlight that we have no evidence of a data breach or a successful cyber-attack at GLS,” explained a spokesperson.
Gozi is one of the oldest malware families
There is “clear evidence that an attack has taken place,” says Jon DiMaggio, chief security officer at security vendor Analyst1. “Criminals appear to be weaponising modified banking malware that is paired with domains that can’t be taken down, in order to conduct an attack,” he says.
Gozi is one of the oldest malware families, having been active for more than twenty years. It was ranked 2020’s second most active strain of malware, responsible for more than 30% of malware infections, according to a blog post from Blackberry.
Also known as Ursnif, Dreambot, Papras and Snifula, Gozi first appeared in 2000. Since then its source code has been disclosed publicly on several occasions, meaning it is one of the most commonly modified malware strains. The Gozi family of malware includes a growing number of highly effective variants with a wide array of modular features, and in 2021 it was highlighted as a top malware strain of concern by the US government’s CISA cybersecurity agency.