
No, your SL Post delivery hasn’t been suspended

In what appears to be another widespread smishing attack, a fraudulent SMS has been making the rounds claiming that SL Post packages are stuck in delivery due to an incorrect address. The text in question reads something along the lines of, “Delivery of your item has been suspended due to a missing street number on the item. please update [link].” While the keen-eyed may notice the dubious nature of the text immediately, it doesn’t take much to be duped by such a message.

https://twitter.com/sanjiva/status/1700337643933077906?s=20

The attack looks to emulate Sri Lanka Post: the short link included in the SMS directs unsuspecting users to a webpage that’s identical to the official site. Of course, the domain itself is a dead giveaway considering it’s slpostgovlk[dot]top instead of the actual site, slpost.gov.lk. Chances are, if you attempt to browse the link on a desktop your antivirus may issue a “phishing” attack warning. Even its SSL is a three-month certificate that was issued as recently as the 5th of September, the same day the site was created.
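The two giveaways described above (the official name with its dots removed under a different TLD, and a certificate issued the day the domain was created) can be checked mechanically. The following is an added example, not code from the article or from SL CERT; the function names and the 30-day freshness threshold are assumptions, and the certificate and registration dates are passed in by the caller rather than looked up.

```python
from datetime import date
from urllib.parse import urlsplit

# Official domain named in the article; extend with other brands to protect.
OFFICIAL = ["slpost.gov.lk"]

def squash(text):
    """Lower-case and drop every non-alphanumeric character (dots, hyphens, '@')."""
    return "".join(c for c in text.lower() if c.isalnum())

def parse(url):
    """Undo '[dot]' defanging, add a scheme if missing, return (hostname, netloc)."""
    url = url.strip().replace("[dot]", ".").replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.netloc

def classify(url, cert_issued=None, domain_created=None, today=None, fresh_days=30):
    """Return (verdict, reasons) for a link received by SMS."""
    host, netloc = parse(url)
    reasons = []
    for official in OFFICIAL:
        # Only the exact domain or a true subdomain counts as official.
        if host == official or host.endswith("." + official):
            return "official", ["host is %s or a subdomain of it" % official]
        # The official name with separators stripped, anywhere in the authority.
        if squash(official) in squash(netloc):
            reasons.append("imitates %s but is hosted on %s" % (official, host))
    lookalike = bool(reasons)
    if cert_issued and domain_created and cert_issued == domain_created:
        reasons.append("certificate issued the same day the domain was created")
    if today and domain_created and (today - domain_created).days <= fresh_days:
        reasons.append("domain is only %d days old" % (today - domain_created).days)
    if lookalike:
        return "lookalike", reasons
    return ("suspicious" if reasons else "unknown"), reasons

if __name__ == "__main__":
    # Constructed sample using the domain and dates mentioned in the article.
    print(classify("slpostgovlk[dot]top", cert_issued=date(2023, 9, 5),
                   domain_created=date(2023, 9, 5), today=date(2023, 9, 9)))
```
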

The Sri Lanka Post of it all

But for anyone who had the misfortune of falling victim and visiting the fraudulent webpage, it’s worth noting that you wouldn’t need to submit the form to have your data scraped. The site saves your input when you fill out the text fields before the “Update Immediately” button is even clicked. If you do proceed, the site will eventually ask for your credit card details for an “online payment.” With some losing as much as LKR 110,000, any unsuspecting user is more than likely to get duped.

Screenshot of a phishing site that emulates SL Post's official website
The phishing site looks almost indistinguishable from the actual SL Post website

According to @ishanmarikar on Twitter, this attack shows some eerie similarities to another scheme that took place in Romania a few months ago. Meanwhile, both SL CERT and SL Post itself have already issued warnings in light of the SL Post smishing attack. SL Post previously published an alert around June, warning users against the same scam. Incidentally, this smishing attack goes back even further, dating back to January 2022.

Commenting on the incident, SL CERT’s Chief Information Security Officer Nirosha Ananda says that the matter has been escalated to the Computer Crime Investigation Division in hopes of taking legal measures. This includes suspending the identified numbers that initiated scam SMS through telcos and “initiating actions to take all fraudulent web portals offline through respective Hosting Service Providers.” He further states that SL CERT is also “investigating the matter comprehensively.”

But this is only the latest iteration of a widespread scamming effort. During the past couple of years alone, scams have taken all shapes and forms in Sri Lanka, ranging from the Ceylon Electricity Board getting defrauded to crypto scams sponsoring national cricket leagues. With some of these scams managing to swindle as much money as LKR 15 billion from Sri Lankans, authorities have also started being more proactive around the subject. Unfortunately, it’s not always at the same pace. For instance, when issues around MTFE’s Lanka Premier League sponsorship were raised, the Central Bank of Sri Lanka only published a warning against the operation once the tournament concluded.

Lagging digitalization efforts

Another part of this comes down to the digitalization factor, particularly with regard to state enterprises. While the COVID-19 pandemic and last year’s #EconomicCrisisLK pushed digital adoption forward, many of the e-government initiatives continue to lag. Additionally, many of the existing government websites are accompanied by outdated designs with the UI/UX doing little to instill confidence among the general populace. It certainly doesn’t help when an alarming number of them don’t even have a valid SSL certificate.

In the case of SL Post, a modernized package tracking system and a stronger online presence would have gone a long way in mitigating the effectiveness of the smishing attack. However, ideas of modernizing SL Post have been in conversation for years. Even back in early 2020, there were talks of updating SL Post by introducing e-bikes for postmen and an official app for managing package deliveries. Almost four years later, neither has come to fruition. What’s worse, the lagging digital footprint has left everyday citizens open to exploitation by malicious actors.

Reporting suspicious activity

If you suspect fraud in relation to Sri Lanka Post, you can report to the department via the following:

Hotline: 1950
IT Unit, Sri Lanka Post: 011 2542104, 011 2334728, 011235978, 0112687229, 011 2330072
WhatsApp: 0742496323
Email: [email protected]

Alternatively, you can report to SL CERT via email to [email protected] or by dialing the hotline 101.

[Update 09/09/2023]: Updated article to include comment from Sri Lanka CERT. We also added more context about the phishing site collecting credit card details to siphon money out of users.


Written by Neville Lahiru

You'll often find him immersed in all things tech and interactive media. Spends his off-hours trying to catch up on the annual Goodreads reading challenge (and fails) or gaming the night away with Apex Legends. Also, spends too much time on Twitter.
