Unmasking CDEK Delivery Scam: A Step-by-Step Investigation (English version)
After a colleague fell victim to the same CDEK delivery scam I investigated several years ago, I decided to translate my findings for a wider audience. The original article (in Russian) is available here.
We’ve all been there: anxiously awaiting a package and then receiving a seemingly legitimate message about a delivery issue. But what if that message is a trap? Recently, I encountered a sophisticated phishing scam using the CDEK name (a popular delivery company in Belarus and Russia), and I decided to investigate. I was suspicious from the start, and what I uncovered revealed a well-orchestrated operation designed to trick unsuspecting victims. I hope this article will be useful and help someone avoid losing money.
So, let’s begin. About two days after I posted an ad for selling a children’s table on a marketplace called Kufar.by, I received a Viber message from a Ukrainian number. The sender, a woman named Margarita, said she was interested in my ad. After a few usual questions about the condition of the item, Margarita said she wanted to buy the table and asked if I would consider sending it via courier delivery. I replied that I had never done that and didn’t quite understand the process. Margarita sent me a screenshot from the CDEK website and briefly explained it: the buyer transfers the amount to a CDEK service account, and after I send the item, I receive the money. In this scenario, CDEK acts as an intermediary and guarantor of the deal. It seemed logical.

Margarita added that she would fill out the delivery form for me, since I wasn’t very familiar with it. For this, she asked for my full name and home address. Shortly after, Margarita wrote that she had made the payment and sent me a link to a page. Below is a screenshot of the page.
Here, a few things caught my attention.
First, the service was hosted on the domain https://cdek.tel, whereas in Belarus the CDEK website is located at https://cdek.by. To be honest, I was somewhat reassured by the padlock icon in the browser’s address bar, which indicated that the site had a trusted TLS certificate, just like a normal site.
I entered https://cdek.tel in the browser and was redirected to https://cdek.by. Here, I began to blame myself for being distrustful and tormenting the honest buyer Margarita. Who knows? Maybe CDEK centrally hosts some of its services for all countries on the cdek.tel domain?
At this stage, I didn’t yet suspect what interesting things lay ahead.
For curiosity’s sake, I decided to compare the certificates on both sites. Hmm… Interestingly, https://cdek.by uses a free certificate from Let’s Encrypt, while https://cdek.tel uses a Cloudflare-issued certificate for sni.cloudflaressl.com.
At this point, I suspected that Margarita was probably not who she claimed to be: https://cdek.tel was very likely a fraudulent (phishing) site behind a free Cloudflare CDN subscription, which, besides CDN and DDoS protection, also provides SSL offloading.
In more detail: https://cdek.tel is likely a plain HTTP site without a trusted (legitimate) TLS certificate of its own, and the domain cdek.tel hosts its DNS zone on Cloudflare. So, when you access https://cdek.tel, you land on a Cloudflare load balancer that, in turn, forwards the traffic to the real site. The real site can be on either HTTP or HTTPS, but we cannot see that traffic because it all stays behind Cloudflare. This is the most typical scenario for using a load balancer. Below is an image from the Cloudflare site explaining this method of traffic redirection.
The scenario where the origin site uses HTTP. Cloudflare calls this Flexible SSL: the traffic from Cloudflare to the real site is unencrypted.
The scenario where the origin site uses HTTPS. Cloudflare calls this Full SSL: the traffic from Cloudflare to the real site is encrypted.
You can read more about this here: https://www.cloudflare.com/ssl/.
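The certificate comparison above, as an added example that is not part of the original article: a small Python triage helper that applies the same checks to the names and issuer a host presents. The brand-domain list and the two certificates are constructed assumptions modelled on what the article describes (in the format `ssl.getpeercert()` returns), and `fetch_cert` can replace them with a live certificate.

```python
import socket
import ssl
from fnmatch import fnmatchcase

# Domains the brand is known to use (assumption for this example).
KNOWN_BRAND_DOMAINS = {"cdek.by", "cdek.ru"}
# Constructed certificates in the shape ssl.getpeercert() returns; they model the
# article's observation and were not captured from the real hosts.
LEGIT_CERT = {
    "subject": ((("commonName", "cdek.by"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "cdek.by"), ("DNS", "www.cdek.by")),
}
FRONTED_CERT = {
    "subject": ((("commonName", "sni.cloudflaressl.com"),),),
    "issuer": ((("organizationName", "Cloudflare, Inc."),),),
    "subjectAltName": (("DNS", "sni.cloudflaressl.com"), ("DNS", "*.cdek.tel"), ("DNS", "cdek.tel")),
}

def fetch_cert(host, port=443):
    """Fetch the leaf certificate a live host presents (needs network; not used below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries plus the subject CN."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names |= {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    return {n.lower() for n in names}

def registrable(host):
    """Naive registrable domain (last two labels); fine for .by/.ru/.tel, not for co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def triage(host, cert):
    """Compare the hostname with the names and issuer on its certificate."""
    host = host.lower()
    names = cert_names(cert)
    findings = []
    if not any(fnmatchcase(host, n) for n in names):  # loose wildcard match, enough for triage
        findings.append("certificate does not cover the hostname")
    foreign = sorted(n for n in names if registrable(n.removeprefix("*.")) != registrable(host))
    if foreign:  # one certificate serving unrelated names: TLS is terminated at a CDN edge
        findings.append(f"shared certificate also valid for {foreign}: TLS ends at a CDN edge")
    brand = registrable(host).split(".")[0]
    if registrable(host) not in KNOWN_BRAND_DOMAINS and any(d.split(".")[0] == brand for d in KNOWN_BRAND_DOMAINS):
        findings.append(f"'{brand}' under a TLD the brand is not known to use")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {"issuer": issuer.get("organizationName", "unknown"), "findings": findings}
```

For the constructed data, `triage("cdek.by", LEGIT_CERT)` reports nothing, while `triage("cdek.tel", FRONTED_CERT)` flags the shared edge certificate and the unexpected TLD.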
Let’s get back to Margarita, or rather to our scammers. Out of curiosity, I decided to go further and clicked the “get payment” button. Here, a few things stand out right away.
- The site requires me to enter the CVC code of the card, which is not needed for receiving money. The CVC code is used for making payments, not for receiving them.
- An incomprehensible set of characters is displayed in the chat window when you click the chat icon.
At this stage, I could have stopped, as everything was already clear, but I decided to go further and didn’t regret it. I entered false card details and clicked the “Get” button, hoping to get my 40 roubles… ))))
And here we see that our scammers have absolutely no shame. Under the pretext of a security check, they ask for my card balance (PayPal’s checks pale in comparison). In reality, the bad guys are trying to find out the balance on the card so they can withdraw exactly that amount. We indicate that we have a million rubles and proceed.
At this final stage, our “friends” are trying to bypass 3-D Secure protection. You can read about 3-D Secure here: https://wikipedia.org/wiki/3-D_Secure. Briefly, it’s a protocol used as an additional layer of security in online purchases, providing two-factor authentication of the cardholder. Usually, when making an online purchase, the cardholder has to confirm the payment by entering an SMS code sent to the mobile number registered when the card was opened. In our case, since the scammers don’t have access to our phone, they ask us to provide them with the SMS code.
If you noticed, for 3-D Secure authentication (entering the SMS code) we are normally redirected to the bank’s page. In our case, some shady page at https://cdek.tel/3ds is asking for the 3-D Secure SMS code.
At this stage, if you enter the code, the scammers will most likely withdraw all the funds from your card. They have everything they need for that. They also have our address, which is usually the billing address; Margarita asked for it when “helping” us fill out the courier delivery form.
Regardless of what code you enter on that page, the site returns an error page. This can be clearly seen in the analysis of the HTTP traffic. Unfortunately, I forgot to save the screenshot with the error. Traffic analysis reveals a lot more interesting things about this site, but more on that next time.
To summarize everything briefly and in non-technical language: under the pretext of sending you money for your item, the scammers redirect you to a fake site where you hand over all your card details, including the 3-D Secure SMS code. Meanwhile, they use your card to withdraw or transfer money or to make online purchases.
Remember, there are a lot of scammers on the internet today, and the techniques they use are becoming more sophisticated and confusing every day. A person far from internet technologies may not always catch the signs of online fraud. If someone or something asks for your personal or card details, plus the SMS code sent to your personal phone, there’s a very high chance it’s scammers. Stay vigilant. Unfortunately, there’s no such thing as a free lunch in this world, especially not on the internet.
If someone sends you a link to a well-known resource for payment, don’t use that link. Go to the actual site and try to make the payment from there. For example, in my case, I also tried to find the order number on the official website http://CDEK.by, which, of course, I couldn’t do.
Key Takeaways
- Be wary of unexpected delivery messages, especially those asking for personal information or payments.
- Verify the sender’s information independently. Don’t click on links in suspicious messages.
- Contact the supposed delivery company directly through their official website or phone number to confirm the message’s legitimacy.
- Report suspected scams to the appropriate authorities and the company being impersonated.
On my part, I notified Cloudflare, the national Computer Emergency Response Team of Belarus (CERT.by), and Publicdomainregistry. As a result, the domain “cdek[.]tel” was blocked within a day.
Thank you for reading until the end.