2020 seems to have made everyone go a little bit crazy. I know I feel it. My treat intel feed alone would drive a monk to drink. Cybercriminals (and their more traditional counterparts) have been ramping up their attacks since February, seeking to capitalise on our incessant state of tension and distraction. That make sense … normal people are far more likely to fall for a deception-based attack – like a phishing e-mail or a social engineering phone call – when we’re unfocused. Emotion-based lures are significantly more effective on victims who aren’t giving their inbox their full attention. Between the increase in the quality of attacks our increased vulnerability, it’s wise to treat everything out of the ordinary as possible attack until proven otherwise.
That brings us, ridiculously enough, to The Mysterious Package What Arrived on Monday (a.k.a., TMPWAoM, or “tamp-wham” if you’re feeling cheeky). Here’s what happened:
For context, I’ve been working from home since February. I’m the only person in our family that can work exclusively from home. My “office” is a repurposed infant’s bedroom next to the front door. My monitor is right in front of the room’s only window, allowing me to spot the postal carrier, trash and recycling collectors, door-to-door salespersons, and political canvassers as they all come and go. That’s how I first noticed TMPWAoM get dropped off just outside my window.
For additional context, our neighbourhood experienced a run of stolen mail and packages a few years back. Children from two different families would regularly steal items off of other families’ porches and out of unlocked mailboxes, just to be annoying little vandals. Even though those hooligans have moved away, we all still have a neighbourhood norm that all items dropped off by one’s front door must be swiftly brought inside as a sort of pre-emptive defence against theft.
So, when one of our three usual FedEx delivery drivers (I know them by the sound of their preferred radio station by now) pulled up and tossed a package on my doormat, I dutifully paused my work and secured the package in accordance with Standard Operating Procedure.
Of course, we can’t ever be sure that a package left on one’s front step is actually yours. We’ve experienced several incidents of … let’s say “less than diligent” … delivery drivers giving us other people’s packages. Every time I secure a new delivery, I check the label to ensure it’s meant to be ours. If it isn’t, I’ll carry it over to the correct address. Sure enough, TMPWAoM was addressed to my oldest, so I thought nothing of it. We have a designated place to set all new deliveries and mail so everyone can spot their new stuff as soon as they return home. Again, SOP.
My oldest got home from work at half six, spotted his new package, and expressed surprise. “I not expecting anything,” he said. He double-checked the label to confirm it really was meant for him, hefted the item, and looked very confused. “I have no idea what this is,” he told us.
At this prompt, the entire family went into security analyst mode. TMPWAoM had arried in a normal FedEx polymer envelope. It looked to be a box of tissues by its peculiar dimensions. It was addressed correctly and had been delivered by a liveried driver in a marked FedEx van. All of its trappings made it seem legitimate. Being unexpected, however, violated the “context violation rule” that I teach in phishing defence: whenever a new item appears in your inbox referencing a subject that you’re neither expecting nor familiar with, treat it as suspicious content and start looking for indicators that it’s an attack. The same principle applies to physical packages. If you weren’t expecting it, consider it dodgy.
We all stopped eating dinner and watched while my oldest opened the envelope. The only thing inside it was a box … A box of crimson-dyed, disposable, paper surgical masks. My oldest looked perplexed. He commented that he’d never ordered any such thing and we believed him. His employer issues their staff new single use masks every day. My wife crafts custom reusable face masks for … everyone, really. I have a half dozen here on my desk custom made for me.
Strangely, there was no standard Amazon shipping document inside the envelope. Had TMPWAoM been a gift – weird as that might have been – there would be a printed gift note with the item(s). Here, nothing. Doubly mysterious.
We began speculating as to what kind of fraud this might be (if, indeed, it was malicious). We’re all versed in office supply scams. I had to shut down a half dozen toner subscription scams back when I worked in government service. Maybe this was an attempt to fake an order for a very common consumable so they later could invoice us for 5X or 10X times its actual market rate. Maybe the scammer mistook our home address for a local business and was trying to “evidence” an office supply scam. Masks, though … cheap ones are kinda common these days.
We then examined TMPWAoM for possible physical hazards. I ran a military mail room once, one where we had to deal with mailed death threats, fake package bombs, and even fake biological weapons. We scrutinized the “box of masks” (“as if that’s your real name!”) for weight, balance, signs of leakage, exposed wiring, the presence of powder or liquid stains, strange smells, evidence of tampering … and found nothing. TMPWAoM was just a very light box wrapped in plastic that appeared wholly unadulterated. Like a box of cheap masks.
Dinner was cold by this point, but no one cared. The whole house – even our dog! – was fascinated by the possibilities implied by TMPWAoM’s arrival. What the heck was going on?
After some haranguing, my oldest retrieved his laptop and searched through his Amazon order history. Eventually he managed to piece together what had probably happened by correlating the “package shipment” history records on multiple recent orders:
The week before, he’d purchased a movie. Specifically, the Blu-Ray edition of 1975’s The Rocky Horror Picture Show. Due to it being out of stock and the usual pandemic shipping delays, Amazon said, this order wouldn’t be completed until the following week. My oldest didn’t need the disc until the following weekend, so he put it out of his mind and hadn’t associated it with TMPWAoM until he correlated the “your package was delivered on” e-mail with his TRHPS order. It came early! … Sort of.
As near as we could figure, somehow some underpaid, overworked, and probably infected Amazon “fulfilment centre” worker had gone looking for the movie to complete this order and substituted a box of bright red face masks for an optical disk adored with Tim Curry’s visage. I mean … I can kind of see a connection … Tim Curry wore bright red lipstick for most (all?) of his performance in TRHPS … masks are meant to be worn over one’s mouth … all the masks in this box were all lipstick red … so … maybe this was a quasi-logical substitution? Perhaps the tenuous connections drawn by a fever-addled nightshift worker’s mind? Maybe?
Whatever the cause, the end result was surreal. My oldest had ordered a $10 movie and received a $25 box of disposable face masks instead that was probably earnestly needed elsewhere. We lost a half hour of our evening wracking our brains trying to figure out what the criminal’s intent might be with the bizarre package while our pasta got cold. Not the worst surprise you can experience a bloody global pandemic by miles. Funny, too, once we sorted it.
That being said, our little Crimson Mask Mystery illustrates just how we’ve all had to change our lives since the pandemic began. Phishing attacks alone increased 350% during the first six weeks of the crisis and have only gotten worse (I’ve heard estimates of up to 6,200% increases against some sectors). In the larger scheme of things, all types of fraud attempts have mushroomed. Every type of scam, swindle, and social engineering that might make a buck has been on the rise throughout 2020 … and our reactions to the rising threat – as individuals, as families, and as businesses – have had to ramp up proportionally. In many cases, the increased vigilance hasn’t been sufficient to counter the threat.
Why? Because we’re constantly under pressure thanks to the incessant, demoralizing newsfeed of everything happening in the world. As the famous “Criminologist” character from TRHPS grimly opined about Tim Curry and company’s singing house of horrors: “Emotion: Agitation or disturbance of mind; vehement or excited mental state.” That’s what we’re all drowning in right now. Emotional pressure to cope with far too much for far too long without a break. That’s why we’re distracted, and that’s what makes us especially vulnerable to a well-crafted ruse. That’s also why we have to take the little things – like a mysterious box of unsolicited masks – seriously. For a while, anyway.
Sure, the odds of one box of unordered disposable masks doesn’t seem much like a harbinger of doom. It seems kind of normal compared to out-of-control infection rates and rising authoritarianism and BREXIT and the looming spectre of economic collapse and another ill-conceived Batman movie … But, then, that’s why such a little thing works so well a prop in an insidious fraud scheme. In and of itself, it looks harmless … so you’re less likely to pay attention until it’s too late.
The same principle applies to, say, an innocuous looking e-mail from your bank urging you to “confirm your contact details” on a new server in Serbia. Like the three rather convincing credential theft phishing e-mails I received – ostensibly from my bank – in the time it took me to type the first page of this column.
The moral here is that we must understand and accept that we’re constantly being attacked, all of us, and we have to recognize every attempt every time. Therefore, we have to take precautions and consider the worst-case possibilities every time we encounter something peculiar. The baddies aren’t about to let up; they’re determined to steal our money, our information, and our access by any means possible. Pandemic world is their ideal hunting grounds … and if we stop being appropriately sceptical, they’re eventually going to get one by us. Stay vigilant.
Pop Culture Allusion: Richard O’Brien and Jim Sharman, The Rocky Horror Picture Show (1975 cult classic film)
