"Phishing Alert! XSS Vulnerability in UPS.com Distributes Malicious Invoice"

Phishing remains one of the most common ways for cybercriminals to spread malware and steal personal information. Fraudsters are using a Cross-Site Scripting (XSS) vulnerability in UPS.com to distribute fake United Parcel Service (UPS) invoices in the form of Microsoft Word documents. The fake invoice appears legitimate because it contains elements and links that closely resemble those of an actual invoice. However, the document itself does not perform any malicious action. Instead, the tracking number in the document links to the UPS website containing the JavaScript XSS exploit. XSS attacks involve injecting client-side scripts into web pages viewed by other users. Exploiting an XSS vulnerability could allow attackers to bypass access controls, such as the same-origin policy. This article continues to discuss the abuse of an XSS vulnerability in UPS.com to distribute a malicious invoice-like document.

CISO MAG reports "Phishing Alert! XSS Vulnerability in UPS.com Distributes Malicious Invoice"

Submitted by Anonymous on