
Rising USPS Phishing Threats


US Postal Service (USPS) customers have recently been targeted by a growing number of phishing scams. A prominent SMS phishing campaign is attempting to extract users' personal and financial details by impersonating the USPS and postal services in more than a dozen other countries.

KrebsOnSecurity was alerted by a user who received an SMS, seemingly from USPS, indicating a package issue. The included link led to the domain usps.informedtrck[.]com.

This phishing site, mimicking the USPS branding, instructs users to update their address details. After gathering these, the scam progresses to solicit further personal and financial data. Notably, while most buttons on this deceptive page link to the authentic USPS site, the primary intent is malicious.

Ownership details for this recently registered phishing domain are obscured. However, the Developer Tools built into browsers such as Firefox and Chrome reveal more about the operation: the phishing page attempts to load resources from fly.linkcdn[.]to. An analysis at URLscan.io reveals a multitude of related phishing domains.


Interestingly, informedtrck[.]com encounters an error loading a Google Analytics code — UA-80133954-3, originally linked to the legitimate usps.com. This same code has appeared on several phishing sites over the years. Some of these deceptive domains were registered internationally, from Nigeria to Indonesia.
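The two pivots described above (a shared resource host and a brand's Google Analytics ID appearing on a non-brand site) can be turned into a simple check over saved page markup. The following is an added example, not code from the original post or from KrebsOnSecurity; the rule tables, function names, sample markup and the page host `usps.example.test` are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identifiers quoted in the article; pairing them into a rule set is this example's assumption.
BRAND_GA_IDS = {"UA-80133954-3": "usps.com"}
KIT_HOSTS = {"fly.linkcdn[.]to".replace("[.]", ".")}  # refanged only for matching
GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")


class ResourceCollector(HTMLParser):
    """Collect resource hosts and Google Analytics property IDs from markup."""
    def __init__(self):
        super().__init__()
        self.hosts, self.ga_ids = set(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())

    def handle_data(self, data):
        # Inline <script> bodies arrive here, including ga('create', ...) calls.
        self.ga_ids.update(GA_ID_RE.findall(data))


def is_same_site(host, brand):
    """True only for the brand domain or its subdomains, not look-alike prefixes."""
    return host == brand or host.endswith("." + brand)


def assess_page(page_host, html):
    """Return findings for one page whose markup was already retrieved."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for ga_id in sorted(collector.ga_ids):
        brand = BRAND_GA_IDS.get(ga_id)
        if brand and not is_same_site(page_host.lower(), brand):
            findings.append(f"brand GA ID {ga_id} ({brand}) on foreign host")
    for host in sorted(collector.hosts & KIT_HOSTS):
        findings.append(f"loads resources from known kit host {host}")
    return findings

# Constructed sample markup, not captured from any real site.
SAMPLE = ("<script src='https://%s/app.js'></script>"
          "<script>ga('create', 'UA-80133954-3', 'auto');</script>" % next(iter(KIT_HOSTS)))
```

Calling `assess_page("usps.example.test", SAMPLE)` yields both findings, while the same analytics snippet served from `www.usps.com` yields none.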

Further investigation into suspicious domain registrations through Alibaba reveals a significant number, around 300, claiming to be based in "Georgia, AL" - a nonexistent location. These sites target not only USPS but also international postal services, such as Australia Post and PostNord. Additionally, some pose as sites collecting road tolls and fines for various governments.

One individual reported that data submitted to one such phishing site, usps.receivepost[.]com, was transmitted using an automated Telegram bot. Simultaneously, researchers from DomainTools uncovered a separate SMS phishing scheme against USPS users believed to be orchestrated by Iranian cybercriminals.

Given the broad appeal of national postal services, phishers often exploit their familiar brand names. As the holiday season approaches, consumers are advised to exercise caution: refrain from clicking unexpected links and verify any suspicious messages directly through trusted channels.

About this post

Posted: 2023-10-11
By: dwirch

Categories

Security

News

Privacy
