USPS Phishing Scam Targets Users in 12 Countries

Fake USPS Software Responsible

Recent weeks have witnessed an alarming rise in phishing scams, with the United States Postal Service (USPS) customers forming the primary targets. The ongoing operation seeks to amass personal and financial information from victims by masquerading as the USPS software and the postal services of 12 other countries.

KrebsOnSecurity, the reputable cybercrime insider, revealed the story of a reader who received a text message alleging to be from USPS. The message claimed that a package destined for the recipient was facing issues. A link was provided in the text which, when clicked, redirected the user to the domain usps.informedtrck[.]com.

Advanced Massive Phishing Techniques

The phishing link redirected users to a makeshift USPS page. It claimed the recipient’s package was being held due to incorrect recipient address details and asked the user to supply the correct information via a link. The other buttons on the phishing page linked to the authentic USPS.com website to further perpetuate the deception.

The phishing domain was found to have been newly registered, with virtually nonexistent ownership records. However, the extent of this operation can be hinted at by investigating the webpage’s code and operations using Developer Tools – a built-in feature in browsers like Firefox, Chrome, and Safari.

Slightly Broken, but Still Successful

Evidence from the inspection shows that the phishing site encountered difficulties in loading external resources, including images from a link called fly.linkcdn[.]to. A URLscan.io search indicated that this domain is connected with a number of USPS-themed phishing domains.

Further inspection showed the site attempted to load Google Analytics code, UA-80133954-3, but the request failed because the code pointed to an invalid domain. DNSlytics.com reveals this same analytics code has been used on several almost identical USPS phishing pages in the past. DomainTools.com further revealed that the usps.informedtrck[.]com website was registered to someone in Nigeria in September 2018.

Interestingly, the same Google Analytics code appears on another domain, peraltansepeda[.]com, this time registered in 2021. Similar to its predecessor, it was operating a set of phishing pages targeted at USPS users. The website was registered by phishers based in Indonesia.
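
The pivot described above, linking lure pages through a shared analytics ID or resource host, shown as an added example (not code from the original article or from KrebsOnSecurity). It reads saved HTML of suspect pages and reports the indicators that two or more of them share. The captures, domains and tracker IDs are constructed placeholders, and `indicators`, `cluster` and `ignore_hosts` are names chosen here.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")  # classic GA property ID

class ResourceHosts(HTMLParser):
    """Collect hostnames referenced by src/href attributes."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())

def indicators(html):
    """Return the pivot indicators (tracker IDs, resource hosts) in one page."""
    parser = ResourceHosts()
    parser.feed(html)
    found = {("tracker", t) for t in TRACKER_RE.findall(html)}
    return found | {("host", h) for h in parser.hosts}

def cluster(pages, ignore_hosts=frozenset()):
    """Map each indicator seen on two or more pages to the pages sharing it."""
    seen = defaultdict(set)
    for name, html in pages.items():
        for kind, value in indicators(html):
            if kind == "host" and value in ignore_hosts:
                continue  # every lure page links to the genuine site
            seen[(kind, value)].add(name)
    return {ind: sorted(names) for ind, names in seen.items() if len(names) > 1}

# Constructed captures: placeholder domains and IDs, not campaign data.
SAMPLES = {
    "capture-a.example": '<img src="https://cdn.kit.example/logo.png">'
                         '<script>ga("create","UA-00000000-1")</script>'
                         '<a href="https://www.usps.com/">Track</a>',
    "capture-b.example": '<img src="//cdn.kit.example/banner.png">'
                         '<script>ga("create","UA-00000000-1")</script>',
    "capture-c.example": '<script>ga("create","UA-00000000-1")</script>'
                         '<a href="/update-address">Update</a>',
    "capture-d.example": '<script>ga("create","UA-11111111-2")</script>'
                         '<a href="https://www.usps.com/">Track</a>',
}

print(cluster(SAMPLES, ignore_hosts={"www.usps.com"}))
```

Without `ignore_hosts`, the genuine www.usps.com links that these pages include for credibility would group unrelated captures together.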

Moreover, DomainTools identified that stamppos[.]com, a USPS phishing domain, was registered in 2022 via Alibaba.com, based in Singapore. The questionable part was the listed registrant’s city and state: “Georgia, AL”, a nonexistent location.

It was found that close to 300 recent postal phishing domains carrying the same misleading location of “Georgia, AL” were registered via Alibaba. Other nations’ postal services seemed to have fallen prey to the scam too, including Australia Post, An Post (Ireland), Correos.es (Spain), Costa Rican post, the Chilean Post, the Mexican Postal Service, Poste Italiane (Italy), PostNL (Netherlands), PostNord (Denmark, Norway, and Sweden), and Posti (Finland).

But Wait, There’s More!

But the story doesn’t end here. The scammers also ran websites that claimed to collect outstanding road toll fees and penalties on behalf of the governments of Australia, New Zealand, and Singapore, mimicking official-looking portals.

Indeed, one curious reader submitted fictitious information to the phishing site usps.receivepost[.]com. The subsequent any.run analysis showed that the phished data got sent over to a Telegram bot user @chenlun. The user seemingly offers the sale of customized source code for creating similar phishing pages.

Concurrently, another phishing campaign targeting USPS customers is underway, this time managed by cybercriminals based in Iran according to a report by DomainTools.

This entire fiasco should serve as a good reminder to avoid clicking on suspicious links received via email, text, or any other medium. If confronted with a suspicious message, instead of clicking the link, try to visit the website manually — ideally, using a reliable bookmark. This sound practice can guard against potential phishing attacks, especially in the forthcoming holiday shopping season which typically sees a surge in these scams.
