Phishers Spoof USPS, 12 Other Natl’ Postal Services – Krebs on Security

By admin

Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.


KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain usps.informedtrck[.]com.

The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information.

The remaining buttons on the phishing page all link to the real USPS.com website. After collecting your address information, the fake USPS site goes on to request additional personal and financial data.

This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations.

Check out the bottom portion of the screenshot below, and you’ll notice that this phishing site fails to load some external resources, including an image from a link called fly.linkcdn[.]to.

A search on this domain at the always-useful URLscan.io shows that fly.linkcdn[.]to is tied to a slew of USPS-themed phishing domains. Here are just a few of those domains (links defanged to prevent accidental clicking):

usps.receivepost[.]com

usps.informedtrck[.]com

usps.trckspost[.]com

postreceive[.]com

usps.trckpackages[.]com

usps.infortrck[.]com

usps.quicktpos[.]com

usps.postreceive[.]com

usps.revepost[.]com

trackingusps.infortrck[.]com

usps.receivepost[.]com

usps.trckmybusi[.]com

postreceive[.]com

tackingpos[.]com

usps.trckstamp[.]com

usa-usps[.]shop

usps.infortrck[.]com

unlistedstampreceive[.]com

usps.stampreceive[.]com


usps.stamppos[.]com

usps.stampspos[.]com

usps.trckmypost[.]com

usps.trckintern[.]com

usps.tackingpos[.]com

usps.posinformed[.]com

As we can see in the screenshot below, the developer tools console for informedtrck[.]com complains that the site is unable to load a Google Analytics code — UA-80133954-3 — which apparently was rejected for pointing to an invalid domain.

The valid domain for that Google Analytics code is the official usps.com website. According to dnslytics.com, that same analytics code has shown up on at least six other nearly identical USPS phishing pages dating back nearly as many years, including onlineuspsexpress[.]com, which DomainTools.com says was registered way back in September 2018 to an individual in Nigeria.

A different domain with that same Google Analytics code that was registered in 2021 is peraltansepeda[.]com, which archive.org shows was running a similar set of phishing pages targeting USPS users. DomainTools.com indicates this website name was registered by phishers based in Indonesia.
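The two pivots described above, a shared external resource (the fly.linkcdn[.]to image that fails to load) and a Google Analytics property ID that belongs only on the real usps.com, can be applied mechanically to a folder of saved phishing pages rather than one page at a time in Developer Tools. The Python below is an added example, not code from the article or from URLscan.io, dnslytics.com or DomainTools; the page hosts (.invalid TLD), the shared CDN host and the tracking ID UA-00000000-1 are constructed placeholders. It also drops hosts that most of the web loads from (tag manager, fonts), since a pivot on those would cluster everything.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Google Analytics property IDs: classic "UA-nnnnnnnn-n" (the form seen on the
# phishing page in the story) and GA4 "G-XXXXXXXXXX" measurement IDs.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Hosts shared by a large fraction of the web; sharing these is not a pivot.
COMMON_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "fonts.googleapis.com",
    "fonts.gstatic.com",
}


class ResourceCollector(HTMLParser):
    """Collect the hosts of resources the browser would fetch for a page.

    Only src attributes and <link href> count: an <a href> to the real
    usps.com (as on the phishing page) is a link, not loaded infrastructure.
    """

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.external_hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "src" or (tag == "link" and name == "href"):
                host = urlparse(value).hostname
                # Relative URLs have no host; same-host references are not a pivot.
                if host and host.lower() != self.page_host:
                    self.external_hosts.add(host.lower())


def extract_indicators(html, page_host):
    """Return the pivotable indicators for one page: 'ga:<id>' and 'host:<name>'."""
    collector = ResourceCollector(page_host)
    collector.feed(html)
    indicators = {f"ga:{tracking_id}" for tracking_id in GA_ID_RE.findall(html)}
    indicators |= {
        f"host:{h}" for h in collector.external_hosts if h not in COMMON_HOSTS
    }
    return indicators


def cluster_by_shared_indicator(pages):
    """Given {page_host: html}, map each indicator seen on two or more pages
    to the sorted list of those pages. Pages sharing an entry likely share a kit."""
    index = defaultdict(set)
    for host, html in pages.items():
        for indicator in extract_indicators(html, host):
            index[indicator].add(host)
    return {ind: sorted(hosts) for ind, hosts in index.items() if len(hosts) > 1}


# Constructed sample pages (not real sites): two lures built from the same kit
# and one unrelated page that only shares the common tag-manager host.
SAMPLE_PAGES = {
    "usps.lure-one.invalid": """<html><head>
      <script async src="https://www.googletagmanager.com/gtag/js?id=UA-00000000-1"></script>
      <script>gtag('config', 'UA-00000000-1');</script>
      <link rel="stylesheet" href="/css/site.css"></head>
      <body><img src="https://cdn.shared-kit.invalid/logo.png">
      <a href="https://www.usps.com/">Track</a></body></html>""",
    "usps.lure-two.invalid": """<html><head>
      <script>ga('create', 'UA-00000000-1', 'auto');</script></head>
      <body><img src="https://cdn.shared-kit.invalid/logo.png">
      <img src="https://usps.lure-two.invalid/img/banner.png"></body></html>""",
    "unrelated-shop.invalid": """<html><head>
      <script src="https://www.googletagmanager.com/gtag/js?id=G-ABCDEF1234"></script>
      </head><body><img src="/hero.jpg"></body></html>""",
}

if __name__ == "__main__":
    for indicator, hosts in sorted(cluster_by_shared_indicator(SAMPLE_PAGES).items()):
        print(f"{indicator}: {', '.join(hosts)}")
```

In practice the input is a directory of pages saved from a sandbox or from URLscan.io, and the output clusters are what you would then feed into a registrant or hosting lookup.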


DomainTools says the above-mentioned USPS phishing domain stamppos[.]com was registered in 2022 via Singapore-based Alibaba.com, but the registrant city and state listed for that domain says “Georgia, AL,” which is not a real location.

Alas, running a search for domains registered through Alibaba to anyone claiming to reside in Georgia, AL reveals nearly 300 recent postal phishing domains ending in “.top.” These domains are either administrative domains obscured by a password-protected login page, or are .top domains phishing customers of the USPS as well as postal services serving other countries.

Those other nations include the Australia Post, An Post (Ireland), Correos.es (Spain), the Costa Rican post, the Chilean Post, the Mexican Postal Service, Poste Italiane (Italy), PostNL (Netherlands), PostNord (Denmark, Norway and Sweden), and Posti (Finland). A complete list of these domains is available here (PDF).

The Georgia, AL domains at Alibaba also encompass several that spoof sites claiming to collect outstanding road toll fees and fines on behalf of the governments of Australia, New Zealand and Singapore.

An anonymous reader wrote in to say they submitted fake information to the above-mentioned phishing site usps.receivepost[.]com via the malware sandbox any.run. A video recording of that analysis shows that the site sends any submitted data via an automated bot on the Telegram instant messaging service.

The traffic analysis just below the any.run video shows that any data collected by the phishing site is being sent to the Telegram user @chenlun, who offers to sell customized source code for phishing pages. From a review of @chenlun’s other Telegram channels, it appears this account is being massively spammed at the moment — possibly thanks to public attention brought by this story.
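Kits that forward victim data through a Telegram bot do so by calling Telegram’s Bot API, which lives at api.telegram.org under a path of the form /bot<id>:<secret>/<method>. Official chat clients never call that path, so a request to it from a web server is automation by definition, and a hosting provider or web team can flag it in outbound proxy logs. The Python below is an added example, not from the article or from any.run; the log line format, the source addresses and the bot token are constructed placeholders. Findings mask the secret half of the token so they can be shared without handing the token around.

```python
import re
from collections import Counter

# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Constructed outbound-proxy log format for this example:
# "<timestamp> <source_ip> <http_verb> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed proxy log line; return None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bot_api_exfil(lines):
    """Return one finding per request to the Telegram Bot API.

    The secret part of the token is truncated to its first four characters so
    the finding identifies the bot without reproducing a usable credential.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = TELEGRAM_BOT_RE.search(rec["url"])
        if hit is None:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "bot_id": hit["bot_id"],
            "token_masked": f"{hit['bot_id']}:{hit['secret'][:4]}...",
            "method": hit["method"],
            "status": rec["status"],
        })
    return findings


def summarize(findings):
    """Count Bot API calls per (source host, bot id). A web server that posts
    to the same bot on every form submission stands out immediately."""
    return Counter((f["src"], f["bot_id"]) for f in findings)


# Constructed sample log (not real traffic): one web host repeatedly posting to
# a bot, interleaved with ordinary requests from it and from another host.
SAMPLE_LOG = """
2023-10-30T12:00:01Z 10.0.5.21 POST https://api.telegram.org/bot0000000000:CONSTRUCTED_SECRET_TOKEN/sendMessage 200
2023-10-30T12:00:02Z 10.0.5.21 GET https://cdn.example.invalid/logo.png 404
2023-10-30T12:00:03Z 10.0.7.14 GET https://www.example.invalid/ 200
2023-10-30T12:00:04Z 10.0.5.21 POST https://api.telegram.org/bot0000000000:CONSTRUCTED_SECRET_TOKEN/sendMessage 200
2023-10-30T12:00:05Z 10.0.5.21 POST https://api.telegram.org/bot0000000000:CONSTRUCTED_SECRET_TOKEN/sendDocument 200
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_bot_api_exfil(SAMPLE_LOG):
        print(finding)
    for (src, bot_id), count in summarize(find_bot_api_exfil(SAMPLE_LOG)).items():
        print(f"{src} -> bot {bot_id}: {count} call(s)")
```

The same check works on sandbox traffic captures such as the any.run recording the reader submitted: an HTTP request to that endpoint immediately after a form POST is the exfiltration step, and the bot id in the URL is a stable indicator across every page built from the same kit.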

Meanwhile, researchers at DomainTools recently published a report on an apparently unrelated but equally sprawling SMS-based phishing campaign targeting USPS customers that appears to be the work of cybercriminals based in Iran.

Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the United Parcel Service (UPS) disclosed that fraudsters were abusing an online shipment tracking tool in Canada to send highly targeted SMS phishing messages that spoofed the UPS and other brands.

With the holiday shopping season nearly upon us, now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.

If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Update: Added information about the Telegram bot and any.run analysis.