Phishers Spoof USPS, 12 Other Natl Postal Services

Over the past few weeks there has been a reported increase in phishing scams, mainly targeting U.S. Postal Service (USPS) customers. According to DomainTools researchers, the attack has been conducted by Iran-based threat actors. This article covers the extensive SMS phishing campaign designed to steal financial and personal data by spoofing USPS and other national postal services.

KrebsOnSecurity reported that about a month ago a reader received an SMS, purporting to come from the USPS, saying there was a problem with a package destined for his address, along with some early warning signs from the U.S. Postal Inspector. Clicking the link in the text message leads to the domain usps.informedtrck[.]com.

The phishing link leads to a landing page with the USPS logo and the message, “Your package has been held due to an incorrect recipient address. Please provide the correct address by clicking on the link.” Below that message is a “Click update” button that leads to a page asking for more information.

All the buttons on the fake USPS site lead to the real USPS.com, where you are asked to input your financial and personal information.

As phishing domains go, this one was registered only recently, and its WHOIS record carries no ownership information. Loading the phishing page in Developer Tools (the debugging tools built into Firefox, Chrome, and Safari that let one examine a webpage’s code and behavior closely) reveals some compelling clues about the extent of this operation.

This domain is tied to several USPS-themed phishing domains found at URLscan.io. Here are some of them (links have been defanged to prevent accidental clicking):


An error message appears in the developer tools console of informedtrck[.]com concerning UA-80133954-3, which looks like a rejected Google Analytics tracking code.

That Google Analytics code belongs to the official USPS website, which is the only domain valid for it. The same analytics code is believed to have been used on at least six other nearly identical USPS phishing pages dating back nearly as many years, including the onlineuspsexpress[.]com domain, which DomainTools.com indicates was registered by a Nigerian individual in September 2018.
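The analytics-code clue above is a pivot defenders can automate: extract the Google Analytics IDs embedded in a suspect page and flag any that belong to a brand whose domain does not match the host serving the page. The following is an added example, not code from the article or from KrebsOnSecurity; the only ID and host it uses are the ones quoted above, the mapping of UA-80133954-3 to usps.com is taken from the article’s claim and is an assumption, and the sample HTML is constructed.

```python
"""Pivot on a Google Analytics property ID to flag brand impersonation (added example)."""
import re
from urllib.parse import urlsplit

# Classic Universal Analytics IDs (UA-xxxxxxxx-x) and GA4 measurement IDs (G-xxxxxxxx).
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Defanged-indicator forms seen in the article: "[.]" and the mistyped "].]".
DEFANG_RE = re.compile(r"\[\.\]|\]\.\]")

# Assumed allowlist: the registrable domain each analytics ID legitimately belongs to.
BRAND_IDS = {"UA-80133954-3": "usps.com"}


def refang(indicator: str) -> str:
    """Turn a defanged host or URL like 'usps.informedtrck[.]com' back into a real one."""
    return DEFANG_RE.sub(".", indicator.strip()).lower()


def analytics_ids(html: str) -> list[str]:
    """Return the distinct Google Analytics IDs embedded in a page, in first-seen order."""
    return list(dict.fromkeys(GA_ID_RE.findall(html)))


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com/.shop, not for ccSLDs like co.uk."""
    return ".".join(host.split(".")[-2:])


def flag_brand_abuse(page_url: str, html: str, brand_ids=BRAND_IDS) -> list[tuple[str, str]]:
    """Return (analytics_id, brand_domain) pairs where a brand's ID appears on a host
    that is not the brand's own domain: a strong hint that the page is a clone."""
    host = urlsplit(refang(page_url)).hostname or ""  # refang first: '[' confuses urlsplit
    hits = []
    for ga_id in analytics_ids(html):
        owner = brand_ids.get(ga_id)
        if owner and registrable(host) != owner:
            hits.append((ga_id, owner))
    return hits


# Constructed sample page: a gtag snippet carrying the USPS ID on a look-alike host.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-80133954-3"></script>
<script>gtag('config', 'UA-80133954-3');</script>
</head><body><h1>Your package has been held</h1></body></html>"""

if __name__ == "__main__":
    print(flag_brand_abuse("https://usps.informedtrck[.]com/", SAMPLE_HTML))
```

The same check run against the real host (https://www.usps.com/) returns an empty list, so it only fires when the brand’s ID shows up somewhere it does not belong.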

There was another domain registered in 2021 with the same Google Analytics code, peraltansepeda[.]com, which archive.org reports ran phishing pages targeting USPS customers. The domain name was registered by Indonesian phishers, according to DomainTools.com.

DomainTools reports that the USPS phishing domain stamppos[.]com mentioned above was registered in 2022 via Alibaba.com, a Singapore-based company. Still, the registrant city and state for that domain are listed as “Georgia, AL,” which is not an actual location.

Searching for domains registered through Alibaba to “Georgia, AL” residents turns up nearly 300 recent postal phishing domains ending in “.top.” These are either administrative domains with password-protected login pages or .top domains phishing USPS and foreign postal service customers.

Besides USPS, the spoofed postal services include Australia Post, An Post (Ireland), Correos.es (Spain), the Costa Rica Post, the Chilean Post, the Mexican Postal Service, Poste Italiane (Italy), PostNL (Netherlands), PostNord (Denmark, Norway, and Sweden), and Posti (Finland).

Several of the domains registered through Alibaba to “Georgia, AL” also host spoof sites that claim to collect Australian, New Zealand, and Singaporean road toll fees and fines.

An anonymous reader used the malware sandbox any.run to submit fake information to the usps.receivepost[.]com phishing site mentioned above. A video recording of that analysis shows that the site sends any submitted data to an automated bot on the Telegram instant messaging service.

Based on the traffic analysis in the any.run video, it appears all the data collected by the phishing site is being sent to a Telegram user named @chenlun, who offers to sell customized phishing page source code. My analysis of @chenlun’s other Telegram channels suggests this account is being heavily spammed right now, possibly due to the public attention this story has generated.

Cybercriminals based in Iran are believed to be behind an apparently unrelated but equally sprawling SMS-based phishing campaign targeting USPS customers, according to researchers at DomainTools.

It is common for fraudsters to cast a wide net and spoof entities that locals widely use, and few brands have a greater reach in households than domestic mail services. In June, the United Parcel Service (UPS) reported that fraudsters were sending highly targeted SMS phishing messages spoofing UPS and other brands using Canada’s online shipment tracking tool.

It’s the perfect time to remind family and friends to avoid phishing scams as the holiday shopping season approaches: Don’t click on links or attachments that arrive uninvited in emails, texts, or other forms of communication. Phishing scams typically involve a temporal element that warns of adverse consequences if you don’t respond or act quickly.

Whenever you are unsure whether a message is legitimate, take a deep breath and manually visit the site or service in question – ideally, using a browser bookmark to avoid potential typosquatting sites.
