Malicious ad for USPS phishes for banking credentials

Malvertising is used to carry out phishing by impersonating brands in search ads, targeting people tracking USPS packages. The campaign collects addresses, credit card details, and banking credentials through a phishing site whose pages change with the victim's input. #USPS #JPMorganChase #Google #Cloudflare #Malwarebytes #АнастасіяІващенко

Keypoints

  • Malvertising via search ads impersonates brands (USPS) to lure victims to a phishing site.
  • The ad snippet shows the official USPS logo and website, but the advertiser behind it has no relation to USPS.
  • The URL displayed in the ad is only a visual element: clicking the ad first goes through Google's own ad-metrics URL and only then to the advertiser's URL, masking the real destination.
  • Victims are prompted to enter a tracking number, then their full address, then card details for a small 35-cent payment, and finally their banking credentials.
  • The phishing pages adapt to the card type entered (e.g., a JPMorgan Chase login page for Visa; a MasterCard variant) to harvest bank credentials.
  • Solutions call for stronger search-engine controls, brand protections, and comprehensive security tooling (e.g., Malwarebytes) to disrupt the attack chain.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising redirects victims to a phishing site that collects data. Quote: “it redirects victims to a malicious site that first collects their address, credit card details and, requires them to log into their bank account for verification.”
  • [T1566.001] Phishing: Spearphishing Link – The ad leads to a phishing page; Quote: “When you click on the ad, the first URL returned is Google’s own which contains various metrics related to the ad, followed by the advertiser’s own URL.”
  • [T1036] Masquerading – Brand impersonation using USPS branding in ads. Quote: “the ad snippet contains the official website and logo of the United States Postal Service”

Indicators of Compromise

  • [Domain] logictrackngs[.]com
  • [Domain] super-trackings[.]com
  • [Domain] web-trackings[.]com
  • [Domain] tracks4me[.]biz
  • [Domain] forgetrackng[.]com
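The domains above are listed defanged (`[.]` in place of `.`), so they cannot be pasted into a blocklist or log search as-is. The script below is an added example, not Malwarebytes code: it refangs the five indicators from this summary and scans constructed proxy log lines (a hypothetical `timestamp client url` format) for hosts that equal an indicator or sit under it as a subdomain, which is how a defender would check whether anyone in the environment reached the phishing infrastructure.

```python
"""Refang the IoC domains from the summary above and match them against
proxy log lines. Added example; not the blog's or Malwarebytes' own code."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains exactly as listed on the page, still defanged with "[.]"
DEFANGED_IOCS = [
    "logictrackngs[.]com",
    "super-trackings[.]com",
    "web-trackings[.]com",
    "tracks4me[.]biz",
    "forgetrackng[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def host_matches(host: str) -> Optional[str]:
    """Return the matching IoC if `host` is an IoC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample log lines in a hypothetical "timestamp client url" format.
# Line 4 mentions an IoC only in the URL path, so its host must NOT match.
SAMPLE_LOG = """\
2023-07-20T14:02:11Z 10.0.0.5 https://www.usps.com/manage/welcome.htm
2023-07-20T14:03:40Z 10.0.0.5 https://super-trackings.com/track?n=9400
2023-07-20T14:04:02Z 10.0.0.7 https://mail.tracks4me.biz/login
2023-07-20T14:05:55Z 10.0.0.9 https://example.com/web-trackings.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for each line whose URL host hits an IoC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the sweep
        ts, client, url = m.groups()
        host = urlparse(url).hostname or ""  # hostname only, never the path
        ioc = host_matches(host)
        if ioc:
            hits.append((ts, client, ioc))
    return hits


if __name__ == "__main__":
    for ts, client, ioc in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} contacted IoC domain {ioc}")
```

Matching is done on the parsed hostname rather than with a substring search over the whole line, so an indicator that merely appears in a URL path or query string (as in the fourth sample line) does not produce a false positive, while subdomains of a listed domain are still caught.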

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/malicious-ad-for-usps-phishes-for-jpmorgan-chase-credentials