Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself

USPS is being impersonated through a large set of combosquatting domains, with DNS traffic to malicious USPS-themed domains nearly matching or exceeding traffic to the legitimate usps.com, especially during holiday peaks. Akamai’s DNS-traffic analysis reveals extensive use of USPS-branded domains for phishing campaigns and smishing attempts, highlighting how combosquatting drives significant abuse of a trusted brand. #USPS #combosquatting #phishing #DNS #Akamai #uspspostworld #uspspostme

Keypoints

  • Post-holiday analysis by Akamai found a large amount of DNS activity to domains purporting to be USPS, indicating widespread impersonation.
  • The researchers built a dataset of malicious USPS domains by keeping only domain names that contain the string USPS and that resolve to non-USPS IP addresses, a filter intended to minimize false positives.
  • Malicious domains show a combosquatting pattern, with top domains like usps-post.world and uspspost.me driving a large share of queries (about 29% together).
  • Traffic was nearly equal to USPS’s legitimate domain on normal days and spiked during holidays, suggesting attackers time campaigns around peak parcel periods.
  • Two main hosting patterns emerged: traffic spread across many domains, and concentrated traffic on a few high-volume domains linked to Amazon or QuadraNet IPs.
  • Top TLDs and IPs indicate a mix of infrastructure used to support these phishing domains, underscoring a broad, adaptable phishing operation rather than a single site.
  • The study concludes that combosquatting against USPS is highly effective and widely used, with implications for brands and defenders during busy holiday seasons.
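The filtering step described above (keep names that contain the brand string but resolve outside the brand's own address space) is simple enough to reproduce as detection logic over DNS logs. The block below is an added example written for this summary; it is not Akamai's code and not derived from their dataset. It assumes a plain "timestamp qname answer_ip" log format, uses the RFC 5737 documentation range 192.0.2.0/24 as a stand-in for the legitimate USPS address space (the real ranges are not on the page), and the sample lines are constructed except for the four domains and two IPs that the summary lists as indicators.

```python
"""Flag brand-combosquatting DNS lookups: names that contain the brand string
but resolve outside the brand's known address space (added example)."""
import ipaddress
from collections import Counter

# ASSUMPTION: placeholder allowlist for the brand's own infrastructure.
# The real USPS address space is not on the page, so the RFC 5737
# documentation range stands in for it here.
LEGIT_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed DNS log lines in "<timestamp> <qname> <answer_ip>" form.
# The four flagged domains and the two IPs 155.94.151.28 / 99.83.178.7 are
# the indicators named in the summary; every other line is made up, and the
# timestamps are placeholders.
SAMPLE_LOG = """\
2024-12-20T08:00:01Z www.usps.com 192.0.2.10
2024-12-20T08:00:02Z tools.usps.com 192.0.2.11
2024-12-20T08:00:03Z usps-post.world 155.94.151.28
2024-12-20T08:00:04Z uspspost.me 99.83.178.7
2024-12-20T08:00:05Z usps-post.world 155.94.151.28
2024-12-20T08:00:06Z usps-deliveryservice.icu 203.0.113.5
2024-12-20T08:00:07Z uspshelp.vip 203.0.113.6
2024-12-20T08:00:08Z www.usps.com 192.0.2.10
2024-12-20T08:00:09Z example.org 198.51.100.9
2024-12-20T08:00:10Z USPS.COM. 192.0.2.10
2024-12-20T08:00:11Z campuspsych.example 198.51.100.20
this line is malformed and must be skipped
"""


def normalize(qname):
    """Lower-case the name and drop a trailing root dot so variants collapse."""
    return qname.rstrip(".").lower()


def in_legit_space(ip):
    """True when the answer address lies inside the brand's allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LEGIT_NETWORKS)


def parse_log(text):
    """Return (timestamp, normalized_qname, answer_ip) tuples; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        records.append((parts[0], normalize(parts[1]), parts[2]))
    return records


def classify(records, brand="usps"):
    """Split brand-containing lookups into legitimate vs suspicious by answer IP."""
    legit, suspicious = Counter(), Counter()
    for _, qname, ip in records:
        if brand not in qname:
            continue  # not mimicking the brand at all; ignore
        if in_legit_space(ip):
            legit[qname] += 1
        else:
            suspicious[qname] += 1
    return legit, suspicious


def top_share(counter, n):
    """Fraction of all queries in the counter that go to its n busiest names."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counter.most_common(n)) / total


def report(text, brand="usps"):
    """Summarise a log the way the blog summary does: volumes, names, top-n share."""
    legit, suspicious = classify(parse_log(text), brand)
    return {
        "legit_queries": sum(legit.values()),
        "suspicious_queries": sum(suspicious.values()),
        "suspicious_domains": sorted(suspicious),
        "top2_share": top_share(suspicious, 2),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note the constructed line for campuspsych.example: it contains the substring "usps" and resolves outside the allowlist, so the two-part filter still flags it. That is the residual false-positive class the page's method accepts; in practice you would add a registrable-domain or label-boundary check (or a small manual review) before acting on the list.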

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – “One of our team members recently received one of these attempts on their phone (Figure 1).”
  • [T1583.001] Acquire Infrastructure: Domains – “We filter this list down and keep only the domain names that contain the string ‘USPS’… Anything matching these filters is at the very least suspicious because they’re mimicking a legitimate entity without resolving to it”

Indicators of Compromise

  • [Domain] suspicious USPS impersonation domains – usps-post.world, uspspost.me, and 2 more domains (usps-deliveryservice.icu, uspshelp.vip)
  • [IP Address] malicious infrastructure for core domains – 155.94.151.28 (QuadraNet) and 99.83.178.7 (Amazon)

Read more: https://www.akamai.com/blog/security-research/phishing-usps-malicious-domains-traffic-equal-to-legitimate-traffic