A spike in SMS phishing scams targets USPS customers with messages that spoof the postal service and direct recipients to deceptive domains that harvest personal and financial data; the same campaign also targets other national postal services. The operation uses USPS-branded pages, a network of spoofed domains, a reused USPS Google Analytics tracking ID, and a Telegram-based exfiltration channel to collect and potentially sell data. #USPS #Phishing #Telegram #GoogleAnalytics #Alibaba #Iran
Keypoints
- Phishing SMS campaigns spoofing USPS have surged, expanding to postal services in multiple countries.
- The phishing page at usps.informedtrck[.]com uses USPS branding and asks visitors to submit address and other data.
- The site links to the real USPS site for some buttons, while collecting additional personal and financial information through a form.
- The phishing domain infrastructure includes a cluster of USPS-themed domains and registrations tied to Alibaba, indicating a broad, coordinated operation.
- A Google Analytics tracking ID (UA-80133954-3) associated with USPS appears on the phishing page: the legitimate branding is reused, but the page is served from a fraudulent domain.
- Exfiltrated data is sent to a Telegram bot (@chenlun), where the operator appears to offer customized phishing code and services.
- Separately, Iran-based actors have been identified in related SMS phishing campaigns against USPS customers, illustrating a wider, multi-country threat landscape.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – “Clicking the link in the text message brings one to the domain usps.informedtrck[.]com”. This describes the delivery of deceptive links to victims via SMS.
- [T1036] Masquerading – “The landing page generated by the phishing link includes the USPS logo”. The page imitates a legitimate USPS interface to deceive victims.
- [T1041] Exfiltration Over C2 Channel – “the site sends any submitted data via an automated bot on the Telegram instant messaging service.” Data is exfiltrated via Telegram as part of the attacker’s C2/exfiltration channel.
- [T1071.001] Web Protocols – Data and communications to external services (Telegram, hosting domains) travel over web protocols as part of the phishing operation. [Quote: ‘Google Analytics code UA-80133954-3 … rejected for pointing to an invalid domain.’]
Indicators of Compromise
- [Domain] usps.informedtrck[.]com – example of a USPS-themed phishing domain used in the campaign.
- [Domain] fly.linkcdn[.]to – hosting/link CDN domain tied to USPS phishing infrastructure.
- [Domain] usps.receivepost[.]com – another USPS-themed phishing domain observed in the campaign.
- [Code] UA-80133954-3 – Google Analytics tracking ID embedded on the phishing page, linked to USPS branding.
- [Service] any.run – malware sandbox used by the researcher to analyze the phishing site’s data submission behavior (an analysis tool, not attacker infrastructure).
- [Account] @chenlun – Telegram user receiving exfiltrated data and advertising phishing code services.
- [Domain] unlistedstampreceive[.]com, stamppos[.]com, usps.trckmypost[.]com – additional USPS-themed domains observed in domain tooling; many others exist.
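As an added defender-side example (not from the original article or its source), a small Python triage script that applies this page's IoCs and the lure pattern it describes (a brand word in the hostname of a non-USPS domain, plus the USPS analytics ID served from a foreign host) to constructed sample SMS texts and page HTML. The host list, the GA ID and the brand tokens come from the page; the `.example` host and the SMS texts are constructed.

```python
import re
from urllib.parse import urlparse
# Hosts from this page's IoC list (defanging brackets removed).
KNOWN_PHISH_HOSTS = {
    "usps.informedtrck.com", "usps.receivepost.com", "usps.trckmypost.com",
    "fly.linkcdn.to", "unlistedstampreceive.com", "stamppos.com",
}
LEGIT_DOMAINS = {"usps.com"}              # the brand's real registrable domain
BRAND_TOKENS = ("usps", "stamp", "trck")  # lure words in this campaign's hosts
USPS_GA_ID = "UA-80133954-3"              # analytics ID quoted on this page
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
GA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,3}\b")

def registrable_domain(host: str) -> str:
    # Naive eTLD+1 (last two labels); production code should use the
    # Public Suffix List so that suffixes like .co.uk are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_url(url: str) -> str:
    # 'known_bad' = matches an IoC; 'lookalike' = brand word on a non-brand
    # registrable domain (the usps.<other-domain> pattern); else 'ok'.
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if host in KNOWN_PHISH_HOSTS or reg in KNOWN_PHISH_HOSTS:
        return "known_bad"
    if reg in LEGIT_DOMAINS:
        return "ok"
    return "lookalike" if any(t in host for t in BRAND_TOKENS) else "ok"

def scan_messages(messages):
    # Return [(index, url, verdict)] for every URL that is not 'ok'.
    hits = []
    for i, msg in enumerate(messages):
        for url in URL_RE.findall(msg):
            verdict = classify_url(url)
            if verdict != "ok":
                hits.append((i, url, verdict))
    return hits

def brand_ga_on_foreign_host(html: str, host: str) -> bool:
    # True when the USPS analytics ID is embedded in a page served from a
    # host outside usps.com: a brand-impersonation signal.
    return USPS_GA_ID in GA_RE.findall(html) and registrable_domain(host) not in LEGIT_DOMAINS

# Constructed sample inputs (not real captures).
SAMPLE_SMS = [
    "USPS: parcel held, confirm address: https://usps.informedtrck.com/i/x1",
    "Track your item: https://tools.usps.com/go/TrackConfirmAction",
    "Redelivery fee due: http://usps-redelivery.example/pay",
]
SAMPLE_HTML = "<script>ga('create', 'UA-80133954-3', 'auto');</script>"
```

Running `scan_messages(SAMPLE_SMS)` flags the first message as a known IoC and the third as a lookalike while leaving the genuine tools.usps.com link alone; `brand_ga_on_foreign_host(SAMPLE_HTML, "usps.informedtrck.com")` reproduces the analytics-ID pivot the article describes.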
Read more: https://krebsonsecurity.com/2023/10/phishers-spoof-usps-12-other-natl-postal-services/