This article discusses the escalating threat of SMS phishing (smishing) attacks targeting the United States Postal Service (USPS). The rise of these attacks is largely linked to a phishing toolkit available on the dark web, utilized by various threat actors, predominantly Chinese and Iranian. Through domain analysis, researchers uncovered over 7,000 suspicious domains related to USPS phishing, revealing distinct techniques and tactics used by the perpetrators.
Affected: USPS, SMS messaging platforms
Key points:
- Significant increase in SMS phishing (smishing) attacks targeting USPS since July 2023.
- Attacks driven by accessible phishing toolkits on dark markets, primarily utilized by Chinese threat actors.
- Identification of over 7,000 USPS-related domains indicative of the scale of phishing campaigns.
- Distinct tactics and infrastructure used by different threat actors observed in their DNS configurations.
- The prevalence of lookalike domains and registered domain generation algorithms (RDGAs) in these phishing attempts.
- Use of both common and uncommon registrants to obscure the actual ownership of phishing domains.
- Detection methods involved correlating domain information and analyzing DNS data for suspicious activity.
- Infoblox provides defenses against these USPS phishing domains through their BloxOne Threat Defense platform.
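The lookalike and RDGA detection described above, as an added example that is not part of the report or Infoblox's tooling: it scans constructed DNS query log lines (the three-column format, the legitimate USPS apex list and the edit-distance and letter-ratio heuristics are all assumptions) and flags names that imitate the USPS brand.

```python
"""Added example (not from the report): flag USPS lookalike domains in DNS query logs."""
from typing import Optional

BRAND = "usps"
LEGIT_APEX = {"usps.com", "usps.gov"}  # assumption: genuine USPS registrable domains
# Constructed sample log, "<timestamp> <client> <qname>" (format is an assumption);
# the query names are the indicators listed in this report plus benign filler.
SAMPLE_LOG = """\
2023-07-14T10:01:02Z 10.0.0.12 usps.informedtrck.com
2023-07-14T10:01:05Z 10.0.0.12 tools.usps.com
2023-07-14T10:02:11Z 10.0.0.31 ususuua.top
2023-07-14T10:02:40Z 10.0.0.31 uspops.top
2023-07-14T10:03:03Z 10.0.0.44 uspkas.top
2023-07-14T10:03:09Z 10.0.0.44 www.example.org
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as uspops / uspkas."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(qname: str) -> Optional[str]:
    """Return a reason string if qname looks like a USPS lookalike, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    apex = ".".join(labels[-2:])  # crude eTLD+1; assumes a single-label public suffix
    if apex in LEGIT_APEX:
        return None
    if BRAND in labels[:-2]:  # brand used as a subdomain of a foreign apex
        return "brand-as-subdomain"
    sld = labels[-2]
    if sld == BRAND:  # brand registered under another TLD
        return "brand-on-other-tld"
    if edit_distance(sld, BRAND) <= 2:  # short insertions/substitutions
        return "typosquat"
    # RDGA-style noise built mostly from the brand's letters (heuristic, assumption)
    brand_chars = sum(c in set(BRAND) for c in sld)
    if len(sld) >= 5 and brand_chars / len(sld) >= 0.8:
        return "brand-alphabet"
    return None

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (qname, reason) for every suspicious query in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and (reason := classify(parts[2])):
            hits.append((parts[2], reason))
    return hits
```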
MITRE Techniques:
- Reconnaissance (T1591): Threat actors leverage public sources and tools to acquire necessary information for phishing attacks.
- Credential Dumping (T1003): Attackers may collect user credentials through phishing, gaining unauthorized access to sensitive information.
- Web Service Hosting (T1102): Use of malicious infrastructure or lookalike domains to host phishing sites for credential harvesting.
- Domain Generation Algorithms (T1483): Phishing campaigns utilized RDGAs to create multiple domains for evasion purposes.
- Data Obfuscation (T1027): Threat actors employ registrant information anonymization to mask their identity.
Indicators of Compromise:
- [Domain] usps[.]informedtrck[.]com
- [Domain] ususuua[.]top
- [Domain] uspops[.]top
- [Domain] uspkas[.]top
- [IP Address] 204[.]44[.]75[.]194