Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself

Keypoints

• Post-holiday analysis by Akamai found a large amount of DNS activity to domains purporting to be USPS, indicating widespread impersonation.
• The researchers constructed a malicious USPS domains dataset by filtering for domain names containing USPS and matching it to non-USPS IPs, aiming to minimize false positives.
• Malicious domains show a combosquatting pattern, with top domains like usps-post.world and uspspost.me driving a large share of queries (about 29% together).
• Traffic was nearly equal to USPS’s legitimate domain on normal days and spiked during holidays, suggesting attackers time campaigns around peak parcel periods.
• Two main hosting patterns emerged: traffic spread across many domains, and concentrated traffic on a few high-volume domains linked to Amazon or QuadraNet IPs.
• Top TLDs and IPs indicate a mix of infrastructure used to support these phishing domains, underscoring a broad, adaptable phishing operation rather than a single site.
• The study concludes that combosquatting against USPS is highly effective and widely used, with implications for brands and defenders during busy holiday seasons.