Promising Jobs at the U.S. Postal Service, ‘US Job Services’ Leaks Customer Data – Krebs on Security

A Georgia-based online operation promised USPS jobs and exposed a backend database with nearly 900,000 customers. Investigators traced the scheme to US Job Services and Next Level Support, with ties to a Pakistan-based developer and a Tennessee telemarketing firm. Hashtags: #Redline #USJobServices

Keypoints

  • US Job Services leaked a backend database containing payment and customer data for about 900,000 people.
  • The operation appears connected to a Tennessee telemarketing firm that promoted USPS job sites since 2016 and to Next Level Support Centers in Tennessee.
  • Applicants were asked to deposit money (often $39.99–$100) to register for USPS job reviews and were told refunds would follow if not offered a job within 30 days.
  • The FTC and USPS have a long history of taking action against USPS job-placement scams, stating that such promises violate federal law.
  • The exposed admin backend was tied to Muhammed Tabish Mirza in Karachi, and a Windows device he used regularly was infected for about a year with the Redline infostealer, which allegedly exfiltrated data to criminals in Russia.
  • More than 160 users had access to US Job Services data, including Pakistan-based coders and a Tennessee call center, with numerous USPS-themed domains registered by associates.

MITRE Techniques

  • [T1566.003] Spearphishing via Service – The operation engaged in emailing and text messaging people to sign up at USPS job sites. ‘Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.’
  • [T1003] Credential Dumping – The Redline infostealer was involved in collecting and exfiltrating credentials from a Windows device: ‘a Microsoft Windows device regularly used by Mr. Mirza and his colleagues was actively uploading all of the device’s usernames, passwords and authentication cookies to cybercriminals based in Russia.’
  • [T1041] Exfiltration – The same Redline activity amounted to exfiltrating sensitive data to criminals in Russia: ‘uploading all of the device’s usernames, passwords and authentication cookies to cybercriminals based in Russia.’
  • [T1078] Valid Accounts – Access to consumer and payment data was granted to multiple coders and employees across Pakistan and Tennessee, indicating use of valid accounts: ‘access to the consumer and payment data collected by US Job Services is currently granted to several other coders… in Pakistan, and to multiple executives, contractors and employees… in Murfreesboro, Tennessee.’

Indicators of Compromise

  • [Domain] USPS-themed domains used in the operation – federaljobscenter.com, postal2017.com
  • [Domain] Additional USPS-related domains registered by associates – postaljobscenter.com, usps-jobs.com
  • [Email] Admin contact for US Job Services – [email protected]
  • [Malware] Redline infostealer used to exfiltrate data – Redline

Read more: https://krebsonsecurity.com/2023/05/promising-jobs-at-the-u-s-postal-service-us-job-services-leaks-customer-data/?replytocom=583725