Beware, Scammers Are Targeting Holiday Shoppers With A USPS Phishing Scam

The holiday season at the end of the year is a busy time for online shoppers, between taking advantage of the best Black Friday and Cyber Monday deals and ordering gifts for friends and family. Sadly, threat actors have no qualms about taking advantage of the high volume of packages in transit during this time to conduct widespread cyberattacks against their recipients. We recently encountered one such attack in the form of a phishing campaign masquerading as a United States Postal Service (USPS) notification service. This particular phishing campaign is designed to lure users to a fraudulent USPS website, then trick them into handing over their credit card information.

We have received multiple reports of users receiving fraudulent text messages informing them that a package cannot be delivered because the shipping address could not be verified. The messages then direct recipients to resubmit their addresses for verification by following a hyperlink at the end of the message. The image below is a screenshot of one of these messages sent from a phone number serviced by T-Mobile with no associated name.

Smishing message directing recipient to a fraudulent USPS website

The hyperlink at the end of each smishing (SMS phishing) message directs users to a website that mimics the official USPS website. This website asks users to enter their home addresses and bank card credentials under the guise of using this information to verify users’ home addresses for shipping purposes. However, this information is exactly what the scammers behind this scheme need to rack up fraudulent charges on victims’ credit or debit cards.

Based on the reports received by HotHardware, the scammers are using multiple domain names to carry out this phishing campaign, likely switching to fresh domains on a frequent basis rather than sticking with a set of domains that would likely be flagged for malicious activity. According to WHOIS records, the domain name linked in the message shown above was registered only a day before that particular smishing message was sent. Now, just a day later, visiting the domain returns a 403 Forbidden error rather than displaying the fraudulent USPS website. Reports of these smishing messages received today specify different, and likely newer, domain names. We gather, then, that the threat actors behind this campaign are moving fast in the hopes of staying ahead of scam reports.

Anyone who believes they may have fallen victim to this phishing scheme should contact the issuer of their debit or credit card right away to have the card canceled and re-issued. Taking immediate action may prevent the scammers from making any fraudulent charges. Going forward, users should know that the official USPS website is located at usps.com. Users should avoid visiting any websites that appear or claim to be the USPS site but are located at domains other than the official one.
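For readers who filter or triage reported messages, the "is this really usps.com?" check can be automated. The Python sketch below is an added example, not part of the original article: it extracts http(s) links from a message and flags any whose host is not usps.com or a subdomain of it. The function names, the sample messages and the `.example` domains are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "usps.com"  # the official site named in the article
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_official_usps(url: str) -> bool:
    """True only if the URL's host is usps.com or a subdomain of it."""
    if "://" not in url:
        url = "https://" + url  # tolerate links written without a scheme
    try:
        # .hostname drops any "user@" prefix and ":port" suffix, so
        # "usps.com@other.example" resolves to "other.example".
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    host = host.rstrip(".").lower()
    try:
        # Normalise internationalised names to punycode so look-alike
        # characters cannot compare equal to the ASCII domain.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    # Exact match or a dot-delimited suffix: "tools.usps.com" passes,
    # "usps.com.other.example" and "xusps.com" do not.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def suspicious_links(message: str) -> list[str]:
    """Return the links in a message that do not point at usps.com."""
    return [u for u in URL_RE.findall(message) if not is_official_usps(u)]

# Constructed sample messages (not taken from the reported campaign).
SAMPLE_SMISH = ("USPS: your package cannot be delivered because the address "
                "could not be verified. Update it here: "
                "https://usps.com.address-verify.example/update")
SAMPLE_LEGIT = "Track your package at https://tools.usps.com/go/TrackConfirmAction"

if __name__ == "__main__":
    for sms in (SAMPLE_SMISH, SAMPLE_LEGIT):
        print(suspicious_links(sms) or "no off-domain links")
```

A passing result only means the link is on the official domain; because the campaign rotates domains registered a day earlier, an allowlist check like this holds up better than a blocklist of known bad names.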

Users can also increase their chances of successfully disputing fraudulent charges and receiving full reimbursements by using credit cards online, as, unlike debit cards, charges applied to credit cards don’t directly pull funds out of cardholders’ bank accounts. For cybersecurity purposes, a credit card with auto-pay enabled functions effectively like a debit card with a significant buffer period before funds are withdrawn.