
Recently, media outlets worldwide reported the results of a security company's investigation showing that traffic to domains impersonating USPS was significantly higher than traffic to the official website, and the finding has become an issue.
In this article, we aim to explore how phishing attackers are exploiting USPS impersonation domains. Additionally, we will share how to use the Domain Search link scanner feature of the threat intelligence search engine Criminal IP to identify text scams exploiting suspicious phishing sites.
Subtle Techniques of USPS Phishing Sites and Text Scams
In 2001, USPS reportedly sent over 103.6 billion delivery status emails to users. This high volume indicates the widespread use of USPS services in the United States. Nowadays, with the prevalence of mobile text services that are more convenient than email systems, checking real-time delivery status has become easier. However, along with the convenience of mobile services, there is also a rise in text scams targeting parcel users. If you examine the URLs inserted in text messages sent as USPS text scams, you’ll often find domains using keywords like “Track,” “Monitor,” or “Package” to entice users waiting for their parcels to click on them.

According to a report, Akamai, a distributed computing specialist, analyzed suspicious USPS phishing SMS messages redirecting to domains containing malicious JavaScript code for five months. The analysis revealed that the total number of queries from USPS phishing sites using popular top-level domains (TLDs) such as “.com,” “.top,” “.shop,” “.xyz,” “.org,” and “.info” exceeded one million. Moreover, starting from late November into the winter holiday season, the total queries from phishing sites surpassed those from the official site usps.com. Clicking on the malicious URLs inserted in SMS messages could lead to the leakage of sensitive information such as user account details and card information linked to mobile devices.

Statistics of USPS Phishing Sites Detected by AI Link Scanners
We analyzed USPS phishing sites detected by the AI link scanner extension Criminal IP over the past 8 months. Similar to Akamai’s analysis insights, there was a significant increase in phishing sites during the year-end and early-year period when parcel usage was high. In January, which saw the highest detection of phishing sites, a total of 323 domains impersonating USPS were discovered in one month. Recently, there have been around 100 to 200 phishing sites detected per month.

The more famous a service is, the more easily it becomes a target of phishing attacks. The statistics also show that during periods of heavy attack activity, the number of domains blocked as a result of victims’ reports or cyber investigations increases as well, and more new phishing sites are created.
Identifying USPS Phishing Sites With a Real-time Link Scanner
Due to their notoriety, USPS phishing sites are swiftly generated and taken down. This rapid turnover means that victims are repeatedly targeted with new smishing attacks featuring freshly inserted phishing sites, making it increasingly difficult to discern legitimate links from fraudulent ones. What’s needed in such situations is a real-time link scanner and URL inspection tool. Criminal IP’s Domain Search allows users to input suspicious URLs and scan them to detect phishing sites in real time. We recently scanned the domain of a USPS phishing site used in a smishing attack with Domain Search.
The URL for the phishing site is usps-pr [.] helptme [.] top/address.html, which uses the .top top-level domain, and the URI also contains USPS strings and keywords that induce users to click, such as helpme.
- Check the USPS phishing site link scanner scan results: https://www.criminalip.io/domain/report?scan_id=12637492
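The URL traits described in this article (a USPS string on a host that is not usps.com, the TLDs listed above, and lure keywords) can be checked locally before a link is submitted to a scanner. The sketch below is an added example, not Criminal IP's detection logic; the function names and the constructed test URLs are assumptions, and it offers only lexical triage, not a verdict.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "usps.com"   # official site named in the article
BRAND = "usps"
# TLDs and lure keywords taken from the article text
LISTED_TLDS = {"com", "top", "shop", "xyz", "org", "info"}
LURES = ("track", "monitor", "package", "helpme")

def refang(url: str) -> str:
    """Undo common defanging such as 'host [.] top' or hxxp://."""
    url = re.sub(r"\s*\[\.\]\s*", ".", url.strip())
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    # urlsplit only fills in hostname when a scheme is present
    return url if "://" in url else "http://" + url

def triage(url: str) -> dict:
    """Return the lexical signals a URL from an SMS message exhibits."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower().rstrip(".")
    # Official only if the host IS usps.com or a true subdomain of it;
    # 'usps.com.example.xyz' must not pass this check.
    official = host == OFFICIAL or host.endswith("." + OFFICIAL)
    signals = []
    if not official:
        text = host + parts.path.lower()
        if BRAND in host:
            signals.append("brand string in non-official host")
        if host.rsplit(".", 1)[-1] in LISTED_TLDS:
            signals.append("TLD listed in the article")
        signals += [f"lure keyword: {k}" for k in LURES if k in text]
    return {"host": host, "official": official, "signals": signals}

if __name__ == "__main__":
    samples = [
        "usps-pr [.] helptme [.] top/address.html",     # from the article
        "hxxps://usps.com.package-track[.]xyz/",        # constructed sample
        "https://tools.usps.com/go/TrackConfirmAction", # official host
    ]
    for s in samples:
        print(triage(s))
```

Exact keyword matching does not fire on the `helptme` spelling in the scanned host, so for that URL the brand-on-foreign-host check is what raises the flag. Signals such as domain age, redirects and favicon reuse require an actual scan.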

The scan results reveal that the site has been assessed with a critical domain score of 99% in terms of risk level and is a newly created domain, active for less than a month. Furthermore, within the HTML code, there are embedded redirection events commonly associated with malicious intent. The site’s favicon is also identified as a fraudulent favicon. Most importantly, the AI analysis indicates a very high likelihood of phishing with a Probability of Phishing URL at 96.38%.
Phishing attacks such as USPS phishing and text scams, which are popular among attackers, frequently employ new domains. Therefore, it’s wise to employ scanning tools or threat intelligence to prevent such attacks. If you receive a text containing an unsolicited package or mail delivery tracking link, it’s crucial to scan it with Criminal IP before clicking to verify the legitimacy of the elements mentioned.
It’s important to avoid clicking on domains used in phishing attacks because they can lead to the download of malicious code or the leakage of information just by accessing them. The Criminal IP link scan results include screenshot data, enabling you to view the access screen of the domain without actually visiting the phishing site. The left image shows the actual USPS official site’s shipment tracking screen, while the right image displays the screen of the phishing site scanned with Domain Search. Comparing the two screens, you can see that USPS phishing sites are crafted with sophistication, making them appear genuine enough to prompt victims to enter personal information without suspicion.

Prevent Text Scam With Criminal IP Domain Search
The rapid advancement of AI technology has led to a significant increase in domains impersonating not just USPS but also numerous global brands, resulting in a rise in phishing attack incidents. As phishing sites become more sophisticated and faster, it’s crucial to enhance prevention methods accordingly. When identifying suspicious domains, using Criminal IP’s Domain Search as a link scanner enables you to not only detect phishing but also access detailed security intelligence about each component of the domain. It is advisable to utilize Criminal IP Domain Search to scan the domain address and mitigate the risk of falling victim to text scams when accessing a suspicious site.
For more information, check out the article: Can Threat Intelligence Detect QR Code Phishing That Evades Spam Blocking Solutions?
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat intelligence.
Data source: Criminal IP (https://www.criminalip.io)
