Sophisticated Smishing Attack Example — Fake USPS

cr45hmurphy
4 min read · Jul 8, 2023


TL;DR: The USPS won’t ask you to pay for a package via text or otherwise. That’s just not how they do things. Undelivered packages have to be paid for and picked up at the post office directly.

I wanted to take a quick second to pull together a very recent smish (SMS phish) that I received. If nothing else, I want to show the sophistication that attackers can develop for these types of attacks. So, without further ado, let’s jump in!

I received this text message on my phone:

Informed-USPS: We encountered issues delivering your package. Pay re-delivery fees here: https://heldshipment-reship.com

At first glance, it seems off, but it also feels like it has some legitimacy to it. So, being the curious cyber guy I am, I’ll go ahead and play along. Clicking on the link brings us to this:

Fake tracking page showing EV938507560CN.
Fake USPS site. Very well done, I must admit.

Whoa! This seems even more legit now! I mean, most fake sites are obvious, but this one? Not so much. Hovering over any of the links in the navigation bar shows that they are meant to send you to the legitimate USPS.com.

Now, let’s stop right here for just a second. I want to point out how the layperson would be able to determine that this might be fake, right from the point of getting the message:

Something to remember here is that the URL sent in the text message was http[s]://heldshipment-reship[.com] (I’ve added the brackets for cyber-safety purposes). There is no tracking number anywhere in that link, and yet the page lands straight on one. A real tracking page gets the number from the URL or from you typing it in; it doesn’t just know it.

ALERT! ALERT! That’s not how that works!

Let’s go ahead and look at some details of the site. It’s using HTTPS, so that means we have an SSL certificate of some sort. I pull that up and find that the certificate actually looks in

Whoa! These guys splurged! A certificate fully signed by DigiCert? Nice touch! But, any indication or mention of USPS.com on here? Nope. Tsk tsk tsk. Keep in mind what a certificate actually proves: that whoever requested it controls the domain name written in it, here heldshipment-reship[.com]. The name of the issuing CA says nothing about who that someone is, and nothing on this certificate ties the site to USPS.

While I’m at it, why don’t I check the validity of this site within Talos? Don’t mind if I do.

USPS is expanding to the Netherlands

And finally, let’s check out the WHOIS lookup. Here’s the USPS.com site, for comparison:

And here is the imposter:

Right off the bat, we see that the USPS.com site was registered on July 10, 1997, whereas HeldShipment was registered July 07, 2023, one day before this post was written. They’re also registered with two different registrars. A domain that is a day old is about the strongest signal a public lookup can give you that a “USPS” page is nothing of the sort.
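The two checks above (pulling the link out of the text and bracketing it the way I did earlier, then holding the domain’s WHOIS creation date up against the day the text arrived) are easy to script so you don’t have to eyeball them every time. The following is an added example written for this post, not code from the original, and it runs offline: the SMS is a copy of the one quoted above and the WHOIS records are constructed samples that only carry the creation dates reported here. The 30-day threshold and the “brand keyword” heuristic are my own assumptions.

```python
"""Offline triage of a suspected smishing link: pull the URL out of the
message, defang it for sharing, and compare the domain's WHOIS creation date
with the day the text arrived. Added example, not code from the original
post; the SMS and WHOIS text below are constructed samples."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed copy of the text message quoted in the post, and the day it arrived.
SMS_TEXT = ("Informed-USPS: We encountered issues delivering your package. "
            "Pay re-delivery fees here: https://heldshipment-reship.com")
RECEIVED = date(2023, 7, 8)

# Constructed WHOIS excerpts. Layout mimics the common "Key: value" registrar
# output; the creation dates are the ones the post reports for each domain.
WHOIS_SAMPLES = {
    "usps.com": "Domain Name: USPS.COM\nCreation Date: 1997-07-10T04:00:00Z\n",
    "heldshipment-reship.com": ("Domain Name: HELDSHIPMENT-RESHIP.COM\n"
                                "Creation Date: 2023-07-07T00:00:00Z\n"),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
CREATED_RE = re.compile(r"^\s*Creat(?:ion|ed)\s+Date:\s*(\S+)",
                        re.IGNORECASE | re.MULTILINE)
NEW_DOMAIN_DAYS = 30  # assumption: anything younger than a month is suspicious


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL in the message, minus trailing punctuation."""
    return [u.rstrip(".,;:!?)\"'") for u in URL_RE.findall(text)]


def registrable_domain(url: str) -> str:
    """Collapse a hostname to its last two labels. Assumes a one-label TLD;
    production code should consult the Public Suffix List (e.g. for co.uk)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def defang(url: str) -> str:
    """Render the URL unclickable using the post's own bracket convention:
    https://heldshipment-reship.com -> http[s]://heldshipment-reship[.com]"""
    parts = urlsplit(url)
    scheme = "http[s]" if parts.scheme.lower() == "https" else parts.scheme
    host = parts.hostname or ""
    head, dot, tld = host.rpartition(".")
    host = f"{head}[{dot}{tld}]" if dot else host
    tail = parts.path + (f"?{parts.query}" if parts.query else "")
    return f"{scheme}://{host}{tail}"


def creation_date(whois_text: str) -> Optional[date]:
    """Parse the registrar's creation timestamp; None if the record lacks one."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).date()


@dataclass
class Verdict:
    url: str
    defanged: str
    domain: str
    created: Optional[date]
    age_days: Optional[int]
    reasons: list[str] = field(default_factory=list)


def triage(sms: str, received: date, brand_domain: str,
           brand_keywords: tuple[str, ...],
           whois_lookup: Callable[[str], Optional[str]]) -> list[Verdict]:
    """Flag every link in an SMS. `whois_lookup` maps a domain to raw WHOIS
    text (a live lookup in practice; the constructed dict above here)."""
    verdicts = []
    mentions_brand = any(k in sms.lower() for k in brand_keywords)
    for url in extract_urls(sms):
        domain = registrable_domain(url)
        created = creation_date(whois_lookup(domain) or "")
        age = (received - created).days if created else None
        reasons = []
        if mentions_brand and domain != brand_domain:
            reasons.append(f"message invokes the brand but links to {domain}, not {brand_domain}")
        if age is None:
            reasons.append("no WHOIS creation date available")
        elif age < NEW_DOMAIN_DAYS:
            reasons.append(f"domain registered {age} day(s) before the message arrived")
        verdicts.append(Verdict(url, defang(url), domain, created, age, reasons))
    return verdicts


if __name__ == "__main__":
    for v in triage(SMS_TEXT, RECEIVED, "usps.com", ("usps",), WHOIS_SAMPLES.get):
        print(v.defanged, "->", "; ".join(v.reasons) or "no flags")
```

Run as-is it prints the defanged link with both flags raised: the message name-drops USPS but points somewhere else, and the domain is one day old. Swap `WHOIS_SAMPLES.get` for a real lookup and the same function works on a live record; the date parser deliberately returns None rather than guessing when a registrar omits the creation line, and that absence is itself reported as a flag.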

Continuing on, I went ahead and pulled up USPS.com on a separate page and threw the tracking number in and I got this:

Okay, so now we seem to have a basis of legitimacy from the real USPS.com site. Hmmmm…. how about we play the game a little longer?

Going back to the fake site, we see that the bottom of the page has a request for my shipping information to be updated.

Let’s smash that “Continue” button, shall we?

Okay, this doesn’t look too harmful. Clicking “Continue” on this page, without entering information, informs me that I can’t move forward without actually providing some info. So, I’ll go ahead and throw in some bogus deets and then try that “Continue” button again.

And thus, we have arrived! We have the crux of the whole attack. “It’s just a simple $0.50 charge to make everything better and we’ll get your package to you!”

Uh huh. I’m sure you will.

This page is trying to do one thing, and one thing only: get your credit card information. With the prior screen and this one combined, the attacker has everything they need to charge away on your card: name, address, card number, expiry and CVV.

I threw in some more bogus credit card information and clicked “Submit”. I was taken to a “Payment Processing” screen, which then thanked me for paying the “delivery fee” and redirected me to the real USPS.com page.

As I said before, this is just a post to bring awareness to these types of attacks. Normally, a company or organization shouldn’t be sending you a text message asking you to make a payment at a link they provide. Most utilize email, phone, and/or physical mail to request payments. But even still, if you feel uncomfortable or uneasy about a communication that a legitimate business is sending you, then simply call them, using a number you look up yourself rather than one in the message. Verify before handing out information. Because at the end of the day, the only person that’s going to look out for you the best is YOU!

Until next time!

-cr45hmurphy
