Impacted Users: iPhone users in India
Impact: Possible financial loss; stolen information can be used for future attacks
Severity Level: Medium
The FortiGuard Labs Threat Research team recently observed a number of social media posts commenting on a fraud campaign targeting India Post users. India Post is India’s government-operated postal system. It is part of the Ministry of Communications and has a vast network of over 150,000 post offices across the country, making it one of the largest postal systems in the world.
In this campaign, iPhone users are being targeted by smishing attacks claiming to be from India Post. This scam involves sending an iMessage to iPhone users that falsely claims that a package is waiting at an India Post warehouse.
Public reporting suggests this campaign is being attributed to a China-based threat actor known as the Smishing Triad. This group has previously targeted other regions, including the US, UK, EU, UAE, KSA, and, most recently, Pakistan.
We have observed third-party email addresses such as Hotmail, Gmail, or Yahoo being used in phishing emails on iMessage. Apple allows users to create an Apple ID using these third-party email addresses as the primary email associated with their Apple ID. Once the Apple ID is created and configured for iMessage, the sender can use that third-party email address to send messages through iMessage. The messages often contain a short URL, leading to a fraudulent website.
Upon investigation, we discovered a significant number of newly registered domains being used for current and potential phishing scams. This blog highlights the tools and methods used to propagate such phishing campaigns and explores the scale of these operations, the tactics employed by threat actors, and other relevant insights.
Domain Names Impersonating India Post
Between January and July 2024, we found over 470 domain registrations mimicking India Post’s official domain. Among these, 296 domains were registered via the Chinese registrar Beijing Lanhai Jiye Technology Co., Ltd., followed by 152 registrations through Namesilo, an American domain registrar. The notable concentration of registrations through a Chinese registrar certainly raises substantial concerns about the underlying intentions. This activity exemplifies a homograph phishing attack, where domain names are created to look visually similar to legitimate ones.
- There was a clear spike in registrations during June and July 2024. Notable dates include:
- 26 June 2024: 42 domains
- 09 June 2024: 33 domains
- 13 June 2024: 32 domains
- 06 July 2024: 36 domains
- 04 July 2024: 26 domains
- 08 July 2024: 25 domains
The most frequently used top-level domains (TLDs) include ‘vip’ (200 registrations), ‘top’ (81 registrations), and ‘buzz’ (40 registrations).
The registration cost per domain varies: ‘vip’ TLDs typically range from USD 4 to USD 5 per domain, whereas ‘top’ TLDs cost between USD 1 and USD 2 per domain.
To calculate the total investment:
IP Address Analysis
Our analysis revealed that Tencent, a Chinese hosting service provider, hosts a significant number of these domains (232). Additionally, Tencent hosts 16 domains registered in Santa Clara.
Further analysis revealed that 262 domain names point to the IP address 119.28.68[.]187, also hosted on Tencent‘s servers.
Fraudulent Website Analysis
When investigating the phishing domain ‘indiapost[.]top,‘ which impersonates India Post through a cloned copy of the original website, it was discovered that the domain does not host any content. Instead, specific paths on the domain are utilized to host the phishing website that impersonates India Post.
While the domain name was registered on 28th November 2023, it is now actively being used in their operations. It is now likely to evade detection by antivirus engines as domains typically gain reputation over time.
The phishing site (on the left) is an identical copy of the original India Post website (on the right).
Continuing as a regular user, the fraudsters collect sensitive information such as name, full residential address, email ID, and phone number. This information can be leveraged in future operations for further scams, sending phishing emails, spreading disinformation/misinformation, or distributing malware.
On the next page, the fraudulent site requests debit/credit card information for a payment of INR 25.02, claiming it is a charge for redelivering the package.
Modus-Operandi
The threat actors begin by sending a message via iMessage directly to the recipients’ registered Apple ID email addresses. The sender ID could be a newly registered Apple ID or a compromised account. This method ensures that the message appears within the recipient’s Messages app as an iMessage, distinct from traditional email communications, provided both parties use iMessage-enabled devices and have their Apple IDs configured for iMessage.
Recommendations to Mitigate Phishing Scams
- Be Sceptical of Unexpected Emails: Do not open emails from unknown senders. Be cautious with unexpected emails, especially those requesting personal information or urging immediate action.
- Verify URLs: Before clicking on links in emails or messages, hover over them to see the actual URL. Ensure the link points to a legitimate website by checking for common signs of phishing, such as misspelled domain names or unusual URLs.
- Check for HTTPS: Ensure that websites where you enter personal information use HTTPS (look for the padlock icon in the browser’s address bar). However, HTTPS alone does not guarantee a site’s safety.
- Do Not Share Personal Information: Avoid sharing sensitive information like passwords, social security or other identification numbers, and credit card or banking details via email or messaging apps.
- Use Strong, Unique Passwords: Create strong, unique passwords for different accounts. Consider using a password manager to generate and store complex passwords securely.
- Enable Multi-Factor Authentication (MFA): Enable MFA on your accounts whenever possible to add an extra layer of security.
- Be Cautious with Attachments: Do not open attachments from unknown or suspicious sources, as they may contain malware.
- Update Software Regularly: Keep your operating system, browser, and software up to date with the latest security patches.
- Educate Yourself: Stay informed about common phishing tactics and scams. Familiarize yourself with the latest phishing techniques and how to recognize them.
- Report Phishing Attempts: Report any phishing emails or messages to the relevant authorities or service providers. This can help prevent others from falling victim to the same scam.
Conclusion
The investment in registering these domain names alone exceeds USD 1500, not to mention additional costs for hosting and development. This significant investment highlights the threat actors’ commitment, the phishing operation’s scale, and its potential long-term impact. As a result, we feel that the likelihood of numerous victims falling prey to these scams is increased, leading to substantial financial losses, data breaches, and other security issues for individuals and organizations targeted by these domains.
This operation may also serve as a strategic initiative to raise funds to fuel operations in China. Because of this, awareness and proactive measures are crucial to mitigating the risks posed by these phishing activities.
Fortinet Protections
The suspicious domains used in the campaign described in this report are detected and blocked by FortiGuard URL Filtering Service, utilized by FortiGate, FortiClient, and FortiMail, as:
WebFilter:Phishing
WebFilter:Spam URLs
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
In addition to these protections, we suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs
Sender Email Address
italenbabusik@hotmail[.]com
jessica467@qlq-online[.]de
marrotte436915@gmail[.]com
orozcoharryavw@hotmail[.]com
chermonahscales2980545@gmail[.]com
Domain Names
|
indiapost[.]xyz |
|
indiapost[.]online |
|
indiapost[.]live |
|
indiapost[.]biz |
|
indiapost[.]club |
|
indiapost[.]pics |
|
indiapost[.]homes |
|
indiapost[.]click |
|
indiapost[.]vip |
|
indiapost[.]buzz |
|
indiapost[.]sbs |
|
indiapost[.]skin |
|
indiapost[.]world |
|
indiapost[.]cfd |
|
indiapost[.]cyou |
|
indiapost[.]rest |
|
indiapost[.]site |
|
indiapost[.]mom |
|
indiapost[.]lat |
|
indiapost[.]lol |
|
indiapost[.]digital |
|
indiapostal[.]com |
|
indiapostdaily[.]com |
|
indiapostin[.]com |
|
indiaposte[.]com |
|
indiapostgdsonline[.]in |
|
indiapostcode[.]online |
|
indiapostalgds[.]com |
|
indiapostofficejob[.]org |
|
indiapostal[.]xyz |
|
indiapostrecruitment2021[.]xyz |
|
indiapostpayment[.]in |
|
indiapostfast[.]com |
|
indiapost-in[.]xyz |
|
indiapostin[.]top |
|
indiapostusa[.]xyz |
|
indiapostn[.]top |
|
indiapostgovv[.]top |
|
indiapostt[.]top |
|
indiapostgov[.]info |
|
indiapostgdsonline[.]ink |
|
indiaposte[.]top |
|
indiaposthuman[.]com |
|
indiaposti[.]icu |
|
indiapostgov[.]org |
|
indiapostalcode[.]org |
|
indiapostpogo[.]top |
|
indiapostgk[.]sbs |
|
indiapostij[.]top |
|
indiapostscv[.]top |
|
indiaposthy[.]top |
|
indiapostpv[.]top |
|
indiapostjx[.]top |
|
indiapostco[.]top |
|
indiapostcw[.]top |
|
indiapostkp[.]sbs |
|
indiapostkp[.]buzz |
|
indiapostbov[.]top |
|
indiapostnov[.]buzz |
|
indiapostgk[.]buzz |
|
indiapostscv[.]buzz |
|
indiapostsfv[.]buzz |
|
indiapostscv[.]sbs |
|
indiapostsfv[.]top |
|
indiapostfb[.]top |
|
indiapostwb[.]top |
|
indiapostxh[.]top |
|
indiapostyt[.]top |
|
indiapostgk[.]lol |
|
indiapostgv[.]lol |
|
indiapostbov[.]sbs |
|
indiapostnov[.]sbs |
|
indiapostkp[.]top |
|
indiapostlf[.]top |
|
indiapostbs[.]top |
|
indiapostbw[.]top |
|
indiapostcu[.]top |
|
indiapostem[.]top |
|
indiapostgl[.]top |
|
indiaposthk[.]top |
|
indiapostjd[.]top |
|
indiapostkg[.]top |
|
indiapostmc[.]top |
|
indiapostmr[.]top |
|
indiapostnj[.]top |
|
indiapostnn[.]top |
|
indiapostsc[.]top |
|
indiapostsy[.]top |
|
indiapostwy[.]top |
|
indiapostxf[.]top |
|
indiapostsx[.]buzz |
|
indiapostdgx[.]buzz |
|
indiapostsdu[.]buzz |
|
indiapostdes[.]buzz |
|
indiapostsx[.]icu |
|
indiapostdu[.]icu |
|
indiapostsdu[.]top |
|
indiapostcg[.]buzz |
|
indiapostgc[.]buzz |
|
indiapostnews[.]buzz |
|
indiaposttc[.]buzz |
|
indiapostdgx[.]lat |
|
indiapostvg[.]buzz |
|
indiapostcg[.]life |
|
indiapostvg[.]sbs |
|
indiapostbs[.]sbs |
|
indiapostvg[.]xyz |
|
indiapostjsx[.]xyz |
|
indiapostdm[.]buzz |
|
indiapostbm[.]buzz |
|
indiapostjsx[.]buzz |
|
indiapostdgx[.]cfd |
|
indiapostsx[.]cfd |
|
indiapostgx[.]cfd |
|
indiapostdgx[.]sbs |
|
indiapostdm[.]sbs |
|
indiapostjsx[.]sbs |
|
indiapostsx[.]sbs |
|
indiapostbm[.]top |
|
indiapostsx[.]xyz |
|
indiapostbm[.]xyz |
|
indiapostdgx[.]xyz |
|
indiapostdm[.]xyz |
|
indiapostlv[.]top |
|
indiapostmk[.]top |
|
indiapostil[.]top |
|
indiapostdgx[.]top |
|
indiapostkr[.]top |
|
indiapostlt[.]top |
|
indiapostgx[.]lat |
|
indiapostigu[.]xyz |
|
indiapostgx[.]world |
|
indiapostok[.]top |
|
indiapostrc[.]top |
|
indiapostah[.]top |
|
indiapostfw[.]top |
|
indiapostwl[.]top |
|
indiapostwm[.]top |
|
indiapostci[.]top |
|
indiapostdq[.]top |
|
indiapostjp[.]top |
|
indiapostmj[.]top |
|
indiapostnx[.]top |
|
indiapostos[.]top |
|
indiapostpy[.]top |
|
indiapostqr[.]top |
|
indiapostrq[.]top |
|
indiapostub[.]top |
|
indiapostwg[.]top |
|
indiapostyb[.]top |
|
indiapostyw[.]top |
|
indiapostzc[.]top |
|
indiapostzp[.]top |
|
indiapostsz[.]buzz |
|
indiapostzj[.]buzz |
|
indiapostgz[.]cfd |
|
indiaposteg[.]sbs |
|
indiapostsz[.]top |
|
indiaposteg[.]xyz |
|
indiapostges[.]xyz |
|
indiapostsz[.]xyz |
|
indiapostrg[.]xyz |
|
indiapostsge[.]xyz |
|
indiapostzj[.]xyz |
|
indiapostbg[.]vip |
|
indiapostrg[.]vip |
|
indiapostfd[.]vip |
|
indiaposthk[.]vip |
|
indiapostiw[.]vip |
|
indiapostfv[.]vip |
|
indiapostnz[.]vip |
|
indiapostfw[.]vip |
|
indiapostfj[.]vip |
|
indiapostux[.]vip |
|
indiapostox[.]vip |
|
indiapostdx[.]vip |
|
indiapostwe[.]vip |
|
indiapostwp[.]vip |
|
indiapostdt[.]vip |
|
indiapostpm[.]vip |
|
indiapostkx[.]vip |
|
indiapostpo[.]vip |
|
indiapostmr[.]vip |
|
indiapostym[.]vip |
|
indiapostmu[.]vip |
|
indiapostbl[.]vip |
|
indiapostjl[.]vip |
|
indiapostei[.]vip |
|
indiapostul[.]vip |
|
indiapostax[.]vip |
|
indiapostny[.]vip |
|
indiapostxt[.]vip |
|
indiapostik[.]vip |
|
indiapostir[.]vip |
|
indiapostns[.]vip |
|
indiapostqb[.]vip |
|
indiapost-update[.]com |
|
indiapostqq[.]vip |
|
indiapostdo[.]vip |
|
indiapostes[.]vip |
|
indiapostcp[.]vip |
|
indiapostfs[.]vip |
|
indiapost-updatemypost[.]com |
|
indiapost-trackmypost[.]com |
|
indiapostub[.]vip |
|
indiapostag[.]vip |
|
indiapostam[.]vip |
|
indiapostej[.]vip |
|
indiapostgt[.]vip |
|
indiapostgw[.]vip |
|
indiaposthn[.]vip |
|
indiapostlg[.]vip |
|
indiapostvb[.]vip |
|
indiapostxz[.]vip |
|
indiapostjo[.]vip |
|
indiapostne[.]vip |
|
indiapostps[.]vip |
|
indiapostby[.]vip |
|
indiapostoc[.]vip |
|
indiaposthd[.]vip |
|
indiapostxr[.]vip |
|
indiapostqw[.]vip |
|
indiapostmt[.]vip |
|
indiapostaz[.]vip |
|
indiapostvx[.]vip |
|
indiapostwq[.]vip |
|
indiapostuf[.]vip |
|
indiapostgi[.]vip |
|
indiapostjq[.]vip |
|
indiapostph[.]vip |
|
indiapostmz[.]vip |
|
indiapostdv[.]vip |
|
indiapostoi[.]vip |
|
indiapostrc[.]vip |
|
indiaposttg[.]vip |
|
indiapostbz[.]vip |
|
indiapostnt[.]vip |
|
indiapostek[.]vip |
|
indiapostld[.]vip |
|
indiaposttx[.]vip |
|
indiapostzv[.]vip |
|
indiapostjk[.]vip |
|
indiapostagov[.]icu |
|
indiapostusa[.]cfd |
|
indiapostwc[.]vip |
|
indiapostht[.]vip |
|
indiapostxf[.]vip |
|
indiapostib[.]vip |
|
indiapostgu[.]vip |
|
indiapostpq[.]vip |
|
indiaposteo[.]vip |
|
indiapostap[.]vip |
|
indiapostdf[.]vip |
|
indiapostjx[.]vip |
|
indiapostky[.]vip |
|
indiapostlj[.]vip |
|
indiapostmn[.]vip |
|
indiapostnr[.]vip |
|
indiapostqr[.]vip |
|
indiapostvg[.]vip |
|
indiapostzc[.]vip |
|
indiapost-trackpost[.]com |
|
indiapost-updatemyparcel[.]com |
|
indiapostusa[.]buzz |
|
indiapost-checkmypost[.]com |
|
indiapost-checkmymail[.]com |
|
indiaposte[.]buzz |
|
indiaposte[.]icu |
|
indiapostusa[.]icu |
|
indiapostlw[.]sbs |
|
indiapostgui[.]sbs |
|
indiapostigu[.]sbs |
|
indiapostgui[.]xyz |
|
indiapostdw[.]xyz |
|
indiaposte[.]xyz |
|
indiapostlw[.]xyz |
|
indiapostzd[.]vip |
|
indiaposteg[.]vip |
|
indiapostbv[.]vip |
|
indiapostur[.]vip |
|
indiapostiv[.]vip |
|
indiapostdd[.]vip |
|
indiapostqh[.]vip |
|
indiapostwg[.]vip |
|
indiapostsil[.]cyou |
|
indiapostru[.]vip |
|
indiapostbm[.]vip |
|
indiapostwh[.]vip |
|
indiapostmk[.]vip |
|
indiapostol[.]vip |
|
indiapostqs[.]vip |
|
indiapostlt[.]vip |
|
indiapostdw[.]top |
|
indiapostlw[.]top |
|
indiapostfr[.]vip |
|
indiapostbe[.]vip |
|
indiapostbs[.]vip |
|
indiapostcs[.]vip |
|
indiapostfn[.]vip |
|
indiapostfy[.]vip |
|
indiapostjd[.]vip |
|
indiapostjf[.]vip |
|
indiapostkm[.]vip |
|
indiapostkq[.]vip |
|
indiaposton[.]vip |
|
indiapostpj[.]vip |
|
indiapostpy[.]vip |
|
indiapostse[.]vip |
|
indiapostsq[.]vip |
|
indiapostss[.]vip |
|
indiapostvd[.]vip |
|
indiapostvy[.]vip |
|
indiapostxw[.]vip |
|
indiapostyr[.]vip |
|
indiapostsp[.]vip |
|
indiapostha[.]vip |
|
indiapostog[.]vip |
|
indiapostqf[.]vip |
|
indiapostut[.]vip |
|
indiapostwk[.]vip |
|
indiapostin[.]sbs |
|
indiapostin[.]xyz |
|
indiapostin[.]live |
|
indiapostsa[.]buzz |
|
indiaposta[.]buzz |
|
indiapostdw[.]buzz |
|
indiapostgv[.]buzz |
|
indiapostoffice[.]buzz |
|
indiaposts[.]buzz |
|
indiapostzh[.]buzz |
|
indiaposta[.]mom |
|
indiaposts[.]mom |
|
indiapostsa[.]mom |
|
indiapostzh[.]sbs |
|
indiaposta[.]xyz |
|
indiapostgv[.]xyz |
|
indiapostks[.]buzz |
|
indiapostgov[.]xyz |
|
indiapostgo[.]buzz |
|
indiapostgo[.]life |
|
indiapostgo[.]mom |
|
indiapostgds[.]org |
|
indiapostgo[.]xyz |
|
indiapostsge[.]cfd |
|
indiapostgv[.]cfd |
|
indiapostcp[.]buzz |
|
indiapostblog[.]buzz |
|
indiapostges[.]buzz |
|
indiapostsge[.]buzz |
|
indiapostsv[.]buzz |
|
indiapostoffice[.]hair |
|
indiapost-gov[.]life |
|
indiapostoffice[.]life |
|
indiapostgv[.]sbs |
|
indiaposty[.]xyz |
|
indiapostgy[.]vip |
|
indiapost-vip-in[.]buzz |
|
indiapostggs[.]cfd |
|
indiapostbs[.]cfd |
|
indiapostcp[.]sbs |
|
indiapostggs[.]sbs |
|
indiapost-i[.]com |
|
indiapostyxw[.]buzz |
|
indiapostgov[.]top |
|
indiaposti[.]com |
|
indiapost-gov[.]com |
|
indiapost-tel[.]com |
|
indiapost-in[.]com |
|
indiapost-gov[.]icu |
|
indiapost-in[.]net |
|
indiapost-postain[.]top |
|
indiapostiu[.]vip |
|
indiapost-indi[.]top |
|
indiaposttel[.]com |
|
indiapost1[.]com |
|
indiapost-i[.]net |
|
indiaposty[.]sbs |
|
indiapost-i[.]top |
|
indiapostoffice[.]top |
|
indiapost-ind[.]top |
|
indiapostaq[.]vip |
|
indiapostew[.]vip |
|
indiapostgf[.]vip |
|
indiapostlk[.]vip |
|
indiapostaw[.]vip |
|
indiapostds[.]vip |
|
indiaposter[.]vip |
|
indiapostjh[.]vip |
|
indiapostmf[.]vip |
|
indiapostnm[.]vip |
|
indiapostoj[.]vip |
|
indiapostop[.]vip |
|
indiapostqv[.]vip |
|
indiapostrl[.]vip |
|
indiaposttn[.]vip |
|
indiapostty[.]vip |
|
indiapostui[.]vip |
|
indiapostxc[.]vip |
|
indiapostxp[.]vip |
|
indiapostkz[.]vip |
|
indiapostq[.]xyz |
|
indiapostw[.]xyz |
|
indiaposta-in[.]top |
|
indiapost-gov-a[.]buzz |
|
indiapost-gov-in[.]buzz |
|
indiaposte[.]sbs |
|
indiapost-posta[.]top |
|
indiapostoffices[.]top |
|
indiapostgm[.]vip |
|
indiapostmh[.]vip |
|
indiapostbx[.]vip |
|
indiapostcb[.]vip |
|
indiapostjt[.]vip |
|
indiapostks[.]vip |
|
indiapostnh[.]vip |
|
indiapostnw[.]vip |
|
indiapostpt[.]vip |
|
indiapostrf[.]vip |
|
indiaposttj[.]vip |
|
indiapostwv[.]vip |
|
indiapostyx[.]vip |
|
indiapostyz[.]vip |
|
indiapostgx[.]vip |
|
indiapostpd[.]vip |
|
indiapostsl[.]vip |
|
indiapostvu[.]vip |
|
indiapostzy[.]vip |
|
indiapostvt[.]vip |
|
indiapostim[.]vip |
|
indiapostxn[.]vip |
|
indiapostqi[.]vip |
|
indiapostbj[.]vip |
|
indiapostyt[.]vip |
|
indiapostdk[.]vip |
|
indiapostnews[.]top |
|
indiapost-al[.]com |
|
indiaposty[.]cfd |
|
indiapostid[.]vip |
|
indiapost-ia[.]top |
|
indiapostk[.]com |
|
indiapost-gov-i[.]com |
|
indiapost-l[.]com |
|
indiapost-p[.]com |
|
indiaposta[.]com |
|
indiaposth[.]com |
|
indiapostl[.]com |
|
indiapostt[.]com |
|
indiapostos[.]com |
|
indiapostall[.]com |
|
indiapost-l[.]net |
|
indiapostgroup[.]net |
|
indiapostos[.]net |
|
indiapostkl[.]vip |
|
indiapostoffice[.]one |
|
indiapostpi[.]vip |
|
indiapostqo[.]vip |
|
indiapostyl[.]vip |
|
indiapostto[.]vip |
|
indiapostwf[.]vip |
|
indiapostnc[.]vip |
|
indiapostvm[.]vip |
|
indiaposttb[.]vip |
|
indiapostal[.]top |
|
indiapostao[.]vip |
|
indiapostit[.]vip |
|
indiapostec[.]vip |
|
indiapostsf[.]vip |
|
indiapostzu[.]vip |
|
indiapostic[.]vip |
|
indiapostix[.]vip |
|
indiapostil[.]vip |
|
indiapost-telgov[.]com |
|
indiapostos-in[.]com |
|
indiapost-h[.]com |
|
indiand[.]xyz/track/ |
|
dsfdg[.]sbs/i/ |
|
indiapostsi[.]top/IN/ |
|
indiapostin[.]com/in/ |
|
indiapost-id[.]top/BRblTi/ |
|
indiapost-i[.]net/in/ |
|
indiaapost[.]cyou/track/ |
|
indiaptgov[.]top/in/ |
|
indaai[.]live/track/ |
|
indiapost-al[.]com/in/ |
“`html
- MITRE ATT&CK TTPs – created by AI
- Phishing (T1071)
- Threat actors send fraudulent messages via iMessage to lure victims into providing personal information.
- Messages often contain links to phishing websites that impersonate legitimate services.
- Domain Spoofing (TLDs)
- Threat actors register numerous domains that mimic the official domain of India Post.
- These domains are used to host phishing websites that collect sensitive information from victims.
- Credential Harvesting (T1070)
- Fraudulent websites request sensitive information such as debit/credit card details under the pretense of package delivery fees.
- Collected information can be used for future scams or sold on the dark web.
- Social Engineering (T1203)
- Threat actors exploit trust by impersonating India Post to manipulate victims into taking action.
- Messages create a sense of urgency, prompting victims to click on malicious links.
“`
Source: Original Post