Summary: This content discusses a phishing campaign that targets the United States Postal Service (USPS) and highlights how the traffic to fake USPS domains is similar to or even higher than the legitimate site, especially during holidays.
Threat Actor: USPS Phishing Campaign
Victim: United States Postal Service (USPS)
Key points:
- Phishing campaigns targeting USPS impersonate the legitimate service to trick users into revealing sensitive information or making fraudulent payments.
- During the 2023 holiday season, the traffic to fake USPS domains was almost equal to or even higher than the legitimate domains, indicating the effectiveness of the phishing campaign.
- Akamai Technologies started investigating USPS-themed phishing in October 2023 after an employee received a suspicious email.
Security researchers analyzing phishing campaigns that target the United States Postal Service (USPS) found that traffic to the fake domains is typically similar to what the legitimate site records, and even higher during holidays.
Phishing operations typically target people’s sensitive information (account credentials, card details) or try to trick users into making payments to fraudulent shops or covering fees supposedly required for clearing items that have been placed on hold for various reasons.
USPS phishing
During the 2023 holiday season, Akamai Technologies observed a significant volume of DNS queries going to “combosquatting” domains that impersonate the USPS service.
Akamai started investigating USPS-themed phishing in October 2023 after an employee received a suspicious SMS that redirected to a site containing malicious JavaScript code.
![Phishing SMS](https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/10/sms.png)
Akamai
Next, the analysts compiled a list of all domains using the same JS file from the past five months and kept only those with the USPS string in their name.
The pages are very convincing, appearing as exact replicas of the authentic USPS site, complete with realistic tracking pages for status updates.
![Phishing USPS site providing fake tracking info](https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/10/tracking.png)
Akamai
In one case, the phishing actors set up what looks like a dedicated postage items shop, which started getting significant traffic in late November, as consumers sought to buy gifts and collectibles for the holiday season.
![Fake USPS stamps shop](https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/10/stamps.png)
Akamai
From October 2023 to February 2024, the most popular malicious domains that Akamai discovered received nearly half a million queries, with two surpassing 150k each.
![Malicious domains generating the most traffic](https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/10/toplist.png)
Akamai
The most popular top-level domains (TLDs) associated with USPS-themed phishing domains were:
- .com – 4,459 domains and 271,278 queries
- .top – 3,063 domains and 274,257 queries
- .shop – 566 domains and 58,194 queries
- .xyz – 397 domains and 30,870 queries
- .org – 352 domains and 16,391 queries
- .info – 257 domains and 7,597 queries
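A defender-side illustration of the two steps described above (filtering resolver traffic down to domains that embed the USPS string, then tallying queries per suspect domain and per TLD as in the breakdown just listed). This is an added example, not Akamai's or BleepingComputer's code; the log line format and the sample queries are constructed, and the registered-domain heuristic assumes single-label TLDs.

```python
import re
from collections import Counter

# Legitimate domain that must never be flagged; the page's point of comparison.
LEGIT_DOMAINS = {"usps.com"}
BRAND = "usps"

# Constructed sample resolver log (assumption: one query per line, qname=... field).
SAMPLE_LOG = """\
2023-11-24T10:02:11Z client=10.0.0.5 qname=tools.usps.com qtype=A
2023-11-24T10:02:19Z client=10.0.0.7 qname=usps-redelivery-fee.top qtype=A
2023-11-24T10:03:02Z client=10.0.0.9 qname=www.usps-tracking-update.shop qtype=A
2023-11-24T10:03:40Z client=10.0.0.7 qname=usps-redelivery-fee.top qtype=A
2023-11-24T10:04:15Z client=10.0.0.2 qname=informeddelivery.usps.com qtype=A
2023-11-24T10:05:55Z client=10.0.0.4 qname=uspsparcel-hold.xyz qtype=A
2023-11-24T10:06:30Z client=10.0.0.3 qname=example.com qtype=A
"""

QNAME_RE = re.compile(r"\bqname=([A-Za-z0-9.-]+)")


def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels.
    Assumption: single-label public suffixes only (no co.uk-style suffixes)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_combosquat(qname: str) -> bool:
    """True when the second-level label embeds the brand string but the
    registered domain is not the real one (combosquatting pattern)."""
    reg = registered_domain(qname)
    if reg in LEGIT_DOMAINS:
        return False
    return BRAND in reg.split(".")[0]


def analyze(log_text: str) -> dict:
    """Count flagged queries per suspect domain and per TLD."""
    per_domain, per_tld = Counter(), Counter()
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m or not is_combosquat(m.group(1)):
            continue
        reg = registered_domain(m.group(1))
        per_domain[reg] += 1
        per_tld["." + reg.rsplit(".", 1)[1]] += 1
    return {"domains": dict(per_domain), "tlds": dict(per_tld)}


if __name__ == "__main__":
    for key, counts in analyze(SAMPLE_LOG).items():
        print(key, counts)
```

Subdomains of the allowlisted domain (tools.usps.com, informeddelivery.usps.com) are left alone, while any other registered domain whose second-level label contains the brand string is counted.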
In total, the malicious websites uncovered by Akamai’s research generated over 1,128,146 queries during the examined period, just short of the 1,181,235 queries recorded for the legitimate USPS site.
![Comparison of total queries](https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/10/total-queries.png)
Akamai
However, the stats show that traffic to the malicious domains between November and December was higher than traffic to the legitimate one, indicating increased malicious activity during the winter holiday season.
![Traffic generation over time](https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/10/comparison.png)
Akamai
Akamai focused this research only on USPS, so the actual scale of these combosquatting campaigns, which potentially encompass many more brands, is likely larger.
Consumers should exercise caution and be skeptical of any SMS or email messages about package shipments.
To verify the legitimacy of such communications, it’s advisable to use the official website (by manually loading it in the browser) to check the delivery status of a product.
Clicking on the links included in messages for tracking parcels may lead to malicious locations.