Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.

I like to show my work, and went pretty far down the rabbit hole with this one:

https://krebsonsecurity.com/2023/10/phishers-spoof-usps-12-other-natl-postal-services/

Phishers Spoof USPS, 12 Other Natl’ Postal Services – Krebs on Security

@briankrebs

I see probably five or six of these a week

Which is why I do *not* do email on my phone

Thunderbird, desktop only

That way I can inspect every URL with a mouse hover and not have to touch anything

Not to mention being able to look at Full Headers, which I hardly ever bother with, because this cr*p is so ludicrously obvious

@FinchHaven yeah, so many people are like, I can't believe suckers fall for domains ending in .top and .click, they're so obviously phishing. Yeah, but that assumes you can actually view the whole url on your mobile easily, which isn't a simple thing for a lot of users.

@briankrebs

Exactly

Sitting ducks, really

If people are even aware of the threat

@FinchHaven @briankrebs Those that miss the ludicrously obvious are the targets. You and I are not their targets. It's the elders or the weak-minded they want to exploit.
@opalmirror @FinchHaven @briankrebs I think that's unfair to many victims. There are a lot of folks out there who would spot these things under normal circumstances, but put them on a phone and add in some distraction / being in a rush and you'll get many more hits.

@dave_andersen

[me ignoring that comment about "elders" by not pointing out that I'm 76 years old]

oops...

cc @opalmirror @briankrebs

@FinchHaven @dave_andersen @briankrebs You both seem to miss my point, which is that scams are usually made to be obviously flawed so that savvy folks will see them as flawed and won't waste the scammer's time. I do not mean to make anything less fair for victims; they need all the help we can offer. I will work harder to change the class terms I use... senile would be more accurate than elder, my apologies. Scams are despicable and criminal, preying on the more easily manipulated.

@opalmirror @FinchHaven @dave_andersen I realize there is research to support your point (and have read it), but IMHO acceptance of that as a proper and good explanation seems like even more throwing up your hands and blaming the user.

The truth is a lot of companies are training users to respond to these types of messages. And basic knowledge about how to navigate the interwebs on a phone is hardly a given, and yet we so often assume it is and then blame the user.

@briankrebs @FinchHaven @dave_andersen I concur with you that the exploited are not to blame here, and we need to give users ever better, easier-to-use tools to try and impair the scammer's success rate. My text message app recently started categorizing some texts as suspected spam and added a spam reporting and blocking action, along with hinting on how to use that. I'm certainly grateful for it. We definitely need more of this.

@opalmirror @briankrebs @FinchHaven There are scams and there are scams.

Someone calling you about your car warranty _is_ always looking for easy prey. It's a comparatively high-cost approach.

Someone blasting out 10M phishing emails to catch your credit card _isn't_ trying to filter out the clueful. They're trying to make the phishing content as realistic as possible to maximize the number of people who'll enter a credit card, however briefly.

@dave_andersen @briankrebs I'm more of a user advocate on this issue... I'd like both the annoyance and the criminals to be plonked in a 'better ignored' bin, and I'm not greatly interested in accurately determining which is spam and which is a phish. It's all abuse.

@briankrebs @FinchHaven @dave_andersen I want my big brother (much less tech-savvy than me) to have as much support to resist scams as he can get, to make the scams transparent and tag likely spam. Longer URL viewing windows might help. Autoclassification as spam definitely helps. It's not his fault he is not a techie. He deserves the same access to the Internet as anyone else. The same is true of my sharp (1970s techie) nonagenarian step mom and my brother-in-law in cognitive decline.

@opalmirror

Tapping out of this convo right here

Y'all go on and quibble about whether spam is a scam or is spam and who is a techie or not on someone else's time

Bye...

cc @dave_andersen

Sorry for our misunderstanding - which I tried to clear up, and apologize for my poor initial choice of words. I respect you and listened, and tried my best to set things right. Peace. Out.
@FinchHaven @briankrebs To be straight up, any time a package is unsolicited it is a red flag, unless it is a prepaid, verified gift from a reputable business or non-profit. Otherwise it is best to avoid shipments you did not pay for, unless it is a mistake in location.
@briankrebs
Yep got one the other day. It usually goes to the sms spam, but I think I tapped the notification before it got shunted over there. Saw several more just like it.
@briankrebs these texts are really well timed, feels like there's a leak of tracking information too https://sfba.social/@nickoneill/111116057349471761
Nick O'Neill (@[email protected])

10:07: USPS delivery notification email 11:29: scam text telling me my delivery could not be completed https://mastodon.xyz/@nickoneill/110650929025157386

SFBA.social

@nickoneill @briankrebs

I feel bad -- I am not getting the fancy version, just the text-only variation, shown below. Each line of text was padded with a large number of spaces, presumably to look right on an iPhone screen:

[USPS] The package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address at the link. https://usps.asposut.com
(Copy the link to your Safari browser and open it.)
Sincerely,
USPS Support Team
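An added example, not text or code from any post in this thread: a small Python check that pulls the registrable domain out of a link and flags when a brand name (here "usps") appears only as a subdomain of someone else's domain, as in the link quoted above, or when the link sits on one of the TLDs the thread calls out (.top, .click). The brand allowlist, the suspicious-TLD set and the tiny public-suffix table are constructed for the demo and would need to be replaced with real data before use.

```python
from urllib.parse import urlsplit

# Demo allowlist of the real registrable domains behind each brand name.
# Constructed for this example: extend it from your own data before relying on it.
LEGIT_DOMAINS = {
    "usps": {"usps.com"},
    "royalmail": {"royalmail.com"},
    "dhl": {"dhl.com", "dhl.de"},
}

# .top and .click are the TLDs the thread points at; the rest are assumptions.
SUSPICIOUS_TLDS = {"top", "click", "xyz", "icu", "cfd"}

# A few multi-label public suffixes so hosts like royalmail.co.uk split correctly.
# Deliberately tiny; a real tool would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the operator actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Classify a URL as legitimate brand domain, brand lookalike, or neither."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    tld = reg.rsplit(".", 1)[-1]
    # Squash dots and hyphens so "usps.", "us-ps" and "uspsdelivery" all match.
    flat = host.replace(".", "").replace("-", "")
    result = {"host": host, "registrable": reg, "brand": None,
              "verdict": "no brand match", "reasons": []}
    for brand, legit in LEGIT_DOMAINS.items():
        if brand not in flat:
            continue
        result["brand"] = brand
        if reg in legit:
            result["verdict"] = "legitimate brand domain"
        else:
            # The brand is only a subdomain or label; the registrable part belongs to someone else.
            result["verdict"] = "brand lookalike"
            result["reasons"].append(
                f"'{brand}' appears in the host but the registrable domain is {reg}")
        break
    if tld in SUSPICIOUS_TLDS:
        result["reasons"].append(f"suspicious TLD .{tld}")
        if result["verdict"] == "no brand match":
            result["verdict"] = "suspicious TLD"
    return result


if __name__ == "__main__":
    for u in ("https://usps.asposut.com",                     # host quoted in the thread
              "https://tools.usps.com/go/TrackConfirmAction",  # real USPS host
              "http://usps-delivery.top/confirm"):             # constructed
        r = assess_url(u)
        print(f"{u}: {r['verdict']} {r['reasons']}")
```

The point of `registrable_domain` is that "usps." at the front of a hostname costs the sender nothing; only the last two (or three) labels had to be registered, so that is the part to compare against the allowlist.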

@briankrebs Hah, what a timely write up. My partner got his info (and mine, d’oh!) grabbed by one of these a couple weeks ago.

Something clever I noticed is that the website redirects to the regular USPS website unless it sees a mobile user agent string. Probably makes it more likely to get past a first glance at the “abuse” desk of large orgs?

The one we got hit with also used an IP geolocation service to make the scam more convincing - thankfully the service they used terminated the (helpfully embedded) API key quickly once informed of its use.
@nepi Yep. For several of these SMS phishing sites I had to use developer tools and emulate a mobile device to get the home pages to load. Also, most of the links on the landing page actually go to USPS.
@briankrebs I get those occasionally. Also, an Alibaba client was showing up in SSH hack attempts on a server I maintain. Swell folks.
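The desktop-versus-mobile behaviour @nepi and @briankrebs describe can be checked without a browser or developer tools. Added example, not code from any post in this thread: fetch the landing page twice with urllib, redirects suppressed, once with a desktop User-Agent and once with an iPhone one, and compare where each visitor ends up. The UA strings, the placeholder URL and the canned responses are constructed; `make_fake_probe` exists only so the block runs offline, and `http_probe` is the function to pass when pointing it at a real site.

```python
import urllib.error
import urllib.request

# Constructed User-Agent strings for the two probes.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/118.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes a 30x surface as an HTTPError instead of being followed;
    # the whole point is to see where the desktop visitor gets bounced to.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(url, user_agent, timeout=10):
    """Fetch url once with the given UA. Returns (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read()


def cloaking_verdict(url, probe=http_probe):
    """Compare desktop and mobile responses; 'cloaked' is True when they diverge."""
    d_status, d_loc, d_body = probe(url, DESKTOP_UA)
    m_status, m_loc, m_body = probe(url, MOBILE_UA)
    desktop = {"status": d_status, "location": d_loc, "bytes": len(d_body)}
    mobile = {"status": m_status, "location": m_loc, "bytes": len(m_body)}
    d_redir, m_redir = 300 <= d_status < 400, 300 <= m_status < 400
    if d_redir and not m_redir:
        # The pattern from the thread: desktop bounced to the real brand site, mobile gets the lure.
        cloaked = True
        note = f"desktop UA redirected to {d_loc}; mobile UA served {len(m_body)} bytes"
    elif (d_status, d_loc) == (m_status, m_loc) and abs(len(d_body) - len(m_body)) < 256:
        cloaked = False
        note = "same status, Location and roughly equal body size for both UAs"
    else:
        cloaked = True
        note = "responses differ by User-Agent"
    return {"cloaked": cloaked, "desktop": desktop, "mobile": mobile, "note": note}


def make_fake_probe(desktop_resp, mobile_resp):
    """Offline stand-in for http_probe so the comparison logic can run without a live site."""
    def probe(url, user_agent):
        return mobile_resp if "iPhone" in user_agent else desktop_resp
    return probe


# Constructed responses mirroring the behaviour described in the thread.
PHISH_LIKE = make_fake_probe(
    desktop_resp=(302, "https://www.usps.com/", b""),
    mobile_resp=(200, None, b"<html><form>Confirm your address</form></html>"),
)
HONEST = make_fake_probe(
    desktop_resp=(200, None, b"<html>hello</html>"),
    mobile_resp=(200, None, b"<html>hello</html>"),
)

if __name__ == "__main__":
    target = "https://usps.example.invalid/"  # placeholder, not a real host
    print(cloaking_verdict(target, probe=PHISH_LIKE))
    print(cloaking_verdict(target, probe=HONEST))
```

Against a live lure, run it from a disposable host rather than a corporate egress address: the same check that redirects desktop browsers may also key on IP reputation or geolocation, as the previous post notes, so a "not cloaked" verdict only says the site did not discriminate on the one dimension you varied.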
@briankrebs I got one of those this morning. Fortunately I did not fall for it.
@briankrebs I've gotten a number of these now, but only until recently have they been from a number in the same country that I am in. They've always gotten flagged by the spam filter.
@briankrebs Exhibit A:
@artfulmodder @briankrebs Yeah, I've only been seeing them coming from +44 (United Kingdom). It's interesting alone for being international spam, which I don't really remember experiencing before. Not sure how many people in the US would recognize it as an international number, though
@briankrebs O, it has a blue check mark! It must be legit! 😀
@briankrebs
I got one just today. Pretty obvious fake imo. Swiped left to “Delete and report junk”
@briankrebs Yup, I received one directing me to click a .top domain 🤣
@briankrebs
Generally speaking…when USPS cannot resolve an address…they RETURN to SENDER. These are obviously a scam…
@briankrebs Yep, I've been getting these from random email addresses via iMessage and reporting them to [email protected]
@briankrebs
I've seen this with DHL in Germany as well. Oddly it happened the same day a package was somewhat mysteriously returned to sender without a delivery attempt. The bait site redirected to yandex if you just entered the base URL, which gives me a pretty good idea of who the gang is running it.

@briankrebs I like that people are sending furry porn stickers to scammers on Telegram now.

Also, that sticker shows up uncensored in your blog post.

@briankrebs I had a Royal Mail one a few days ago. Don't know if it's the same campaign.
@briankrebs
Also, don't forget luck of timing. I got this phish (and actually flagged Brian on it) because in what turned out to be just coincidence, I got this about 2 hours after I dropped off a package, and carriers all the time send text messages about delivery. I can so see how if you send enough people will fall for it.
@ncweaver @briankrebs Same thing happened to me. Almost fell for it.
@briankrebs I get those emails daily!!! I block them all!
@briankrebs Like commenters on your post, I've gotten several of these recently from +44 numbers, which I have to imagine is a way to bypass increased validation of +1 numbers with the rollout of things like STIR/SHAKEN?
@briankrebs Sending furry porn stickers to scammers on Telegram is great. LMAO