Join me in defending Democratic control of the Wisconsin Supreme Court. The election is on April 1.

<div class="wp-caption alignright" id="attachment_65265" style="width: 234px"><img alt="" aria-describedby="caption-attachment-65265" class="wp-image-65265" decoding="async" height="334" src="https://krebsonsecurity.com/wp-content/uploads/2023/10/uspsphish-sms.png" width="224"/><p class="wp-caption-text" id="caption-attachment-65265">The fake USPS phishing page.</p></div> <p>Recent weeks have seen a sizable uptick in the number of phishing scams targeting <strong>U.S. Postal Service</strong> (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.</p> <p>KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain <strong>usps.informedtrck[.]com</strong>.</p> <p>The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information.</p> <p>The remaining buttons on the phishing page all link to the real USPS.com website. After collecting your address information, the fake USPS site goes on to request additional personal and financial data.</p> <p>This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations.</p> <p>Check out the bottom portion of the screenshot below, and you’ll notice that this phishing site fails to load some external resources, including an image from a link called <strong>fly.linkcdn[.]to</strong>.</p> <div class="wp-caption aligncenter" id="attachment_65257" style="width: 760px"><a href="https://krebsonsecurity.com/wp-content/uploads/2023/10/linkcdn-to.png" rel="noopener" target="_blank"><img alt="" aria-describedby="caption-attachment-65257" class="wp-image-65257" decoding="async" height="231" loading="lazy" sizes="(max-width: 750px) 100vw, 750px" src="https://krebsonsecurity.com/wp-content/uploads/2023/10/linkcdn-to.png" srcset="https://krebsonsecurity.com/wp-content/uploads/2023/10/linkcdn-to.png 1474w, https://krebsonsecurity.com/wp-content/uploads/2023/10/linkcdn-to-768x237.png 768w, https://krebsonsecurity.com/wp-content/uploads/2023/10/linkcdn-to-782x241.png 782w" width="750"/></a><p class="wp-caption-text" id="caption-attachment-65257">Click the image to enlarge.</p></div> <p>A search on this domain at the always-useful <a href="https://URLscan.io" rel="noopener" target="_blank">URLscan.io</a> shows that <strong>fly.linkcdn[.]to</strong> is <a href="https://urlscan.io/search/#fly.linkcdn.to" rel="noopener" target="_blank">tied to a slew of USPS-themed phishing domains</a>. Here are just a few of those domains (links defanged to prevent accidental clicking):</p> <p>usps.receivepost[.]com<br/> usps.informedtrck[.]com<br/> usps.trckspost[.]com<br/> postreceive[.]com<br/> usps.trckpackages[.]com<br/> usps.infortrck[.]com<br/> usps.quicktpos[.]com<br/> usps.postreceive].]com<br/> usps.revepost[.]com<br/> trackingusps.infortrck[.]com<br/> usps.receivepost[.]com<br/> usps.trckmybusi[.]com<br/> postreceive[.]com<br/> tackingpos[.]com<br/> usps.trckstamp[.]com<br/> usa-usps[.]shop<br/> usps.infortrck[.]com<br/> unlistedstampreceive[.]com<br/> usps.stampreceive[.]com<br/> usps.stamppos[.]com<br/> usps.stampspos[.]com<br/> usps.trckmypost[.]com<br/> usps.trckintern[.]com<br/> usps.tackingpos[.]com<br/> usps.posinformed[.]com</p> <p>As we can see in the screenshot below, the developer tools console for informedtrck[.]com complains that the site is unable to load a <strong>Google Analytics</strong> code — <strong>UA-80133954-3 </strong>— which apparently was rejected for pointing to an invalid domain.</p> <div class="wp-caption aligncenter" id="attachment_65260" style="width: 760px"><a href="https://krebsonsecurity.com/wp-content/uploads/2023/10/ua-usps.png" rel="noopener" target="_blank"><img alt="" aria-describedby="caption-attachment-65260" class="wp-image-65260" decoding="async" height="321" loading="lazy" sizes="(max-width: 750px) 100vw, 750px" src="https://krebsonsecurity.com/wp-content/uploads/2023/10/ua-usps.png" srcset="https://krebsonsecurity.com/wp-content/uploads/2023/10/ua-usps.png 1890w, https://krebsonsecurity.com/wp-content/uploads/2023/10/ua-usps-768x329.png 768w, https://krebsonsecurity.com/wp-content/uploads/2023/10/ua-usps-1536x657.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2023/10/ua-usps-782x335.png 782w" width="750"/></a><p class="wp-caption-text" id="caption-attachment-65260">Notice the highlighted Google Analytics code exposed by a faulty Javascript element on the phishing website. Click to enlarge. That code actually belongs to the USPS.</p></div> <p>The valid domain for that Google Analytics code is the official usps.com website. According to <strong>dnslytics.com</strong>, that same analytics code has shown up on at least six other nearly identical USPS phishing pages dating back nearly as many years, including <strong>onlineuspsexpress[.]com</strong>, which <strong>DomainTools.com</strong> says was registered way back in September 2018 to an individual in Nigeria.</p> <p>A different domain with that same Google Analytics code that was registered in 2021 is <strong>peraltansepeda[.]com</strong>, which <strong>archive.org</strong> <a href="https://web.archive.org/web/20211220213251/http://peralatansepeda.com/" rel="noopener" target="_blank">shows</a> was running a similar set of phishing pages targeting USPS users. DomainTools.com indicates this website name was registered by <a href="https://krebsonsecurity.com/2023/08/karma-catches-up-to-global-phishing-service-16shop/" rel="noopener" target="_blank">phishers based in Indonesia</a>.</p> <p>DomainTools says the above-mentioned USPS phishing domain <strong>stamppos[.]com</strong> was registered in 2022 via Singapore-based <strong>Alibaba.com</strong>, but the registrant city and state listed for that domain says “Georgia, AL,” which is not a real location.</p> <p>Alas, running a search for domains registered through Alibaba to anyone claiming to reside in Georgia, AL reveals nearly 300 recent postal phishing domains ending in “.top.” These domains are either administrative domains obscured by a password-protected login page, or are .top domains phishing customers of the USPS as well as postal services serving other countries.</p> <p>Those other nations include the <a href="https://urlscan.io/result/6a07d4ee-da58-4073-af57-b35a50443c1b/" rel="noopener" target="_blank">Australia Post,</a> <a href="https://urlscan.io/result/d1e65a1b-83ab-4336-b08e-238228b76816/" rel="noopener" target="_blank">An Post</a> (Ireland), <a href="https://urlscan.io/result/625dbe0a-014d-43b3-a186-8b0a289b72aa/" rel="noopener" target="_blank">Correos.es</a> (Spain), the <a href="https://urlscan.io/result/f8597d60-6c51-4703-abf3-c38738124fff/" rel="noopener" target="_blank">Costa Rican post</a>, the <a href="https://urlscan.io/result/3e467dac-5972-4e2c-ab36-52b783c6b59f/" rel="noopener" target="_blank">Chilean Post</a>, the <a href="https://urlscan.io/result/1677e4c5-f22a-4a5c-a5d3-98f4d3b940bf/" rel="noopener" target="_blank">Mexican Postal Service</a>, <a href="https://urlscan.io/result/1eaba8e4-10be-49fc-9770-f44b87133dd6/" rel="noopener" target="_blank">Poste Italiane</a> (Italy), <a href="https://urlscan.io/result/5805064e-4fc9-43bf-8c02-a30ac0056d9e/" rel="noopener" target="_blank">PostNL</a> (Netherlands), <a href="https://urlscan.io/result/ae756c37-5ce0-47bf-934b-3c9f217f8ae2/" rel="noopener" target="_blank">PostNord</a> (Denmark, Norway and Sweden), and <a href="https://urlscan.io/result/151c049e-d475-4cad-89c0-ef9cd383cd48/" rel="noopener" target="_blank">Posti</a> (Finland). A complete list of these domains is available <a href="https://krebsonsecurity.com/wp-content/uploads/2023/10/alibaba-postal-phishing-al-ga.pdf" rel="noopener" target="_blank">here</a> (PDF).<span id="more-65255"></span></p> <div class="wp-caption aligncenter" id="attachment_65273" style="width: 680px"><img alt="" aria-describedby="caption-attachment-65273" class="size-full wp-image-65273" decoding="async" height="651" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2023/10/anpostphish.png" width="670"/><p class="wp-caption-text" id="caption-attachment-65273">A phishing page targeting An Post, the state-owned provider of postal services in Ireland.</p></div> <p>The Georgia, AL domains at Alibaba also encompass several that spoof sites claiming to collect outstanding road toll fees and fines on behalf of the governments of <a href="https://urlscan.io/result/3a8729af-379c-408a-9623-66b619125e82/" rel="noopener" target="_blank">Australia</a>, <a href="https://urlscan.io/result/c552d0d2-d698-4b0d-8644-88b1938ff173/" rel="noopener" target="_blank">New Zealand</a> and <a href="https://urlscan.io/result/ea135a70-c1b1-43be-ae50-2386c67befcc/" rel="noopener" target="_blank">Singapore</a>.</p> <p>An anonymous reader wrote in to say they submitted fake information to the above-mentioned phishing site usps.receivepost[.]com via the malware sandbox <strong>any.run</strong>. A <a href="https://app.any.run/tasks/fc79e00c-a26c-4bfa-b658-4a7009ac4682/" rel="noopener" target="_blank">video recording of that analysis</a> shows that the site sends any submitted data via an automated bot on the Telegram instant messaging service.</p> <p>The traffic analysis just below the any.run video shows that any data collected by the phishing site is being sent to the Telegram user <a href="https://t.me/chenlun" rel="noopener" target="_blank">@chenlun</a>, who offers to sell customized source code for phishing pages. From a review of @chenlun’s other Telegram channels, it appears this account is being massively spammed at the moment — possibly thanks to public attention brought by this story.</p> <p><a href="https://krebsonsecurity.com/wp-content/uploads/2023/10/chenlun.png" rel="noopener" target="_blank"><img alt="" class="aligncenter wp-image-65291" decoding="async" height="381" loading="lazy" sizes="(max-width: 750px) 100vw, 750px" src="https://krebsonsecurity.com/wp-content/uploads/2023/10/chenlun.png" srcset="https://krebsonsecurity.com/wp-content/uploads/2023/10/chenlun.png 991w, https://krebsonsecurity.com/wp-content/uploads/2023/10/chenlun-768x390.png 768w, https://krebsonsecurity.com/wp-content/uploads/2023/10/chenlun-782x397.png 782w" width="750"/></a></p> <p>Meanwhile, researchers at DomainTools recently <a href="https://www.domaintools.com/resources/blog/return-to-sender-a-brief-analysis-of-a-us-postal-service-smishing-campaign/" rel="noopener" target="_blank">published a report</a> on an apparently unrelated but equally sprawling SMS-based phishing campaign targeting USPS customers that appears to be the work of cybercriminals based in Iran.</p> <p>Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the <strong>United Parcel Service</strong> (UPS) disclosed that fraudsters were <a href="https://krebsonsecurity.com/2023/06/sms-phishers-harvested-phone-numbers-shipment-data-from-ups-tracking-tool/" rel="noopener" target="_blank">abusing an online shipment tracking tool in Canada</a> to send highly targeted SMS phishing messages that spoofed the UPS and other brands.</p> <p>With the holiday shopping season nearly upon us, now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.</p> <p>If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid <a href="https://krebsonsecurity.com/?s=typosquatting&amp;x=0&amp;y=0" rel="noopener" target="_blank">potential typosquatting sites</a>.</p> <p>Update: Added information about the Telegram bot and any.run analysis.</p>

We're back and we have something to say