US Post Office phishing sites get as much traffic as the real one

Security researchers analyzing phishing campaigns that target United States Postal Service (USPS) saw that the traffic to the fake domains is typically similar to what the legitimate site records and it is even higher during holidays.

Phishing operations typically target people's sensitive information (account credentials, card details) or try to trick users into making payments to fraudulent shops or covering fees supposedly required for clearing items that have been placed on hold for various reasons.

USPS phishing

During the 2023 holiday season, Akamai Technologies observed a significant volume of DNS queries going to "combosquatting" domains that impersonate the USPS service.

"The amount of traffic to the illegitimate domains was almost equal to the amount of traffic to legitimate domains on a normal day — and greatly exceeded legitimate traffic during the holidays." - Akamai

Akamai started investigating USPS-themed phishing in October 2023 after an employee received a suspicious SMS that redirected to a site containing malicious JavaScript code.

Phishing SMS
Phishing SMS
Akamai

Next, the analysts compiled a list of all domains using the same JS file from the past five months and kept only those with the USPS string in their name.

The design of these pages is very convincing and appear as exact replicas of the authentic USPS site with realistic tracking pages for status updates.

Phishing USPS site providing fake tracking info
Phishing USPS site providing fake tracking info
Akamai

In one case, the phishing actors set up what looks like a dedicated postage items shop, which started getting significant traffic in late November, as consumers sought to buy gifts and collectibles for the holiday season.

Fake USPS stamps shop
Fake USPS stamps shop
​​​​​​​Akamai

From October 2023 to February 2024, the most popular malicious domains that Akamai discovered received nearly half a million queries, with two surpassing 150k each.

Malicious domains generating the most traffic
Malicious domains generating the most traffic
Akamai

The most popular top-level domains (TLDs) associated with phishing USPS-themed domains were:

  1. .com – 4459 domains and 271,278 queries
  2. .top – 3,063 domains and 274,257 queries
  3. .shop – 566 domains and 58,194 queries
  4. .xyz – 397 domains and 30,870 queries
  5. .org – 352 domains and 16,391 queries
  6. .info – 257 domains and 7,597 queries

The total queries generated by all malicious websites uncovered by Akamai's research during the examined period is over 1,128,146, just short of the 1,181,235 queries recorded for the legitimate USPS site.

Comparison of total queries
Comparison of total queries between legitimate (left) and malicious domains (right)
Akamai

However, the stats show that traffic to malicious domains between November to December was higher compared to the legitimate one, indicating increased malicious activity during winter holiday season.

Traffic generation over time
Traffic generation over time
Akamai

Akamai only focused this research on USPS, so the actual scale of these combosquatting campaigns that potentially encompass many more brands is likely larger.

Consumers should exercise caution and be skeptic about any SMS or email messages about package shipments.

To verify the legitimacy of such communications, it's advisable to use the official website (by manually loading it in the browser) to check the delivery status of a product.

Clicking on the links included in messages for tracking parcels may lead to malicious locations.

Related Articles:

Ethereum mailing list breach exposes 35,000 to crypto draining attack

Formula 1 governing body discloses data breach after email hacks

Router maker's support portal hacked, replies with MetaMask phishing

New Medusa malware variants target Android users in seven countries

ONNX phishing service targets Microsoft 365 accounts at financial firms