USPS Anchors Snowballing Smishing Campaigns

Researchers found 164 domains connected to a single threat actor located in Tehran.


A cyber campaign by threat actors targeting the US Postal Service (USPS) using smishing and phishing tactics is cresting, with close to 200 different domains used as infrastructure for the attacks.

While tactics such as these are common in the cyber world, the volume of these campaigns has increased significantly in recent weeks. This prompted an investigation by DomainTools, which looked into the domain included at the end of one of the smishing messages and found that it was tied to a unique email address, mehdi\.kh021@yahoo[.]com, that included a backslash, a feature tied to 71 other domains.

Another email with a similar naming convention, mehdi.k1989@yahoo[.]com, differing from the first address only in the five characters after the period, was tied to an additional 63 domains. With that tally combined with a further 30 domains found through an email missing a backslash, the researchers at DomainTools have found 164 domains currently being used in the campaign.

Included in the research is an example of a smishing message that uses suspicious phrasing, likely the product of a reused script and a non-native English speaker. The researchers also noted that had the threat actor taken advantage of AI, such as ChatGPT and the like, the smishing message could have been much more convincing, leading to more harm.

"Everyone I know, including myself and my wife, have seen a ton of new USPS SMS scam messages over the last few weeks. They are all very 'normal' smishing scams, in that they don't use some new unheard-of technique," Roger Grimes, data-driven defense evangelist at KnowBe4, said in an emailed statement. "They simply claim your package is delayed and request the potential victim to click on the included link to resolve the issue," which only confirms how ordinary and realistic these malicious schemes can be.

Threat actors might also tie social media accounts to the emails used for campaigns, indicating a lack of OpSec, which is evident in this case. A Facebook account with ties to the domains that was found by the researchers indicated that the threat actor is "an Iranian national who lives and works in Tehran, and who may have attended the Islamic Azad University."

"Even though phishing and smishing campaigns have become an unfortunate daily fact of life, they remain a significant source of prospective harm for not only individuals, but the companies and organizations whose services they use," the researchers at DomainTools wrote. They also noted that being able to identify the kind of infrastructure used in these kinds of campaigns, as well as who might be behind it, allows for law enforcement and other organizations to more quickly mitigate the issue.
