By BECKY RUTHERFORD
For the Los Alamos Daily Post

USPS themed “smishing” or text message based phishing attacks are making a comeback, with a few new twists.

If you get a text from “the USPS” or other shipping agency, don’t click that link!

Resecurity, a cyber security research firm, discussed these attacks in a report published 08/30/23.  

The cyber crime group behind last year’s attacks has been dubbed the “Smishing Triad” and appears to be in the business of “Fraud as a Service” FaaS; offering other actors their phishing kits as a monthly subscription service at about $200 a month, with higher prices for those wanting technical support included in their plan.

The scams impersonate legitimate shipping services in order to steal users PII or financial information, or get them to download malware.

As part of their last campaign, Smishing Triad registered several new .top domain names with deceptive “usps” and “usus” prefixes, such as “uspshhg[.]top.” and many others that look deceptively similar to legitimate domains.

Image of scam texts received on author’s iPhone. Courtesy/Becky Rutherford

Images of scam texts received on author’s iPhone. Courtesy/Becky Rutherford

These are very similar to the ones seen last year, though not from iCloud email addresses, these were from Gmail and Outlook addresses. 

I searched for the domains in the texts in the Resecurity report, and they are not referenced there, but it’s very easy to spin up a new phish landing domain.

Notice how the text provides instructions for how to reply so you can interact with the links, which were not clickable. 

Courtesy/Becky Rutherford

These also seem targeted to iPhone users. The previous campaign likewise targeted iPhone users, so if I had to guess, I would think it’s the same threat actors.  

So when you get suspicious texts like this, what should you do? Even though they are from email addresses, set phasers to BLOCK and block those babies!

Courtesy/Becky Rutherford

Here is what it looks like on an iPhone. Click the circle at the top with the contacts info then you will go here:Image from scam text received by author. Courtesy/Becky Rutherford

Click “info”

Image from scam text received by author. Courtesy/Becky Rutherford

The USPS has released an educational video on YouTube with advice for victims on these “smishing” package scams.  

How can you deal with text message scams?

• Do not reply to any suspicious text messages.
• Never give out any personal or financial information via text message.
• Never click on any links within a suspect text message.
• Do not call or otherwise interact with the number.
• Follow directions for blocking the number for whatever phone OS (Android or iOS) you have, but keep in mind blocking isn’t always helpful as they like to change up the number or email sending the text messages. 
• In some cases you can report the suspect texts to your carrier, and some phone OSs will let you turn on spam filtering to weed these out.
• Avoid giving out your phone number to unknown or untrusted sources online.  Perhaps it is unwise to use your phone number to sign up for that raffle for a year’s supply of free spam from an oddball blog you follow?  

Resecurity offered some tips on how to report package themed text scams:
To report USPS related smishing, send an email to spam@uspis.gov.

• Without clicking on the web link, copy the body of the suspicious text message and paste into a new email.
• Provide your name in the email, and also attach a screenshot of the text message showing the phone number of the sender and the date sent.
• Include any relevant details in your email, for example: if you clicked the link, if you lost money, if you provided any personal information, or if you experienced any impacts to your credit or person.
• The Postal Inspection Service will contact you if more information is needed.
• Forward the smishing/text message to 7726 (this will assist with reporting the scam phone number).

Complaints of non-USPS related smishing can also be sent to any of the following law enforcement partners of the U.S. Postal Inspection Service:

• Forward to 7726 (this will assist with reporting the scam phone number).
• The Federal Trade Commission at https://reportfraud.ftc.gov.
• The Federal Bureau of Investigation’s (FBI), Internet Crime Complaint Center (ic3) at https://www.ic3.gov/complaint.

Package themed phishing scams aren’t just for the holidays! They are the gift that keeps giving, and giving, and giving… all year long!! Stay safe, don’t click that link. 

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.