Catch Of The Week: Package Delivery Text Scams

Image of a scam text message from Resecurity. Courtesy/Rebecca Rutherford

By REBECCA RUTHERFORD
For the Los Alamos Daily Post

Got an iPhone? Got a text about a package tracking number? Don’t be so quick to click … it just might be a scam. “Smishing” (SMS text message) scams about package delivery have been growing in popularity.

“The Chinese-speaking threat actors behind this campaign are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud,” said Resecurity, a cyber security research firm, in a report published Aug. 30, 2023.

The cyber crime group behind this has been dubbed the “Smishing Triad” and appears to be in the business of “Fraud as a Service” (FaaS), offering other actors their phishing kits as a monthly subscription service at about $200 a month, with higher prices for those wanting technical support included in their plan. The scams impersonate legitimate shipping services in order to steal users’ PII or financial information, or get them to download malware. As part of their last campaign, Smishing Triad registered several new .top domain names with deceptive “usps” and “usus” prefixes, such as “uspshhg[.]top,” and many others that look deceptively similar to legitimate domains.

These phishing kits help the bad actors to impersonate shipping companies like FedEx, USPS, UPS, etc. in the U.S., the U.K., Poland, Sweden, Italy, Indonesia, Malaysia, Japan, and other countries. They are known to have organized several successful smishing campaigns, and sell country- and language-specific phishing kits.

Through investigation, Resecurity was able to determine the threat actors behind this were mostly Chinese speakers, as well as some Vietnamese. The roster also included graphic designers, who were responsible for creating high-quality fake web pages, web developers, and also salespeople who sold the kits mainly via Chinese-speaking dark web cybercriminal sites. One has to wonder if perhaps they also had an HR department, but probably not. Resecurity’s team was also able to observe conversations in online dark web forums between bad actors discussing how successful the phishing kits were.  

The USPS has released an educational video on YouTube with advice for victims on these “smishing” package scams.  

How can you deal with text message scams?

  • Do not reply to any suspicious text messages.
  • Never give out any personal or financial information via text message.
  • Never click on any links within a suspect text message.
  • Do not call or otherwise interact with the number.
  • Follow directions for blocking the number for whatever phone OS (Android or iOS) you have, but keep in mind blocking isn’t always helpful as they like to change up the number or email sending the text messages. 
  • In some cases you can report the suspect texts to your carrier, and some phone OSs will let you turn on spam filtering to weed these out.
  • Avoid giving out your phone number to unknown or untrusted sources online.  Perhaps it is unwise to use your phone number to sign up for that raffle for a year’s supply of free spam from an oddball blog you follow?  

Resecurity offered some tips on how to report package-themed text scams:

To report USPS-related smishing, send an email to spam@uspis.gov.

  • Without clicking on the web link, copy the body of the suspicious text message and paste into a new email.
  • Provide your name in the email, and also attach a screenshot of the text message showing the phone number of the sender and the date sent.
  • Include any relevant details in your email, for example: if you clicked the link, if you lost money, if you provided any personal information, or if you experienced any impacts to your credit or person.
  • The Postal Inspection Service will contact you if more information is needed.
  • Forward the smishing/text message to 7726 (this will assist with reporting the scam phone number).

Complaints of non-USPS-related smishing can also be sent to any of the following law enforcement partners of the U.S. Postal Inspection Service:

The dark depths of the web remain untamed, home to lawless cowpokes looking to lasso up your PII, so stay aware, and ignore those texts! Don’t click that link, and don’t fall for their phishy text messages.

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
