Researchers have discovered a malvertising campaign in which threat actors are impersonating the United States Post Office (USPS) to steal payment-card and banking credentials. The malicious ad appears on Google searches for users looking to track packages via the USPS website. This campaign serves as a reminder that threat actors continue to successfully use tactics that impersonate trusted entities to deceive and defraud Internet users.
According to Jérôme Segura, the director of threat intelligence at Malwarebytes Labs, the malicious ad appears “completely trustworthy” but redirects victims to a phishing site. The site collects their address and credit card details and then prompts them to log into their bank account for verification, ultimately stealing that information as well.
The initial discovery of this campaign was made by Jesse Baumgartner, marketing director at Overt Operator. He shared on LinkedIn screenshots of his attempt to track a package, which led him to a scam website. Malwarebytes Labs researchers were able to locate the scam themselves by performing a simple Google search for “usp tracking”.
What makes this malvertising campaign particularly convincing are the tactics employed by the threat actors. They run two ad campaigns, one targeting mobile users and the other targeting desktop users. The ads display what looks like the official USPS URL, yet clicking them sends victims to an attacker-controlled domain: the URLs shown in the ad are “pure visual artifacts” and have nothing to do with the actual destination of the click.
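The display-URL versus click-destination mismatch described above is the kind of check a browser protection layer or ad reviewer can apply. The following is an added example, not code from the Malwarebytes report; the sample ads are constructed, and the registrable-domain helper is a deliberately simplified two-label heuristic rather than a public-suffix-list lookup.

```python
from urllib.parse import urlsplit

# Constructed sample ads (not from the original report): display text vs. real click target.
SAMPLE_ADS = [
    {"display": "https://www.usps.com/track", "href": "https://tools.usps.com/go/TrackConfirmAction"},
    {"display": "www.usps.com", "href": "https://usps-tracking-support.example/track"},
    {"display": "https://www.usps.com", "href": "https://www.usps.com.example/login"},
    {"display": "usps.com", "href": "https://usps.com@tracker.example/"},
]


def hostname(url: str) -> str:
    """Host the browser would actually connect to (userinfo before '@' is ignored)."""
    if "://" not in url:
        url = "https://" + url  # display text often omits the scheme
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). Assumption: fine for .com brands such as
    usps.com; production code should consult the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def impersonation_verdict(display: str, href: str) -> str:
    """Compare the brand the ad shows with where the click really goes."""
    shown = registrable_domain(hostname(display))
    actual = registrable_domain(hostname(href))
    if shown == actual:
        return "consistent"
    if shown in href.lower():
        return "lookalike"  # brand domain embedded in a longer host or in userinfo
    return "mismatch"


def triage(ads):
    """Return (href, verdict) pairs so mismatches can be blocked or reported."""
    return [(ad["href"], impersonation_verdict(ad["display"], ad["href"])) for ad in ads]


if __name__ == "__main__":
    for href, verdict in triage(SAMPLE_ADS):
        print(f"{verdict:10s} {href}")
```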
Once victims click on the ad, they land on a website that asks them to enter their package tracking number. This step appears normal for anyone tracking a package. However, upon submitting the information, victims receive an error message stating that the package couldn’t be delivered due to incomplete information in the delivery address.
The next step of the attack is where suspicion may arise. Victims are asked to enter their full address again and to submit their credit card data to pay a small fee. This should raise a red flag, as it is unusual to have to pay a fee to track a package. To the threat actors, however, the fee itself is “completely irrelevant”: the stolen payment card data is worth far more to them and can cause much greater damage to the victim.
Finally, victims are prompted to enter their credentials for their financial institution. The phishing site generates a dynamic page based on the credit card information provided, asking the target to log in to their bank’s page. Different banks and cards will result in different templates specific to the data provided.
To avoid falling victim to such malvertising campaigns, awareness is key. However, Segura notes that training can only go so far, since modern scams can look entirely legitimate. One suggestion is for search engines to apply stricter controls to combat brand impersonation. Additionally, real-time browser protection can disrupt the malvertising kill chain from the initial ad to the payload, mitigating this type of attack.
This malvertising campaign targeting the USPS serves as a reminder that threat actors are continuously finding ways to deceive and defraud Internet users. It highlights the importance of staying vigilant and taking necessary precautions to protect personal and financial information online.
