A new cyber campaign targeting the US Postal Service (USPS) is gaining momentum, as threat actors employ smishing and phishing tactics to carry out their attacks. The volume of these campaigns has increased significantly in recent weeks, prompting an investigation by DomainTools. The researchers discovered that close to 200 different domains were being used as infrastructure for these attacks.
DomainTools looked into one of the smishing messages and found a unique email address – mehdi.kh021@yahoo[.]com – that was linked to 71 other domains through the presence of a backslash. Another email, mehdi.k1989@yahoo[.]com, with only a slight difference in the characters after the period, was associated with an additional 63 domains. Adding in another 30 domains found through an email missing a backslash, the researchers concluded that there are currently 164 active domains used in this campaign.
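The pivot described above, matching registrant e-mail addresses across WHOIS-style records and watching for the stray backslash that splits one actor's domains into two groups, can be reproduced with a short script. The following is an added example and not code from DomainTools or from the article; the two addresses are the ones the article names, but the domain names and record layout are constructed for illustration, and the shared-prefix heuristic at the end is an assumed triage aid, not a method the report describes.

```python
"""Pivot WHOIS-style registrant records on e-mail to cluster campaign domains.

Added example. The records below are constructed for illustration: the two
registrant addresses are the ones named in the article, the domains are not.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample records: (domain, registrant e-mail exactly as recorded).
# A trailing backslash is the kind of data-entry artifact that splits one
# actor's domains across two pivots if the address is matched verbatim.
SAMPLE_RECORDS = [
    ("usps-parcel-update.example", "mehdi.kh021@yahoo.com\\"),
    ("usps-delivery-fee.example",  "mehdi.kh021@yahoo.com\\"),
    ("usps-track-status.example",  "mehdi.kh021@yahoo.com"),
    ("usps-redelivery.example",    "MEHDI.K1989@yahoo.com\\"),
    ("usps-reschedule.example",    "mehdi.k1989@yahoo[.]com"),
    ("unrelated-shop.example",     "owner@unrelated.example"),
]

_EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def normalize_email(raw):
    """Canonicalize a registrant address for pivoting.

    Strips surrounding whitespace and stray backslashes, refangs "[.]" and
    "(.)" notation, and lowercases. Returns None if the result is not shaped
    like an address, so junk values never become a cluster key.
    """
    value = raw.strip().strip("\\").lower()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[at]", "@")
    return value if _EMAIL_RE.match(value) else None


def cluster_by_email(records, normalize=True):
    """Map each registrant e-mail to the sorted list of domains it registered.

    With normalize=False the raw strings are used as keys, which reproduces
    the split the article describes (backslash vs. no backslash).
    """
    clusters = defaultdict(set)
    for domain, email in records:
        key = normalize_email(email) if normalize else email
        if key is None:
            continue
        clusters[key].add(domain)
    return {email: sorted(domains) for email, domains in clusters.items()}


def cluster_sizes(clusters):
    """Return (email, domain_count) pairs, largest cluster first."""
    return sorted(((e, len(d)) for e, d in clusters.items()),
                  key=lambda item: (-item[1], item[0]))


def shared_prefix_leads(emails, min_prefix=6):
    """Flag address pairs at the same mail provider whose local parts share a
    common prefix of at least min_prefix characters.

    Assumed heuristic for analyst triage only: a match is a lead to examine
    by hand (as the article's near-identical addresses were), not attribution.
    """
    leads = []
    for a, b in combinations(sorted(emails), 2):
        local_a, _, dom_a = a.partition("@")
        local_b, _, dom_b = b.partition("@")
        if dom_a == dom_b and local_a[:min_prefix] == local_b[:min_prefix]:
            leads.append((a, b))
    return leads


if __name__ == "__main__":
    raw = cluster_by_email(SAMPLE_RECORDS, normalize=False)
    merged = cluster_by_email(SAMPLE_RECORDS)
    print(f"verbatim keys: {len(raw)}  normalized keys: {len(merged)}")
    for email, count in cluster_sizes(merged):
        print(f"{count:3d} domain(s)  {email}")
    for a, b in shared_prefix_leads(merged):
        print(f"lead: {a} <-> {b}")
```

Run against the constructed records, the verbatim pivot yields five separate keys while the normalized pivot collapses them to three, with the backslash and non-backslash variants of each address merged into one cluster; the prefix check then surfaces the two `mehdi.k…@yahoo.com` addresses as a pair worth a closer look. On real WHOIS or passive-DNS exports the same normalization step is what keeps a single registrant from being undercounted.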
Furthermore, the researchers provided an example of a smishing message that exhibits suspicious phrasing. This suggests that the threat actors might be non-native English speakers reusing a script. However, they noted that if the perpetrators had made use of AI tools like ChatGPT, the smishing message could have been much more convincing and resulted in more harm.
Roger Grimes, a data-driven defense evangelist at KnowBe4, remarked that he has witnessed an increase in the number of USPS SMS scam messages in recent weeks. He described these scams as “normal” smishing techniques that falsely claim a package is delayed and request the recipient to click on a link to resolve the issue. Grimes emphasized that these scams might appear ordinary and realistic, making them more likely to deceive potential victims.
Additionally, the researchers found that the threat actors had linked social media accounts to the email addresses used in the campaigns, indicating poor operational security. In one instance, a Facebook account connected to the domains was discovered, leading the researchers to conclude that the threat actor is an Iranian national living and working in Tehran, possibly with ties to the Islamic Azad University.
The DomainTools researchers stressed the need to identify the infrastructure and actors involved in these campaigns. They explained that this information enables law enforcement agencies and other organizations to promptly mitigate the issue. Phishing and smishing campaigns remain a significant threat not only to individuals but also to the companies and organizations whose services they exploit.
Taking steps to educate users about the risks of such scams and implementing stronger cybersecurity measures are essential to counter these attacks effectively. As threat actors continue to evolve their tactics, individuals and organizations must remain vigilant and adopt proactive measures to safeguard against cyber threats.

