URL: https://bolster.ai/blog/usps-phishing-campaign
PHISHING


VAST USPS DELIVERY PHISHING CAMPAIGN SEES THREAT ACTORS ABUSING FREEMIUM DYNAMIC
DNS AND SAAS PROVIDERS

December 5, 2023   |   5 MIN READ



You may be familiar with common phishing tactics like fake emails or text
messages from a hacker pretending to be someone at your workplace, or perhaps
someone pretending to be from your bank or credit card company. The latest
scam we’ve uncovered targets another service used by almost everyone: the
postal service. Perhaps it’s no coincidence that the uptick comes as we turn
the corner into the holiday season, when ordering and sending packages through
the mail increases.

The parcel delivery scam, a phishing campaign initially targeting less
tech-savvy individuals with messages about “failed deliveries” or late payments,
has significantly evolved since first discovered. As awareness grows, scammers
are refining their tactics, shifting from simple misleading messages to more
sophisticated methods, like tricking victims to download malicious apps designed
to steal banking information.

Bolster’s Research Team has uncovered a new dimension in these scams. We’ve
detected a domain impersonating Walmart, cleverly designed to mimic the
appearance of the USPS.com website.

A key feature of this phishing site is its ability to access and integrate IP
location data into its delivery tracking process, enhancing its perceived
authenticity. The site also employs a geo-fencing technique to avoid detection.

The threat actors have gone beyond just creating typosquat domains. They are
exploiting various free hosting services to run these deceptive websites, aiming
to maximize their profits through this abuse of freemium dynamic DNS and SaaS
providers.


THE IMPLICATION OF THIS NEW ATTACK AVENUE

Scammers are using advanced and innovative tactics, making it more challenging
to differentiate genuine services from scams. This means even tech-savvy or
cyber-aware consumers might have trouble spotting a scam, and hackers can go
unnoticed for longer periods of time.

Increased vigilance and awareness are essential. As we enter another
cyber-focused holiday season, cyber criminals are hyper-aware that more
consumers are looking to spend money online, which includes entering credit card
information, scoping out the best deal, and getting all their shopping done
fast.

The holiday shopping environment provides a prime setting for hackers pretending
to be USPS, due to the higher volume of shipping needs during November and
December, making it ever more critical for consumers to be wary of suspicious
links and mail scams.


ANALYSIS OF THE PHISHING CAMPAIGN

So far, we’ve identified Walmart as the main brand hackers mimic as part of
this scam. There’s no telling whether the attackers will use additional brands
as attack avenues for this parcel scam in the future.

While writing this blog, the domain walmarts[.]co was active and mimicked
Walmart’s domain name, but was predominantly serving content related to USPS
delivery tracking. Strategically, it redirects to the genuine USPS portal to
evade detection mechanisms.



Fig. 1: http://walmarts[.]co/go redirects to this tracking page

From our analysis of data spanning the past month, CheckPhish detected more
than 3,000 related phishing domains, most of them built on two major phishing
kits, as is evident from their shared functional designs.




SPECIFICATIONS OF PHISHING SITES

By examining a majority of the phishing sites, we found several similarities
across them:

 * All of the phishing websites carry a site title such as “USPS.com® – USPS
   Tracking® Results”.
 * Most of the phishing domains are actively stealing sensitive information such
   as email address, name, phone number, residential address, and credit/debit
   card details.
 * The majority of the hyperlinks on the phishing pages point to legitimate USPS
   websites, unlike on other impersonation sites.
 * Some phishing domains redirect to the legitimate USPS site based on the
   visitor’s IP location, a popular technique for evading detection.
 * Another group of phishing sites shows tracking details based on the victim’s
   IP location, which makes the page look more authentic to the victim.
 * Threat actors are not limited to hosting these phishing sites on purchased
   domains; they have also abused free hosting services.
 * Further analysis reveals that while the phishing sites primarily target
   customers based in the US, they are capable of targeting customers globally
   as well.


THE METHOD BEHIND THESE ATTACKS

The modus operandi for this phishing campaign remains the same: the threat
actors use SMS or email to distribute phishing links, as seen in the example
images below. With the data stolen through the scam, hackers could then lure
victims further using social engineering techniques.



Examples of scam messages consumers are receiving from hackers pretending to be
USPS

Once a victim’s bank details (like their credit or debit card information and
account passwords) are in the hands of attackers, the information can be used to
further exploit the consumer. Sometimes hackers use account information to make
purchases, transfer money, or otherwise benefit financially from the scam. 

In some instances, hackers will use the personal information they’ve gathered
from the scam, like your email address, phone number, address, or even your name
to send emails or phishing scams pretending to be you. Social engineering
attacks, or attacks meant to target a victim’s emotions and sympathy, are more
successful when they come from a believable source, so when a hacker has true
access to your email, these phishing attacks become more feasible.

The ripple effect of these shipping and mail scams is more impactful than we
think.


ABUSED FREE HOSTING SERVICES

Threat actors always try to maximize their profit by leveraging various free
hosting services. This campaign shows that threat actors are constantly seeking
out new freemium services (SaaS products) and abusing them to evade detection
engines.

In this campaign, threat actors used a couple of freemium hosting services to
host the phishing sites like:


ALVIY

alviy.com is a DNS hosting provider that offers a dynamic DNS service completely
free of charge. Anyone can create an account with an email address and get three
free hostnames to set up their sites.

Fig. 2: Anyone can check hostname availability under three domains


CLEVER CLOUD

clever-cloud.com: This is a SaaS service that provides tools to host, deploy and
maintain applications in operational conditions.

Anyone can host and run web applications using the free trial.


FORUMZ & NOW DNS

forumz.info & now-dns.com are two services that provide similar dynamic DNS
offerings, where anyone can claim an available hostname under the domain names
shown in Fig. 3.

Fig. 3: Domains that can be used to create free hostnames
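The traits listed under “Specifications of phishing sites” and the freemium providers named in this section translate directly into triage logic. The following is an added example, not Bolster’s or CheckPhish’s code: a small Python script that scores constructed crawl records for a USPS Tracking title on a non-USPS host, a form collecting PII and card fields, hyperlinks that mostly point at the genuine USPS site, hosting under one of the freemium dynamic DNS / SaaS suffixes, and geo-dependent redirects (the page behaves differently for crawler vantage points in different countries). The suffix list, the normalised field names, and every sample record are assumptions made for illustration; the hostnames each provider actually hands out may differ from the bare provider domains.

```python
"""Triage heuristics for suspected USPS-tracking phishing pages.

Added example, not Bolster's code. Scores crawl records against the traits
described in the post. Every record below is constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

LEGIT_USPS_SUFFIXES = ("usps.com",)

# Assumption: the providers named in the post, used here as hostname
# suffixes. The suffixes each provider actually hands out may differ.
FREEMIUM_SUFFIXES = ("alviy.com", "clever-cloud.com", "forumz.info", "now-dns.com")

# Assumed crawler-normalised form field names that indicate PII or card theft
# when collected on a fake tracking page.
SENSITIVE_FIELDS = {"email", "name", "phone", "address", "card_number", "cvv", "expiry"}


@dataclass
class CrawlRecord:
    url: str
    title: str
    form_fields: set
    outbound_links: list
    final_url_by_region: dict  # crawler vantage point -> final URL after redirects


def hostname(url):
    return (urlparse(url).hostname or "").lower().rstrip(".")


def host_under(host, suffixes):
    """True if host equals or is a subdomain of a suffix (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def title_mimics_usps(title):
    t = title.replace("\u00ae", "").lower()  # drop the (R) symbols before matching
    return "usps.com" in t and "usps tracking" in t


def sensitive_field_count(fields):
    return len({f.lower() for f in fields} & SENSITIVE_FIELDS)


def share_of_links_to_real_usps(links):
    if not links:
        return 0.0
    legit = sum(host_under(hostname(l), LEGIT_USPS_SUFFIXES) for l in links)
    return legit / len(links)


def geo_divergent(final_url_by_region):
    """Different final hosts for different vantage points: a geo-fencing signal."""
    return len({hostname(u) for u in final_url_by_region.values()}) > 1


def score(record):
    """Return (score, reasons); each matched trait adds one point."""
    host = hostname(record.url)
    if host_under(host, LEGIT_USPS_SUFFIXES):
        return 0, []  # the genuine site: nothing to flag
    reasons = []
    if title_mimics_usps(record.title):
        reasons.append("usps_title_on_foreign_host")
    n = sensitive_field_count(record.form_fields)
    if n >= 3:
        reasons.append(f"collects_{n}_sensitive_fields")
    if share_of_links_to_real_usps(record.outbound_links) >= 0.5:
        reasons.append("links_mostly_to_real_usps")
    if host_under(host, FREEMIUM_SUFFIXES):
        reasons.append("freemium_ddns_or_saas_host")
    if geo_divergent(record.final_url_by_region):
        reasons.append("geo_dependent_redirect")
    return len(reasons), reasons


def is_likely_phishing(record, threshold=2):
    """A lone card-collecting form (any checkout page) is not enough by itself."""
    return score(record)[0] >= threshold


# Constructed sample records; paths and hostnames other than walmarts.co are placeholders.
USPS_TITLE = "USPS.com\u00ae \u2013 USPS Tracking\u00ae Results"
SAMPLES = [
    CrawlRecord("http://walmarts.co/go", USPS_TITLE,
                {"name", "phone", "address", "card_number", "cvv", "expiry"},
                ["https://www.usps.com/", "http://walmarts.co/go"],
                {"US": "http://walmarts.co/go", "DE": "https://www.usps.com/"}),
    CrawlRecord("http://usps-tracking-notice.now-dns.com/", USPS_TITLE,
                {"email", "name", "phone", "address", "card_number"},
                ["https://www.usps.com/"],
                {"US": "http://usps-tracking-notice.now-dns.com/",
                 "IN": "http://usps-tracking-notice.now-dns.com/"}),
    CrawlRecord("https://www.usps.com/", USPS_TITLE, set(),
                ["https://www.usps.com/"], {"US": "https://www.usps.com/"}),
    CrawlRecord("https://shop.example.com/checkout", "Example Store \u2013 Checkout",
                {"email", "name", "address", "card_number", "cvv"},
                ["https://shop.example.com/"], {"US": "https://shop.example.com/checkout"}),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        pts, why = score(rec)
        verdict = "LIKELY PHISHING" if is_likely_phishing(rec) else "ok"
        print(f"{verdict:15} {pts} {hostname(rec.url)} {why}")
```

The threshold matters: the ordinary checkout page in the last record collects five sensitive fields but scores only one point, while the geo-fencing check only fires if the crawler fetched the page from more than one country, which is exactly why single-vantage-point scanners miss the IP-based redirects the post describes.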


WHAT THIS SCAM MEANS FOR BUSINESSES MOVING FORWARD

Threat actors are being proactive in terms of using various SaaS services to
make their attacks more profitable, including using various freemium services.
They are constantly employing various new tools and techniques, like
AI-technology, social media phishing, brand impersonation scams, and more to
steal or lure customers from profitable, data-rich industries, like financial
services, healthcare, and government agencies.

This current USPS scam campaign, like so many major scam campaigns, has an
impact on the legitimate business’s reputation, and can create loss of trust
with consumers, employees, and partners. Especially during a busy holiday
shopping season, the impact of this scam could mean business and consumer
financial data and PII are compromised unknowingly, and maybe not identified
until months down the road.

In such cases, it is clear why taking proactive measures to identify similar
pre-malicious domains and taking them down, whether manually or through an
automated takedown service that removes malicious domains immediately after
identification, is critical to protecting your brand reputation.

Bolster provides an expansive suite of threat detection and takedown tools to
protect your business reputation from digital threats. With AI-powered internet
monitoring, we will cover all fronts when it comes to scam protection, including
fake sites spun up to replicate your brand.

For more information on how Bolster can work for your business, you can visit
our website, or request a free demo today.

 

Appendix

List of phishing domains which abused clever-cloud.com

 

Phishing domains abused through now-dns.com

 

Additional phishing domains detected by Bolster.ai
Anshuman Das