Summary:
Since October 2023, security researchers at Akamai have been investigating USPS-themed phishing following a USPS smishing attempt targeting one of their team members. In this case, the SMS contained a link designed to redirect the employee to a site containing malicious JavaScript. From October 2023 to February 2024, researchers were able to compile a list of all of the domains using the same JS file, only keeping the ones with the USPS string in their name. During this period, researchers tracked the amount of DNS queries generated by these malicious sites, further comparing it to the number of requests made to the legitimate USPS domain. To their surprise, researchers discovered that the number of DNS queries to the collected malicious domains (1,128,146 DNS queries) was generally equal to the number of queries to usps[.]com (1,181,235 DNS queries). Notably, traffic to these malicious domains was higher compared to the legitimate domain, between November to December, highlighting an increase in malicious activity during the holiday season.

Security Officer Comments:
The domains uncovered by Akamai are designed to be very convincing and appear as exact replicas of the authentic USPS site with realistic tracking pages for status updates. One particular domain spotted by researchers appeared to be a Fake USPS stamps shop, which received a significant amount of traffic in late November, given that people were buying gifts for the holidays. While Akamai says that it focused its research on domains targeting USPS, the actual scale of these campaigns is likely far greater, with other brands potentially being targeted.

Suggested Corrections:
Users should be wary of incoming messages from unrecognized senders requesting to click on a URL. In general, messages containing grammatical and spelling errors, and offers that are ‘too good to be true’ or that require urgent action should be avoided. If you are expecting a shipment, for example from USPS, you should defer to the company’s official site for shipping and tracking updates.

Link(s):
https://www.bleepingcomputer.com/ne...ng-sites-get-as-much-traffic-as-the-real-one/