USPS Phishing Scam Targeting iOS Users

Published: 2023-07-30. Last Updated: 2023-07-30 15:33:55 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Phishing scams have frequently arrived as an SMS message (sometimes called "Smishing"). SMS messages are easy and cheap to send, and we have documented how attackers like to scan for exposed credentials for services like Twilio to make it even cheaper.

But today, I received a message on my Apple devices that didn't arrive as a green SMS, but instead as a blue iMessage.

As I always do, I clicked on the link on my Mac. But I was immediately redirected to the legitimate USPS page (usps.com). It didn't matter whether I used Safari or Chrome on macOS. So I tried Safari on my iPhone, and this time I was directed to the phishing page.

The page appears to attempt to collect credit card numbers. I didn't feel charitable enough to provide a real credit card number, so I am unsure if it would ask for any additional information.

The main domain (deliverocy.com) does not resolve. I did try a few other hostnames (FedEx, www, ups...), but none of them resolved either. +639468743057 is a number in the Philippines. I did try a FaceTime call, but nobody picked up :(

The site's '/admin' URL presents a login screen for some kind of admin system. The background image appears to come from "Ghostblade". The admin part of the site did not restrict the user-agent like the phishing part of the site.

Restricting access to the phishing site to specific user agents likely helps keep the phishing site up longer. A casual test of the URL from a desktop browser will only redirect to the legitimate USPS website, which may trick an ISP's abuse department into believing that this is not a phishing page.
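As an added example (not code from the diary), a small probe that an abuse analyst could use to surface this kind of user-agent cloaking: it requests the URL with a desktop and a mobile user agent, refuses to follow redirects so the Location header is recorded, and flags the URL when the responses disagree. The user-agent strings, the placeholder URL and the simulated fetcher are constructed here; the diary does not state whether the redirect was an HTTP redirect or script-based, so a JavaScript redirect would need a headless browser instead.

```python
"""Probe a URL with several User-Agent strings and flag user-agent cloaking."""
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed, abbreviated user-agent strings: one desktop, one mobile.
USER_AGENTS = {
    "macos_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15",
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) "
                     "Mobile/15E148 Safari/604.1",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header is kept."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, user_agent, timeout=10):
    """Return (status_code, location_header) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except HTTPError as err:           # 3xx (and 4xx/5xx) raise here
        return err.code, err.headers.get("Location")
    except URLError:
        return None, None              # DNS failure or refused connection


def detect_cloaking(url, fetch=fetch_status):
    """Fetch with each user agent; the URL is cloaked if the responses differ."""
    per_agent = {name: fetch(url, ua) for name, ua in USER_AGENTS.items()}
    distinct = set(per_agent.values())
    return {"cloaked": len(distinct) > 1, "per_agent": per_agent}


def simulated_fetch(url, user_agent):
    """Constructed stand-in for fetch_status reproducing the diary's observation:
    iPhone Safari gets the phishing page, desktop browsers are bounced to usps.com
    (the HTTP 302 is an assumption; the diary does not name the redirect method)."""
    if "iPhone" in user_agent:
        return 200, None
    return 302, "https://www.usps.com/"


if __name__ == "__main__":
    # Placeholder URL; substitute the URL under investigation and use fetch_status.
    print(detect_cloaking("https://example.invalid/track", fetch=simulated_fetch))
```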


---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Comments

It has been interesting watching the evolution of this one. I started receiving texts like this in mid to late June. It used to respond to a sandbox service, and then stopped, and presented the real USPS page. I guess because the sandbox service didn't support mobile.

https://www.joesandbox.com/analysis/1261719
https://www.joesandbox.com/analysis/1274709
Sorry for the spam. I clicked again when the page was unresponsive.
Love the podcast. I think I've listened to every one published for the past 2 years at this point. I almost never miss catching it in the morning.