SMiShing Campaign Leverages USPS and Parcel Service Distrust

Beginning the week of August 23rd, a SMiShing campaign began to unfold that, by and large, impersonated large mail carrier and parcel services with the intention of stealing sensitive information from the victims. This post will explain the high-level tactics and technologies the attacker(s) used to send these SMiShes as well as several real-world text message examples that were attributed to this campaign, including myself. At the end of this post will be the list of known domains and URLs used in this campaign (tentative).

Preliminary Information

Definitions

Here a few definitions for need-to-know terms for this post.

Phishing: An attempt to steal sensitive information or perform malicious actions by masquerading as a trustworthy entity

SMiShing: SMS + Phishing. An Attempt to perform a phish via SMS.

Social Engineering: Manipulating individuals from divulging sensitive information used for malicious purposes. Commonly known as “hacking people”.

What is SMiShing

SMiShing campaigns, and other similar social engineering attacks, often utilize current events and other psychological tricks to further coerce victims into divulging sensitive information. For example, I bet you have received an email, text, or instant message that claims you can lose 50 pounds fast and all you have to do to get a limited supply of their supplement is to click a link. Well, there are several psychological factors at play here, but there are two that stick out immediately:

  1. The attacker assumes that the victim wants to lose weight or has body image issues. Considering about half of Americans say that they’re trying to lose weight, this is an effective approach
  2. The use of the words “limited supply” imply that the stock is low and the victim needs to react fast to get this supplement. This is a common tactic in social engineering that combines emotion with time-sensitive decisions.

The SMiShing campaign in this post impersonated common postal and parcel services in the United States such as USPS, UPS, FedEx, DHL, and Amazon. This is another effective industry to impersonate as the general public doesn’t exact have much trust in these services. For starters, a report from Clutch states that 29% of people trust UPS to deliver their package securely, the highest score of all 5 carriers listed (USPS 27%, Amazon 22%, FedEx 20%, DHL 2%). Not to mention an increasing number of people have distrust towards the USPS considering the political charade occurring there that is undermining confidence and continuing despite promises to cease. To make it worse, 1 in 5 of people who receive their packages are victims of porch piracy. A perfect topic for a SMiShing campaign, indeed.

The SMiShes

This section will cover the SMiShes themselves (pictures) and information about the origins/infrastructure of the attacker. First, all of the SMiShes.

l1smc[.]info

l2scr[.]info

l3smr[.]info

l4sve[.]info

l5ssv[.]info

Passive Reconnaissance

As can be seen from the variety of images above that this attack didn’t target a specific victim type or technology. Rather, this SMiShing campaign simply leveraged the distrust in the parcel services discussed above. What we initially know from these SMS messages above:

  • Each domain is a 5 alphanumeric string that follows a certain pattern (“l” + incrementing number + “s” + 2 random letters)
  • Each message mentions something about an old package that wasn’t received
  • Each message asks users to click a link to figure out information about the package
  • Clicking on the links leads to several different landing pages

IP Address

A dig command was used to figure out the IP address of the server hosting this webpage.

IP Address: 8.210[.]108.16

dig command

Whois Lookup

The DomainTools Whois lookup tool was used to discover information about the IP address/server. Based on the information in the Whois lookup, this server is hosted on an Alibaba cloud server in Hong Kong, China. This means the attackers are using a cloud service to host or send these SMiShing messages out and are likely harvesting sensitive information using scam tactics. Based on the landing pages, these SMS message links likely lead to pages that have been compromised or are hosted by the attackers themselves. There’s not too much more than can be gathered unless a PCAP is gathered and further analysis is done, but that is out of scope.

Whois Whois

Landing Pages

Listed here are all the possible landing pages resulting from clicking any of the URLs in this post. Note: This is only the known list of landing pages, there could be more.

USPS SMiSh

Membership Rewards SMiSh

Free iPhone 11 SMiSh

FedEx SMiSh

Cox SMiSh

Cox SMiSh 2

Domains and URLs

Listed below are the domains and URLs discovered from this SMiShing campaign, so far.

domains

  • l1smc[.]info
  • l2scr[.]info
  • l3smr[.]info
  • l4sve[.]info
  • l5ssv[.]info
  • bgfdc[.]info
  • sbcae[.]info
  • utzho[.]info

URLs

  • l1smc[.]info/i4B8uiee0a
  • l1smc[.]info/i4B8uin2vq
  • l2scr[.]info/KiF46J87bC
  • l2scr[.]info/KiDo37zjMj
  • l2scr[.]info/KigKalF3R9
  • l2scr[.]info/KiDo375mT7
  • l2scr[.]info/KilMlbzjMj
  • l3smr[.]info/09Nh46erLO
  • l4sve[.]info/o6icgxntOe
  • l4sve[.]info/o6icgxzjMj
  • l5ssv[.]info/QTyhVcBhKs
  • l5ssv[.]info/QTuVNYkWh3
  • l5ssv[.]info/QTwBRAjqK2
  • l5ssv[.]info/QTyhVc6tel
  • bgfdc[.]info/7vsqg76ZGz
  • sbcae[.]info/BYhxV4jAB1
  • utzho[.]info/Tf7Slh4POr