USPS “Your package could not be delivered” text is a smishing scam

A scam is doing the rounds which begins with a text from what claims to be the US Postal Service. The SMS reads as follows:

[U.S. Postal Service] We’re sorry to let you know that your package could not be delivered. To reschedule a delivery please visit [bit(dot)ly]

I’ve never received an SMS from the US Postal Service, but I have to imagine they don’t use redirect links in text messages. The link hides the actual URL being sent to people’s phones. You can view stats for a link by placing “+” at the end of the URL. Detailed stats about the shortener’s creation date, number of clicks, and more are available through this method. On this occasion, data is hidden with the message “This link has been flagged as redirecting to malicious or spam content”.

Clicking through reveals the following warning:

  • The link may be listed on a website blocklisting service.
  • The link may have been reported to Bitly by a member of the public.
  • The link may contain malware (software designed to harm your computer), attempt to collect your personal information for nefarious purposes, or otherwise contain harmful and/or illegal content.
  • The link may be attempting to hide the final destination.
  • The link may lead to a forgery of another website or may infringe the rights of others.

Not a promising start for our missing package. Shall we take a look at the final destination?

Phishing for info

The actual landing page, located at us(dot)awaiting(dot)host, claims to be a USPS parcel tracking page. It says:

USPS Currently Awaiting Package
Undeliverable as Addressed(UAA) Problem with Address
USPS Allows you to Redeliver your package to your address in case of delivery failure or any other case.
You can also track the package at any time, from shipment to delivery.

It asks visitors to “verify address”, by filling in their name, address, city, state, ZIP code, phone number and email.

fake usps
Fake data entry form

Clicking Continue at this point would normally display a second page asking for payment information. At the time of writing, clicking continue triggers a .php URL and then redirects to the 3M science website. It’s likely the data entered has been submitted to the phisher, but why didn’t they ask for payment details too?

Forgetful phishers or long-haul social engineering?

Sometimes scammers simply forget to make sure their ruse sails smoothly from A to B. It may be that they’re only actually interested in grabbing name and address information for now via the website. The logical progression would be to follow up by phone, mail, or post.

It’s also possible they realise they’ve attracted some heat and are trying desperately to put the flames out. The site is flagged via the link and produces warning pages in browsers such as TOR. The creators may figure it’s not worth the potential risk of keeping payment detail requests online anymore – if they were there in the first place, that is.

The right way to arrange a redelivery

This is “basic parcel delivery information” as opposed security advice, but If you do use USPS, you’ll want to head over to its dedicated redelivery page. It explains in detail what USPS customers should expect when waiting on a parcel, and what to do next.

As for the security angle: Fake USPS delivery notification spam is a popular tactic for scammers, and USPS’s recent advisory on the topic includes instructions on how to report bogus SMS messages.

No matter the delivery service, always pay attention to the URL on the landing page and ensure it matches up with the official site you’re familiar with. It’s no fun having your data harvested, even if they miss out on your payment details. There’s no guarantee they won’t follow up on such a thing at a later date, so it’s well worth taking the time to get it right the first time around.

Just over half of all smishing attacks in the last few months of 2021 in the UK alone claimed to be from delivery firms. Even as the pandemic (sort of) recedes a little, this scam refuses to go away. Next time your receive a text about a package you have no memory of, it might be worth checking your most recent purchases before responding. If the parcel is real, it’ll still be there – unlike the fly-by-night scammers.

The post USPS “Your package could not be delivered” text is a smishing scam appeared first on Malwarebytes Labs.