USPS Phishing Scams Generate Almost as Much Traffic as the Real Site
2024-4-30 04:1:18 Author: securityboulevard.com

Bad actors have long impersonated package delivery companies, including the U.S. Postal Service (USPS), FedEx, and UPS. They’ve used email and text-based phishing scams to convince unsuspecting targets to send money or reveal personal information. That’s nothing new.

However, recent research shows just how popular – and most likely lucrative – smishing messages impersonating the USPS are. According to an Akamai report, the amount of traffic to illegitimate domains pretending to be the USPS is almost equal to the traffic to the real postal service. It actually outpaces the USPS during the Thanksgiving and Christmas seasons.

“We have found that the USPS is under attack from text scams, especially during holiday seasons of Christmas and Thanksgiving because of the nature of gift buying in these holidays,” Akamai threat researchers Stijn Tilborghs and Connor Faulkner wrote in the report. While they used the USPS as an example, the researchers added, “this combosquatting technique is used globally in phishing campaigns, and with good reason: It’s wildly successful.”

Combosquatting is an offshoot of cybersquatting where the bad actor adds a keyword to the impersonated brand’s domain, a technique that Akamai researchers a year ago called the “biggest cybersquatting threat.”

Impersonation scams are big business. According to the Federal Trade Commission (FTC), last year the FTC received more than 330,000 reports of business impersonation scams and almost 160,000 reports of scams impersonating government agencies. Combined, those reports accounted for almost half the frauds reported directly to the agency in 2023, with losses to such campaigns topping $1.1 billion.

Hackers like to use texting for many of these scams. The FTC said scammers in 2022 stole $330 million in smishing campaigns. The five most popular kinds – which account for more than 40% of smishing attacks – all involved impersonating well-known businesses. Among those, smishing attacks impersonating delivery services were the third most popular, behind only fraud prevention alerts from well-known banks and texts about free gifts from popular companies.

Such scams also are evolving. Fraudsters earlier this year ran a campaign through the cloud by using Amazon Web Services’ Simple Notification Service (SNS) to send malicious SMS bulk messages seemingly coming from the USPS about missed package deliveries.

Looking at the Domains

Tilborghs and Faulkner began their research after a colleague at Akamai said they had received a USPS-based smishing attempt on their phone. The two began looking at the DNS level, getting a list of domains that used the same malicious JavaScript file hashes as the one their team member received, plus another list of domain names where the HTML showed the same pattern. The combination helped them create a third collection of malicious domain names.

The two researchers pared down that list to only those domain names with “USPS” in the string and then filtered it down even more, showing domains that had the intent of deceiving Postal Service customers.

Over five months of research, Tilborghs and Faulkner found 10 malicious domains that generated the most DNS queries, with the top malicious domains being usps-post[.]world and uspspost[.]me, which got 169,379 and 150,052 hits, respectively, accounting for 29% of all the malicious traffic that they monitored.

“Keeping in mind that we’re only looking at a data sample, the traffic that some of these domains are seeing is truly mind-blowing,” Tilborghs and Faulkner wrote. “It’s not surprising that USPS phishing campaigns have been, and continue to be, so popular for scammers. Unfortunately, there are tons of people visiting these websites, which means they’re lucrative for the attackers running them.”

They also saw 233 top-level domains (TLDs) associated with malicious activity, with “.com” and “.top” by far the most popular. With IP addresses, the researchers saw something of a mixed bag: some had a few domains that saw high levels of traffic, while others had more domains that showed less traffic.

“The likely explanation is that we are looking at two different phishing attacks here,” the researchers wrote, pointing to two IP addresses in particular. “In one of them, the fraudsters made the decision to spread traffic across many different domain names. The other campaign spans just a few domains, and each one sees a lot of traffic.”

Almost Equal Traffic

Comparing the traffic going to the legitimate USPS with that going to malicious domains, the Akamai researchers found the two were almost equal: the USPS got 51% of the traffic, while the bogus domains combined got 49%. But it spiked in favor of the malicious domains during the holidays. It’s not surprising that scammers time phishing campaigns to the holiday season, given that more people are expecting packages. In addition, Thanksgiving and Christmas “are also an especially busy time for people, which means they may be more likely to make careless mistakes they might otherwise not make, such as clicking on these scam messages,” Tilborghs and Faulkner wrote.
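The two-step filtering described earlier (keep names containing “USPS”, then keep those meant to deceive) and the legitimate-versus-malicious traffic split can be sketched over DNS query counts as follows. This is an added example, not Akamai's code: the keyword list, the two-label registrable-domain shortcut and every query count are assumptions constructed for illustration; only usps-post[.]world and uspspost[.]me come from the report.

```python
from collections import Counter

BRAND = "usps"
LEGIT = {"usps.com"}  # assumption: the brand's real registrable domain
# Assumption: delivery-themed keywords that suggest intent to imitate the brand
KEYWORDS = ("post", "track", "parcel", "deliver", "package")

def registrable(name):
    """Last two labels of a (possibly defanged) name.
    Simplification: a production pipeline would use the Public Suffix List."""
    labels = name.lower().replace("[.]", ".").strip(".").split(".")
    return ".".join(labels[-2:])

def classify(name):
    """Return 'legit', 'combosquat', 'review' or 'other' for a queried name."""
    reg = registrable(name)
    if reg in LEGIT:
        return "legit"
    sld = reg.split(".")[0]
    if BRAND not in sld:
        return "other"
    # Second filter: what is left of the label once the brand is removed?
    rest = sld.replace(BRAND, "", 1).strip("-")
    if any(k in rest for k in KEYWORDS):
        return "combosquat"
    # Brand substring without a delivery keyword (e.g. inside another word):
    # hand it to an analyst instead of counting it as malicious.
    return "review"

def traffic_share(query_counts):
    """Percentage of queries going to legitimate vs. combosquatting names."""
    totals = Counter()
    for name, hits in query_counts.items():
        totals[classify(name)] += hits
    compared = totals["legit"] + totals["combosquat"]
    if compared == 0:
        return {"legit": 0.0, "combosquat": 0.0}
    return {k: round(100 * totals[k] / compared, 1) for k in ("legit", "combosquat")}

# Constructed sample: two domains are named in the article (defanged);
# every count and every other name is made up for this example.
SAMPLE = {
    "www.usps.com": 5100,
    "usps-post[.]world": 2600,
    "uspspost[.]me": 2300,
    "campusps.example": 40,
    "news.example.org": 900,
}

print({n: classify(n) for n in SAMPLE}, traffic_share(SAMPLE))
```

The `review` bucket exists because a plain substring match on the brand also hits unrelated names, which is why the second, intent-based filter is needed before any traffic is counted as malicious.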

Looking at the trend toward two different approaches – spreading traffic across many domains or using only a few domains that each saw a lot of traffic – Tilborghs and Faulkner suggested it could be to obfuscate their activities. “Carriers and other hosting providers are aware of the ubiquity of these scams and are trying vigilantly to identify and remove these pages,” they wrote. “Considering the level of attention given to eliminate these scams, their results and our observations are even more concerning.”

Article source: https://securityboulevard.com/2024/04/usps-phishing-scams-generate-almost-as-much-traffic-as-the-real-site/