[HN Gopher] Phishing Campaigns Targeting USPS See as Much Web Tr...
___________________________________________________________________
Phishing Campaigns Targeting USPS See as Much Web Traffic as the
USPS Itself
Author : rexbee
Score : 133 points
Date : 2024-04-29 04:12 UTC (18 hours ago)
(HTM) web link (www.akamai.com)
(TXT) w3m dump (www.akamai.com)
| petesergeant wrote:
| I'm disappointed by how little protection we're getting against
| phishing campaigns. Google's SafeSearch takes forever to process
| stuff, where presumably very quick response times are much more
| effective, Fastmail, despite being great in general, is
| _terrible_ at detecting phishing, Booking.com met my report of a
| phishing campaign over their site (hotel got hacked) with a "it
| happens, we might talk to the hotel about it one day" shrug, and
| banks and other institutions continue to send legitimate messages
| that look like phishing.
| infotainment wrote:
| _> Booking.com met my report of a phishing campaign over their
| site (hotel got hacked) with a "it happens, we might talk to
| the hotel about it one day" shrug_
|
| This is my problem with almost every "report spam/fraud/etc"
| flow. It's always a digital shrug, and then nothing happens.
|
| Only one site I know of ever had it right: Instagram, up to
| about 2021. When you reported an account or post, you would
| actually be notified when they took action, which would usually
| take about a week and be something like "the account was
| removed". It was so _satisfying_ to see a spam account get
| taken down after a report. But, they removed that in favor of
| the "hey thanks for the report we've tossed it right in the
| trash lol" user flow that every other site uses. Unfortunate.
| Dalewyn wrote:
| Generally, I find the effectiveness of feedback is inversely
| proportional to the ease of submitting it.
| bluGill wrote:
| The problem with the feedback is scammers can abuse it - they
| report a few of their own scams and then use feedback to
| check on those and thus see what happened, and in turn they
| better know when they are blocked and have a better idea how
| to create new accounts that are hard to block.
| Plasmoid wrote:
| > banks and other institutions continue to send legitimate
| messages that look like phishing.
|
| The Canada Revenue Agency (tax collectors) once called me up
| about something. They literally said "To verify your identity,
| please give me your social insurance number". It's hard to
| blame people when actual government agencies are training
| people to be phished.
| effluvium wrote:
| Do business with businesses that have local offices. That way
| anytime something needs verification or seems off, go into
| the business's building.
| Scoundreller wrote:
| When a Canadian gov agency calls, a good reverse
| verification method is to test their French.
|
| << Etes-vous une pamplemousse? >> (Are you a grapefruit?)
| jplrssn wrote:
| If you live in Canada you can't really opt out of doing
| business with the CRA.
| Terr_ wrote:
| I ranted about something similar when it came out how the US
| Internal Revenue Service was implementing authentication for
| their free-filing service.
|
| They're training taxpayers to put in large amounts of
| extremely sensitive personal information into a third-party
| domain called "id.me". Even if you trust the private company,
| I think it's insane they didn't _at least_ whitelabel the
| process through a *.irs.gov domain!
|
| (For those curious, the .me TLD is run by the country of
| Montenegro. Control over DNS has some security implications
| for phishing and man in the middle attacks.)
| CodeWriter23 wrote:
| Just curious, how did you confirm it was The Canada Revenue
| Agency and not scammers?
| Plasmoid wrote:
| I logged into the CRA website and found something.
| Terr_ wrote:
| "Contact the suspicious person back through the official
| number or website" is always a good heuristic, especially
| since it works pretty well as advice for non-technical
| relatives.
| MattGaiser wrote:
| Is detecting phishing all that straightforward? Banks,
| travel agents, and even governments are all terrible at
| avoiding the signalling of phishing.
|
| Equifax had its entire response to its breach on a different
| domain, the kind of thing we tell people to watch out for.
|
| https://www.equifaxsecurity2017.com/
|
| This looks like phishing. But it is legitimate.
| bartvk wrote:
| Vattenfall (a big Swedish energy company) had the same for a
| while. Their marketing created a website where you could log
| in as a user, on a completely different domain.
|
| Most have been fixed but my current pet peeve is receiving
| email newsletters from these companies with tracking links. I
| get it, you're trying to measure something. But they're
| genuinely sending you links like
| sx4pv.mjt.lu/lnk/EEEAAAA-3434-asdfasdfasdf
| ecosystem wrote:
| Indeed. They haven't learned their lesson.
|
| AT&T finally copped to an enormous breach this month. In their
| notification to individuals (sorry, sign up for identity
| protection, etc), they made sure to let you know official
| email always comes from: att@message.att-mail.com
|
| ...an email address and subdomain that have never contacted
| me before on a sketchy sounding domain that doesn't match the
| service (hosted at https://att.com). The email links to
| experianidworks.com which asks for email, address, and SSN
| upon clicking the CTA.
| sureglymop wrote:
| Even tech companies do this wrong. GitHub had its
| upcoming/beta features on githubnext.com and even sent out
| auth related e-mails from there. I wanted to test their new
| features but when I got the email I lost my faith in them and
| opted not to.
| heipei wrote:
| It is not straightforward, and it is complicated by a number
| of factors. The first would be bad "brand hygiene": If a
| company has dozens of legitimate domains across different
| TLDs, different providers and different geographical
| locations then it's already more complicated than just one
| canonical .com domain. If teams within the company are
| permitted to spin up their own domains (e.g. marketing
| campaigns, branch offices) then it gets 10x worse. Lastly if
| a legitimate brand frequently changes its appearance, it will
| be harder to pin down the true brand identity.
|
| But even if you follow all of these best practices there are
| still powerful attack vectors. A threat actor could host
| their phishing page on an unrelated (compromised) domain with
| good domain reputation, in that case you wouldn't even know
| about that site until the first email or SMS hits your
| customers. Or the threat actor could use one of the many
| file-hosting or website services to create their site and
| host it on a shared third-party domain with perfect domain
| reputation (e.g. amazonaws.com).
|
| And then there's incentive: It's not the companies that suffer
| financial losses, it is their customers. If you were talking
| about their employees being phished that would be a different
| story. Same thing for Google Safe Browsing: Their incentive
| is to protect against most of the obvious phishing, without
| any false positives, ever. If they are slow to detect
| something they won't suffer any losses. If they generate a
| False Positive their Chrome browser might suffer significant
| reputational damage if a popular legitimate domain is
| blocked.
| cameronh90 wrote:
| DHL sent me a shipment tracking email from
| "dhlecommerce.co.uk" the other day. I almost deleted it, but
| then I remembered I was actually waiting for a package.
|
| This is a huge issue and it seems like we've just given up on
| it. There used to be EV SSL certs, but they are essentially
| dead now. There's BIMI for email, but support is mixed, and
| only partly addresses the issue.
| miyuru wrote:
| It's not just in the US, it happens in every country. SMS is the
| main way these links are distributed. So much so that in Sri
| Lanka, the gov planned to add a centralized SMS firewall.
|
| https://economynext.com/sri-lanka-to-study-infobip-centraliz...
|
| Google Messages has a good spam filter that can filter them in
| real time, but I have seen some get through for a short period
| of time.
| jajko wrote:
| I don't get SMS but the amount of spam in my gmail inbox about
| Swiss post (I live here but am not native) is staggering.
|
| Luckily they still look so lame it's trivial to spot them, and
| gmail is doing a fine service filtering them right into spam.
| Scoundreller wrote:
| About 7-8 years ago in France you'd get regular phone calls
| from actual humans running the same scam about a DHL or
| whatever packaging requiring duties to be paid. Plus the same
| SMS scams.
|
| Americans are lucky in that they usually don't have to buy from
| abroad and when they do, rarely is tax/duty payment required
| from the recipient (unlike many other parts of the world).
| FinnKuhn wrote:
| In Germany we get those phishing SMS too, but I think the US
| is probably worse off, as they get way more phishing calls
| (which I think are more effective) as scammers in Nigeria or
| India usually don't speak German or French...
| Scoundreller wrote:
| Plenty of low-income Francophones in the world.
| lynx23 wrote:
| In 2019, when I landed in Hamburg, I got a scam SMS _before_
| the "Welcome to Germany"-SMS. IOW, the scammers managed to
| consume the "new arrival" event somehow, and send out their own
| scam. Tells a lot about how much the telcos actually care / are
| a part of these scams.
| acdha wrote:
| I periodically wonder how quickly this would end if the costs
| shifted to the telcos who currently see it as a profit center.
| Imagine if reporting a message got you an immediate $1 credit
| and they had to recover it from the network which originated
| the spam: how quickly would they be able to turn on egress
| filtering?
| acomjean wrote:
| The fact that telcos are really party to these scams and for
| some reason aren't held accountable is amazing to me.
| acdha wrote:
| I think about that every time I get a call with a forged
| number. I remember when VoIP was coming on the market and
| people were warning about spoofing but telco executives
| apparently just blew that off because it'd slow sales.
| bdw5204 wrote:
| RCS messaging being adopted on Android has meant that I now get
| added to spam group chats called "USPS" by some criminals
| impersonating the post office.
| ChrisArchitect wrote:
| Related from earlier this month:
|
| _USPS jumps to first place as most imitated brand in phishing
| attacks_
|
| https://news.ycombinator.com/item?id=39969527
| InCityDreams wrote:
| I get no spam, until I send something...then it's an avalanche
| for a few weeks, then they dry up until next time I need DHL (or,
| indeed, any other carrier - EUR40 to send a registered letter,
| DHL priced themselves out of my budget).
| bombcar wrote:
| USPS.gov redirecting to USPS.com certainly doesn't help matters.
|
| Things like this should use one of the few TLDs that actually has
| policies and procedures in place; then it's a simple "if it's not
| .gov, it's not real."
| cozzyd wrote:
| I wonder if the .com TLD is part of the GOP campaign to kill
| the USPS
| qsymmachus wrote:
| USPS purchased the usps.com domain a long time ago
| specifically so they could control it and prevent phishing.
| The decision to replace usps.gov with the .com domain came
| later, with the tenure of Trump appointee Louis DeJoy.
|
| Right wingers believe that USPS should operate as a business,
| not a public service, so "rebranding" their website to be
| .com is definitely a part of that narrative.
| toomuchtodo wrote:
| So the ask should be to have .gov be canonical, and
| usps.com directing to .gov it sounds like?
| qsymmachus wrote:
| Yep, but for ideological reasons they reversed it.
| compuguy wrote:
| No, as I and others have commented, this wasn't changed
| by the current Postmaster DeJoy (not ignoring all the
| other _wonderful_ stuff he's changed). They've been
| using the dot com domain for decades at least?
| ciabattabread wrote:
| It's been USPS.com branding since at least 2000, aka the
| Bush administration. [1]
|
| [1] https://web.archive.org/web/20000229182038/http://www.u
| sps.g...
| ciabattabread wrote:
| I meant Clinton administration
| PopAlongKid wrote:
| This does not jibe with my recollection, which is that
| usps.com has always been the main site. And now, after a
| quick internet search, I find many references[0] that show
| your claim is wrong -- the use of the .com domain pre-dates
| DeJoy by many years, going back in fact to the days when
| the WWW was starting to get widespread use (because .com was
| far better known than .gov).
|
| [0]here is just one: https://www.reddit.com/r/explainlikeim
| five/comments/3piv7w/e...
| gumby wrote:
| > Right wingers believe that USPS should operate as a
| business, not a public service, so "rebranding" their
| website to be .com is definitely a part of that narrative.
|
| Seems failing businesses is also on brand for those guys.
| beanjuiceII wrote:
| fake news ... i love how people always blame dejoy even though
| he is one of the better PMGs we've had... and then right
| wingers somehow enter the picture? I've been working at
| usps in tech for 15 years...this has nothing to do with
| dejoy or right wingers and .com has existed for a very
| long time as the main external facing website for customers
| compuguy wrote:
| I'm honestly not a fan of what Louis DeJoy has done to
| USPS, but I'm pretty sure they've used the dot com domain
| for as long as I can remember, _way before_ DeJoy became
| Postmaster General....
| mr_mitm wrote:
| You're right that it doesn't help, but looking at regular non-
| technical people like my retired parents for example, I really
| wonder if it's a realistic expectation that people know what
| the important part of a URL are.
|
| They need to parse slashes, dots, colons and ats (remember URLs
| can contain credentials, even though I believe browsers issue
| warnings these days), identify the TLD and the domain and then
| know what is legit and what isn't. And know that things like
| onmicrosoft.com is legit while atmicrosoft.com is probably not.
| Or whatever link shortener some legit organizations are using.
| Larrikin wrote:
| The Internet has been around long enough at this point. Maybe
| your parents might never be able to read a URL and there will
| always be people who get scammed.
|
| But we should be taking the obvious steps like enforcing
| government domains on .gov . Attacks and scams are getting
| more sophisticated, so I hope when I'm elderly I can at least
| check the .gov portion and know it's an actual government
| website.
| mr_mitm wrote:
| It's not just the elderly generation though. Young people
| mostly use apps and might barely interact with an actual
| browser. Big browsers de-emphasize the URL bar more and
| more. Yes, you and I and probably everyone on HN will never
| have a problem with this, but significant portions of the
| population will. I think it's a hard problem.
| jonas21 wrote:
| Isn't the simple solution to this to encourage everyone
| to use the USPS app (and apps for banking, etc.)? Most
| young people probably do this already.
| jddj wrote:
| This just moves the mimicry to the app stores. Admittedly
| there's some curation but it's far from perfect
| lukeschlather wrote:
| That's like suggesting people don't need to know what the zip
| code is because it's often redundant and omitted. People are
| often lazy, but it's immediately obvious to anyone that
| omitting the full 9-digit zip code could result in the letter
| being misdelivered, even if I don't understand what the last
| 4 digits are even for.
| LoganDark wrote:
| It's honestly not that obvious. I never knew there's a
| difference between the 5-digit and 9-digit versions of my
| zip code. Most checkout flows do not even allow me to input
| more than 5 digits in the first place. But upon receiving
| my mail, the 5-digit code is always corrected to the
| 9-digit one.
|
| I had never considered that if there were multiple 9-digit
| expansions of a 5-digit zip code, the correction might turn
| out wrong unless the full 9-digit code is specified.
| tristor wrote:
| The Zip+4 last four digits align to delivery zones. It can
| be trivially constructed from the complete address now that
| we have reliable digital mapping systems, and in fact this
| is what happens internally in the postal system.
|
| It is not required and will likely never be required to
| provide a 9 digit ZIP for reliable delivery. It may, and
| does sometimes, impact speed of delivery due to
| sorting/distribution rounds.
| labcomputer wrote:
| > It is not required and will likely never be required to
| provide a 9 digit ZIP for reliable delivery.
|
| That depends on who _you_ are.
|
| If you are a regular person, then yes, 5 digits is
| sufficient. But if you are a sender of presorted
| commercial bulk mail (which is discounted from first
| class), you may actually be required to provide a 5 + 4 +
| 2 = 11 digit ZIP.
|
| That little barcode the post office prints on your
| letters is actually just the 11 digit zip. The final two
| digits are the last two digits of the house number. So
| "123 Any Street, Anytown FL, 45678" the final two digits
| of the zip would be 23.
| talldatethrow wrote:
| I'm 38, live in the SF Bay area, and have never given
| anyone more than the first 5 digits in my life. Online some
| might auto correct, but I've never learned them in my life
| and never even considered I should.
| bombcar wrote:
| The root of all these things is companies, banks, and
| governments offloading the responsibility of security _on to
| the worst possible person_ - the end user.
|
| "Identity theft" should simply not be a thing at all - it's
| fraud against _the bank_ and the person whose "identity"
| was stolen shouldn't be involved. Combined with simple fraud
| chargebacks that make the bank accountable if they can't make
| their (fraudulent) customer accountable, that would reduce much
| of it.
| BobaFloutist wrote:
| If nothing else, their browser could know that.
| wongarsu wrote:
| Browsers have gotten better at highlighting the important
| part. On this URL Firefox highlights the "ycombinator.com"
| part of the URL (by writing the rest in muted gray), and edge
| at least highlights "news.ycombinator.com". Chrome curiously
| doesn't, and neither do any of my mobile browsers
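The three comments above (heipei's point that a phishing page can sit on an unrelated or shared domain with good reputation, mr_mitm's list of what a reader has to parse in a URL, and wongarsu's note that some browsers highlight the registrable domain) all come down to the same check: find the registrable domain and judge the link by that alone, not by brand text appearing anywhere else. The following is an added example illustrating that check; it is not code from the Akamai post or from any commenter. It assumes a constructed subset of the public suffix list (the real list at publicsuffix.org is far larger and has wildcard and exception rules that are ignored here) and a constructed brand allowlist; the sample URLs reuse domains named in this thread and are otherwise made up.

```python
"""Triage a link by its registrable domain, as a careful reader (or a
browser's URL highlighting) would. Added example; not code from the thread."""
from urllib.parse import urlsplit

# Constructed subset of the public suffix list. The real list has thousands
# of rules; this is only enough to run the samples below. "amazonaws.com" is
# included to model a shared hosting domain of the kind heipei describes.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "info", "me", "lu", "co.uk",
                   "amazonaws.com"}

# Constructed allowlist: brand keyword -> registrable domains accepted as that
# brand. In practice this is the short list a company should publish.
BRANDS = {
    "usps": {"usps.com"},
    "microsoft": {"microsoft.com", "onmicrosoft.com"},
    "att": {"att.com"},
    "equifax": {"equifax.com"},
    "github": {"github.com"},
}


def registrable_domain(host):
    """Return the registrable part (eTLD+1) of host, e.g. 'ycombinator.com'
    for 'news.ycombinator.com'. Returns None when the host is itself a public
    suffix or ends in a suffix this subset does not know."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def _brand_mentions(text):
    """Brands whose name appears in text. Names shorter than 5 characters
    must match a whole token, so 'att' matches 'att-mail' but not 'attack'."""
    tokens = [t for t in text.lower().replace("-", ".").replace("/", ".").split(".") if t]
    found = set()
    for brand in BRANDS:
        for tok in tokens:
            if tok == brand or (len(brand) >= 5 and brand in tok):
                found.add(brand)
    return found


def triage(url):
    """Classify a link as 'known' (registrable domain on the allowlist),
    'lookalike' (brand name present but outside the registrable domain) or
    'unverified' (nothing to go on), with flags for the usual tricks."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url                # bare hosts, as in tracking links
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    flags = []
    if parts.username is not None:
        flags.append("credentials-in-url")    # the 'usps.com@evil.info' trick
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode-host")         # IDN homoglyphs; not decoded here
    if reg is None:
        flags.append("unknown-suffix")

    mentioned = (_brand_mentions(host)
                 | _brand_mentions(parts.username or "")
                 | _brand_mentions(parts.path))
    owner = next((b for b, domains in BRANDS.items() if reg in domains), None)
    if owner:
        verdict = "known"
    elif mentioned:
        verdict = "lookalike"
        flags.append("brand-outside-registrable-domain")
    else:
        verdict = "unverified"
    return {"host": host, "registrable": reg, "brands": sorted(mentioned),
            "verdict": verdict, "flags": flags}


if __name__ == "__main__":
    # Constructed samples built from domains mentioned in this thread.
    for sample in ("https://www.usps.com/track",
                   "http://usps.com@evil.info/track",
                   "https://usps.com-track.info/",
                   "https://usps-track.amazonaws.com/",
                   "https://tenant.onmicrosoft.com/",
                   "https://atmicrosoft.com/",
                   "https://www.equifaxsecurity2017.com/",
                   "https://message.att-mail.com/",
                   "sx4pv.mjt.lu/lnk/EEEAAAA-3434-asdfasdfasdf"):
        print(f"{sample:48} {triage(sample)}")
```

Two things the run makes visible. First, the legitimate-but-odd senders discussed in this thread (equifaxsecurity2017.com, att-mail.com) come out as "lookalike", exactly like a phishing domain would: the heuristic is sound, and it is the companies that are breaking it. Second, a domain like mjt.lu or a subdomain under a shared host comes out "unverified" rather than bad, which is all a reader can say without out-of-band confirmation; that is why "go back through the official site" stays the right advice.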
| godelski wrote:
| This is a problem I have a REALLY hard time with when
| discussing with people, often about scams.
|
| A lot of people look at scams and think "I'd never fall for
| that" because at face value something looks obvious and you
| think you can use these obvious filters. BUT in reality there's
| tons of fuckups like this that make the space confusing because
| the "red flags" just look like flags.
|
| For example, in the scams where people fake a voice of a loved
| one people think they'd know. But there's bad connections and
| scammer makes it feel like an emergency so you'll let little
| weird things slip by. Or how every year or two Google changes
| its login page format (and currently I seem to hit two very
| different formats...). Or a week ago with the rabbit leak I
| said this was a reason not to push people to download a file[0]
| and people concentrated on the part of it being a zip and not
| that 1) you download something and 2) that zip has to be opened
| even if a zip alone can't do anything.
|
| This really is one of the big dangers of enshittification. It
| becomes difficult to distinguish legitimate things from scams.
|
| [0] https://news.ycombinator.com/item?id=40135671
| tylervigen wrote:
| > We have found that the USPS is under attack from text scams
|
| The core challenge of phishing attacks is that USPS is not, in
| fact, the primary victim of these attacks.
|
| The victims are distributed citizens who fall for the scam. USPS
| doesn't have very many levers available to them to address the
| attacks (besides a warning on their site, which they have), but
| also doesn't 'feel' the impact so would have a hard time
| justifying substantial investment in addressing it.
|
| Ultimately the solution needs to come from regulatory regimes
| that target fraud, particularly SMS message spam.
| gowld wrote:
| The USPS is empowered with a law enforcement branch to defend
| against attacks on the mail system.
|
| The problem is usually that domestic law enforcement is
| powerless against international crime, which gets laundered by
| international utilities like DNS and IP routing/peering.
| habosa wrote:
| It might not change anything, but I think the criminal penalties
| for scams need to be significantly raised.
|
| The idea of reaching out to someone you don't know at all and
| attempting to steal their money by lying and betraying their
| confidence is morally disgusting. The type of people who can do
| this hundreds or thousands of times a day are criminals of the
| worst and least redeemable kind, yet if caught they would likely
| face a smaller penalty than someone who steals a single piece of
| jewelry from a store.
|
| We are slowly losing our ability to trust each other because of
| the prevalence of scams which adds massive transaction costs to
| every legitimate exchange. These costs are unseen but they make
| almost everything we buy slower and more expensive.
| Eisenstein wrote:
| Increasing penalties has much less effect on crime than
| increasing the likelihood of them getting caught. If there is a
| slim chance of them getting caught it doesn't matter what the
| penalty is because they will do it anyway.
| wslh wrote:
| Try posting on a relatively popular cryptocurrency Telegram group
| and you will receive a lot of messages and calls within 30 minutes.
| squirrel wrote:
| Reminds me of the fake police station in Do Androids Dream of
| Electric Sheep [1]. In order to keep up the pretense for three
| years, the androids have to take crime reports, do paperwork, and
| arrest perpetrators. In other words, they have to run an actual
| real police station. So perhaps the fake USPS sites should just
| start delivering the post!
|
| [1]
| https://en.wikipedia.org/wiki/Do_Androids_Dream_of_Electric_...
| gowld wrote:
| Why don't DNS providers offer anti-malicious-URL protection?
___________________________________________________________________
(page generated 2024-04-29 23:02 UTC)