USPS Phishing Texts Are Flooding Phones Across The Country
On top of all the other fracas currently facing our country’s postal service, the USPS name is at the centre of a string of phishing schemes slamming phones nationwide, with some folks claiming these texts have ties to a massive, multinational sex trafficking operation — while offering no evidence to back it up.
For those lucky enough not to have received these texts, the scheme generally works like this: you get a text from a mysterious number claiming that your delivery from USPS, FedEx, or another delivery service is experiencing some sort of issue in transit that requires your urgent attention. Because our country’s post offices are in a state of literal crisis right now, and because the text includes a legitimate-sounding (but in fact phony) tracking number, you click on the link they provide.
BREAKING!! New SMS phishing campaign pretending to be from the United States Post Office being pushed out to cell phones today. So far the link in the SMS being used is this domain m9sxv[.]info. Here are a couple of sample texts we have collected. #infosec #malware #smish #osint pic.twitter.com/90xSWYCUbZ
— Eric JN Ellason (@SlickRockWeb) September 15, 2020
What happens next is up to the scammer behind the text, but generally they’re trying to get your credentials — most often in the form of a credit card number. In the example security researcher Eric Ellason unearthed in this tweet thread, the link that supposedly provided access a supposed USPS shipment actually led to a domain that did nothing but infect your browser (or phone) with malware.
The current wave of texts hitting countless phones across the country might seem like a new threat, but it’s actually been around for a while. Back in February, the FTC put out a notice warning people to be sceptical of any potentially scammy tracking codes being sent their way. And then at the start of this month — likely spurred on by the new round of phishing attempts — the Better Business Bureau put out its own memo warning folks about some popular “delivery scams,” including the phony text from FedEx or USPS. It’s spam, plain and simple.
But of course that couldn’t be the end of it, because this is 2020, and people with too much time on their hands love tying mundane happenings to vast conspiracies — the sale of human lives in particular. As Insider first detailed, one of the more notable examples involved one Instagram poster claimed the links in the text were planted to covertly track the location of vulnerable women, to eventually traffic them, rather than acting as a malware vector to steal their credit card numbers. Similar posts have been seen circulating across Facebook, with one becoming viral enough that Facebook eventually felt the need to note that the claims the user were making were, indeed false — but only after thousands of users had shared it, Qanon diehards co-opted it, and an untold number of women got way more freaked out than they had any need to be.
These rumours got so bad that the Polaris Project — a nonprofit that combats trafficking — put out a statement begging people to stop flooding their real sex trafficking hotline with this completely unverified horseshit. It’s sadly not the first time, either. The organisation had to do the same when its phone lines were flooded with similar “tips” regarding the e-commerce giant Wayfair, which can naturally also be sourced back to the Qanon community.
Editor’s Note: Release dates within this article are based in the U.S., but will be updated with local Australian dates as soon as we know more.
Gloss