Undeliverable Sham Package Service

There has been an observed social engineering campaign posing as delivery failure notifications from the United States Postal Service (USPS). The message is addressed to a generic “customer” and directs the user to click the provided link to update their address details. It also claims that if the user ignores the request, the undelivered package will be returned to the sender. Although the link may appear legitimate, it redirects to a malicious webpage.

Upon clicking the provided link, users are directed to a purported tracking page for a USPS package, claiming that the package has been held at the post office due to incorrect delivery information. Clicking the “Update My Address” button directs users to a form that requests an updated mailing address, email address, and phone number. Submitting that information leads to a final page that requests a small re-delivery fee to process and deliver the package. Once the forms have been submitted, the address and payment information are forwarded to the threat actors behind the campaign.

Recommendations
  • Avoid clicking links and opening attachments in unsolicited emails.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Submit only payment and personal information on official websites.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Users who submitted credit card information to these webpages are advised to contact their banking institutions to report the fraudulent purchases.
  • Report malicious cyber activity to the NJCCIC and the FBI’s IC3.