
Thursday, August 15, 2024

A Sense of Doubt blog post #3467 - BEWARE USPS Scams!




I have been receiving these scams both via text and email. I was suspicious every time, though one time I clicked a link from a text on my computer via my phone link. I do not think it installed malware, but I am happy to learn that it is best to not even click the links to investigate. I am smart enough not to enter personal information of any kind, but I did not know that even clicking a link is potentially harmful.

Here are two articles about precautions with smishing, the first from USPS itself and the other from Santa Clara Federal Credit Union. Following those, there's an article from WIRED on someone who hacked the hackers!!

Thanks for tuning in today.

COUNTDOWN!!!



https://www.uspis.gov/news/scam-article/smishing-package-tracking-text-scams


Have you received unsolicited mobile text messages with an unfamiliar or strange web link that indicates a USPS delivery requires a response from you?  If you never signed up for a USPS tracking request for a specific package, then don’t click the link! This type of text message is a scam called smishing.

Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other company to lend legitimacy to their claims. USPS utilizes the 5-digit short codes to send and receive SMS to and from mobile phones.

The criminals want to receive personally identifiable information (PII) about the victim such as: account usernames and passwords, Social Security number, date of birth, credit and debit card numbers, personal identification numbers (PINs), or other sensitive information. This information is used to carry out other crimes, such as financial fraud.

The Postal Service offers free tools to track specific packages, but customers are required to either register online, or initiate a text message, and provide a tracking number. USPS does not charge for these services! USPS will not send customers text messages or e-mails without a customer first requesting the service with a tracking number, and it will NOT contain a link. So, if you did not initiate the tracking request for a specific package directly from USPS and it contains a link: don’t click the link!

If you suspect the text message you have received is suspicious but are expecting a parcel, please do not click on any links. Rather, report it and visit USPS.com from your mobile device or computer for tracking and additional resources.
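The checks described in the advisory above, written as an added example (not part of the USPS article or this blog's own content): a triage function for a received text that applies the 5-digit short code, prior-request and no-link rules, and shows why a link's hostname must be compared against usps.com as a domain suffix rather than searched for as a substring. The sender numbers, message bodies and the `.example` hostname are constructed sample data.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
OFFICIAL_DOMAIN = "usps.com"  # the site the advisory says to visit directly


def host_is_official(url: str) -> bool:
    """True only if the hostname is usps.com or a subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: never treat it as official
        return False
    # Suffix match on a label boundary; a substring test would accept
    # lookalikes such as usps.com.parcel-redelivery.example
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def triage(sender: str, body: str, requested_tracking: bool) -> list[str]:
    """Return the reasons a text claiming to be from USPS looks like smishing."""
    reasons = []
    if not re.fullmatch(r"\d{5}", sender.strip()):
        reasons.append("sender is not a 5-digit short code")
    if not requested_tracking:
        reasons.append("no tracking request was initiated")
    urls = URL_RE.findall(body)
    if urls:
        # Per the advisory, a genuine tracking text carries no link at all.
        reasons.append("message contains a link")
    for url in urls:
        if not host_is_official(url):
            reasons.append(f"link host is not {OFFICIAL_DOMAIN}")
    return reasons


# Constructed sample messages (not real traffic).
SCAM = ("+1 (555) 010-0199",
        "USPS: your parcel is on hold. Update your address at "
        "https://usps.com.parcel-redelivery.example/track",
        False)
LEGIT = ("12345", "USPS 9400100000000000000000 Delivered, In/At Mailbox", True)

if __name__ == "__main__":
    for sender, body, requested in (SCAM, LEGIT):
        print(sender, "->", triage(sender, body, requested) or "no findings")
```

An empty result only means none of these rules fired; the advisory's guidance to go to USPS.com directly instead of following a link still applies.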

 

For more information about these services and other products, please visit USPS TEXT TRACKING FAQs:

To protect yourself and others from consumer frauds, visit our fraud prevention page.


HOW TO REPORT USPS Related SMISHING:

To report USPS related smishing, send an email to spam@uspis.gov.

  • Without clicking on the web link, copy the body of the suspicious text message and paste into a new email.
  • Provide your name in the email, and also attach a screenshot of the text message showing the phone number of the sender and the date sent.
  • Include any relevant details in your email, for example: if you clicked the link, if you lost money, if you provided any personal information, or if you experienced any impacts to your credit or person.
  • The Postal Inspection Service will contact you if more information is needed.
  • Forward the smishing/text message to 7726 (this will assist with reporting the scam phone number).

 

Complaints of non-USPS related smishing can also be sent to any of the following law enforcement partners of the U.S. Postal Inspection Service:




Beware the USPS Smishing Text Scam

Your phone pings with an incoming text. You swipe it open to find a message from the USPS. They’re texting to let you know that the scheduled delivery time for your package has been changed. Unfortunately, though, the message is not from the USPS and you’ve just been targeted by a scam.

Here’s what you need to know about the USPS smishing text scam.

How the scams play out

In the USPS smishing text ruse, a target will receive a text like the one described above. The message prompts the victim to click on a link to reschedule the delivery. However, if the victim follows the instructions, they’ll be falling victim to a smishing text scam.

The United States Postal Inspection Service (USPIS) is warning of an uptick in smishing scams that use the USPS as a cover, conning unsuspecting victims into downloading malware onto their phones or sharing personal information with scammers they assume is the USPS. The scammer will then go on to empty the victim’s accounts or steal their identity.

Individuals who’ve recently made online purchases and are expecting a package delivery within the next few days are especially vulnerable to this scam. To the uninformed, the text looks legitimate, and with just one careless click, the scammer has access to the victim’s device and personal information.

However, with one crucial bit of information, you can protect yourself from falling victim to the USPS smishing scam: The USPS never sends out unsolicited text messages about a package. The company will only send a message when a consumer has signed up for alerts about a package’s delivery. If you have not signed up for messages from the USPS, and you receive a text like the one described above, you know you’re being targeted by a scam.

What to do if you're targeted

If you’re targeted by a smishing text scam, the USPIS recommends taking the following steps:

  • Verify the sender. Confirm the identity of the message sender by checking with the USPS if you have a delivery schedule change. Don’t call the number on the text. Instead, reach out to your local USPS office directly.
  • Don’t reply or click on links. Replying to the message or downloading an embedded link can install malware onto your phone.
  • Delete. Save a screenshot of the text to share with law enforcement agencies and then delete the message.
  • Block the number and update the security on your device. Prevent a recurrence of the scam by putting the number on your “Do Not Call” list and beefing up the security settings on your phone.
  • Keep personal information personal. Never share sensitive information, like your Social Security number or financial account details, with an unverified contact.

Report the scam

Do your part to stop the scammers by reporting it to the proper authorities.

First, you can report smishing scams that impersonate the USPS to the Inspection Service Cybercrime Team at the USPIS by email. Take a screenshot of the text and send it to spam@uspis.gov. Make sure your screenshot shows the number of the sender as well as the date it was sent. You’ll also need to include your name in the email so the team can reach you, along with any other relevant details about the scam, such as money you may have lost, links you may have downloaded, and personal information you may have shared. The USPIS will contact you if it needs any additional information to help nab the scammers.

You can also report the scam to the Federal Trade Commission at FTC.gov and let your friends and family know about the circulating scam.

Stay alert and stay safe.






USPS SCAM

USPS Text Scammers Duped His Wife, So He Hacked Their Operation

The Smishing Triad network sends up to 100,000 scam texts per day globally. One of those messages went to Grant Smith, who infiltrated their systems and exposed them to US authorities.

 

The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered.

Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she’d inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers.

Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people’s cards to be protected from fraudulent activity.

In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States—California, the state with the most, had 141,000 entries—with more than 1.2 million pieces of information being entered in total.

“This shows the mass scale of the problem,” says Smith, who is presenting his findings at the Defcon security conference this weekend and previously published some details of the work. But the scale of the scamming is likely to be much larger, Smith says, as he didn't manage to track down all of the fraudulent USPS websites, and the group behind the efforts have been linked to similar scams in at least half a dozen other countries.

Gone Phishing

Chasing down the group didn’t take long. Smith started investigating the smishing text message he received by the dodgy domain and intercepting traffic from the website. A path traversal vulnerability, coupled with a SQL injection, he says, allowed him to grab files from the website’s server and read data from the database being used.

“I thought there was just one standard site that they all were using,” Smith says. Diving into the data from that initial website, he found the name of a Chinese-language Telegram account and channel, which appeared to be selling a smishing kit scammers could use to easily create the fake websites.

Details of the Telegram username were previously published by cybersecurity company Resecurity, which calls the scammers the “Smishing Triad.” The company had previously found a separate SQL injection in the group’s smishing kits and provided Smith with a copy of the tool. (The Smishing Triad had fixed the previous flaw and started encrypting data, Smith says.)

“I started reverse engineering it, figured out how everything was being encrypted, how I could decrypt it, and figured out a more efficient way of grabbing the data,” Smith says. From there, he says, he was able to break administrator passwords on the websites—many had not been changed from the default “admin” username and “123456” password—and began pulling victim data from the network of smishing websites in a faster, automated way.

Smith trawled Reddit and other online sources to find people reporting the scam and the URLs being used, which he subsequently published. Some of the websites running the Smishing Triad’s tools were collecting thousands of people’s personal information per day, Smith says. Among other details, the websites would request people’s names, addresses, payment card numbers and security codes, phone numbers, dates of birth, and bank websites. This level of information can allow a scammer to make purchases online with the credit cards. Smith says his wife quickly canceled her card, but noticed that the scammers still tried to use it, for instance, with Uber. The researcher says he would collect data from a website and return to it a few hours later, only to find hundreds of new records.

The researcher provided the details to a bank that had contacted him after seeing his initial blog posts. Smith declined to name the bank. He also reported the incidents to the FBI and later provided information to the United States Postal Inspection Service (USPIS).

Michael Martel, a national public information officer at USPIS, says the information provided by Smith is being used as part of an ongoing USPIS investigation and that the agency cannot comment on specific details. “USPIS is already actively pursuing this type of information to protect the American people, identify victims, and serve justice to the malicious actors behind it all,” Martel says, pointing to advice on spotting and reporting USPS package delivery scams.

Initially, Smith says, he was wary about going public with his research, as this kind of “hacking back” falls into a “gray area”: It may be breaking the Computer Fraud and Abuse Act, a sweeping US computer-crimes law, but he’s doing it against foreign-based criminals. Something he is definitely not the first, or last, to do.

Multiple Prongs

The Smishing Triad is prolific. In addition to using postal services as lures for their scams, the Chinese-speaking group has targeted online banking, ecommerce, and payment systems in the US, Europe, India, Pakistan, and the United Arab Emirates, according to Shawn Loveland, the chief operating officer of Resecurity, which has consistently tracked the group.

The Smishing Triad sends between 50,000 and 100,000 messages daily, according to Resecurity’s research. Its scam messages are sent using SMS or Apple’s iMessage, the latter being encrypted. Loveland says the Triad is made up of two distinct groups—a small team led by one Chinese hacker that creates, sells, and maintains the smishing kit, and a second group of people who buy the scamming tool. (A backdoor in the kit allows the creator to access details of administrators using the kit, Smith says in a blog post.)

“It’s very mature,” Loveland says of the operation. The group sells the scamming kit on Telegram for a $200-per-month subscription, and this can be customized to show the organization the scammers are trying to impersonate. “The main actor is Chinese communicating in the Chinese language,” Loveland says. “They do not appear to be hacking Chinese language websites or users.” (In communications with the main contact on Telegram, the individual claimed to Smith that they were a computer science student.)

The relatively low monthly subscription cost for the smishing kit means it’s highly likely, with the number of credit card details scammers are collecting, that those using it are making significant profits. Loveland says using text messages that immediately send people a notification is a more direct and more successful way of phishing, compared to sending emails with malicious links included.

As a result, smishing has been on the rise in recent years. But there are some tell-tale signs: If you receive a message from a number or email you don't recognize, if it contains a link to click on, or if it wants you to do something urgently, you should be suspicious.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

- Bloggery committed by chris tower - 2408.15 - 10:10

- Days ago = 3331 days ago

- New note - On 1807.06, I ceased daily transmission of my Hey Mom feature after three years of daily conversations. I plan to continue Hey Mom posts at least twice per week but will continue to post the days since ("Days Ago") count on my blog each day. The blog entry numbering in the title has changed to reflect total Sense of Doubt posts since I began the blog on 0705.04, which include Hey Mom posts, Daily Bowie posts, and Sense of Doubt posts. Hey Mom posts will still be numbered sequentially. New Hey Mom posts will use the same format as all the other Hey Mom posts; all other posts will feature this format seen here.
