Date: 08/09/2024
Severity: Critical
Summary
Since late 2023, we have tracked phishing campaigns mimicking postal services globally. Each day we see numerous newly registered domains and more than 200 hits on malicious sites posing as postal services. These campaigns frequently use SMS ("smishing") to distribute the phishing URLs. While many sites impersonate the US Postal Service, we also observe similar attacks targeting postal services in other countries, including Australia, Brazil, Canada, India, Ireland, Israel, and the UK.
Indicators of Compromise (IOC) List
URL/Domains:
anpost-online.com
anpost.ie-delivery.online
auspost.new-au.info
canadapost-postscanada.one
canadaposts-postalcanada.cc
correios.top
correios-importacao.com
eevriipost.cfd
evri.errpostv.click
evriiposttonline.sbs
indiapost-gov.com
indiapostxw.vip
israelpostco.click
israelpostoffice.sbs
liteblue-usps-gov.com
postes-canada-delivery.top
retidocorreios.net
tracking-infocheck-auspost.com
us-usps-parcel.icu
usps.com.odz178.vip
usps.officialpostship.top
usps.uspsluv.com
uspshelpar.top
uspshelper.top
uspsnotification.com
www.anpost-collect.com
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
URL/Domain:
userdomainname like "uspshelpar.top" or url like "uspshelpar.top"
or userdomainname like "www.anpost-collect.com" or url like "www.anpost-collect.com"
or userdomainname like "us-usps-parcel.icu" or url like "us-usps-parcel.icu"
or userdomainname like "uspsnotification.com" or url like "uspsnotification.com"
or userdomainname like "canadapost-postscanada.one" or url like "canadapost-postscanada.one"
or userdomainname like "correios.top" or url like "correios.top"
or userdomainname like "usps.uspsluv.com" or url like "usps.uspsluv.com"
or userdomainname like "israelpostoffice.sbs" or url like "israelpostoffice.sbs"
or userdomainname like "auspost.new-au.info" or url like "auspost.new-au.info"
or userdomainname like "postes-canada-delivery.top" or url like "postes-canada-delivery.top"
or userdomainname like "israelpostco.click" or url like "israelpostco.click"
or userdomainname like "eevriipost.cfd" or url like "eevriipost.cfd"
or userdomainname like "uspshelper.top" or url like "uspshelper.top"
or userdomainname like "usps.officialpostship.top" or url like "usps.officialpostship.top"
or userdomainname like "canadaposts-postalcanada.cc" or url like "canadaposts-postalcanada.cc"
or userdomainname like "liteblue-usps-gov.com" or url like "liteblue-usps-gov.com"
or userdomainname like "indiapostxw.vip" or url like "indiapostxw.vip"
or userdomainname like "tracking-infocheck-auspost.com" or url like "tracking-infocheck-auspost.com"
or userdomainname like "correios-importacao.com" or url like "correios-importacao.com"
or userdomainname like "indiapost-gov.com" or url like "indiapost-gov.com"
or userdomainname like "anpost-online.com" or url like "anpost-online.com"
or userdomainname like "evriiposttonline.sbs" or url like "evriiposttonline.sbs"
or userdomainname like "anpost.ie-delivery.online" or url like "anpost.ie-delivery.online"
or userdomainname like "evri.errpostv.click" or url like "evri.errpostv.click"
or userdomainname like "retidocorreios.net" or url like "retidocorreios.net"
or userdomainname like "usps.com.odz178.vip" or url like "usps.com.odz178.vip"

The query matches the listed strings literally. Before relying on it, confirm how the platform's like operator treats a bare value (exact match versus substring match), and consider that the same actors may host pages on subdomains of these domains and that a URL field will usually carry a scheme and path in front of and after the hostname.
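The following is an added example, not Gurucul's TDIR code, showing the matching logic a detection engineer would want behind the query above: it extracts the hostname from a bare domain or a full URL, normalizes case, port and trailing dot, and flags a record when the host equals one of the advisory's IOC domains or is a subdomain of one. For comparison it also implements naive substring matching, which fires on an IOC string that appears only in a URL's query string. The log records are constructed for this example and assume newline-delimited JSON with optional userdomainname and url fields.

```python
"""Match the advisory's postal-phishing IOC domains against proxy/DNS log records.

Added example (not Gurucul's TDIR code). The JSON records below are constructed
for this example; the field names userdomainname and url mirror the query.
"""
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# IOC domains from the advisory.
IOC_DOMAINS = frozenset({
    "anpost-online.com", "anpost.ie-delivery.online", "auspost.new-au.info",
    "canadapost-postscanada.one", "canadaposts-postalcanada.cc", "correios.top",
    "correios-importacao.com", "eevriipost.cfd", "evri.errpostv.click",
    "evriiposttonline.sbs", "indiapost-gov.com", "indiapostxw.vip",
    "israelpostco.click", "israelpostoffice.sbs", "liteblue-usps-gov.com",
    "postes-canada-delivery.top", "retidocorreios.net",
    "tracking-infocheck-auspost.com", "us-usps-parcel.icu", "usps.com.odz178.vip",
    "usps.officialpostship.top", "usps.uspsluv.com", "uspshelpar.top",
    "uspshelper.top", "uspsnotification.com", "www.anpost-collect.com",
})

# Constructed sample log records (not real telemetry).
SAMPLE_LOGS = [
    '{"ts": "2024-08-08T09:12:03Z", "user": "alice", "userdomainname": "uspshelper.top", "url": "https://uspshelper.top/track?id=9400"}',
    '{"ts": "2024-08-08T09:15:41Z", "user": "bob", "url": "https://track.usps.com.odz178.vip/in/redelivery"}',
    '{"ts": "2024-08-08T09:20:07Z", "user": "carol", "userdomainname": "www.usps.com", "url": "https://www.usps.com/manage/"}',
    '{"ts": "2024-08-08T09:22:30Z", "user": "carol", "url": "https://reports.example.com/abuse?domain=uspshelper.top"}',
    '{"ts": "2024-08-08T09:31:12Z", "user": "dan", "url": "HTTPS://CORREIOS.TOP:8443/login"}',
    '{"ts": "2024-08-08T09:40:55Z", "user": "erin", "userdomainname": "anpost-online.com."}',
]


def normalize_host(value: str) -> str:
    """Return the lowercase hostname from a bare host or a full URL."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value          # let urlsplit parse a bare host[:port]
    host = urlsplit(value).hostname or ""  # .hostname drops port/userinfo and lowercases
    return host.rstrip(".")                # tolerate a fully qualified trailing dot


def matching_ioc(host: str) -> Optional[str]:
    """Return the IOC that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    # Walk from the full host up through its parents, stopping before the bare TLD:
    # track.usps.com.odz178.vip -> usps.com.odz178.vip -> com.odz178.vip -> odz178.vip
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Host-aware matching: one (ts, user, field, ioc) tuple per matching record."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        for field in ("userdomainname", "url"):
            value = rec.get(field)
            if not value:
                continue
            ioc = matching_ioc(normalize_host(value))
            if ioc:
                hits.append((rec["ts"], rec["user"], field, ioc))
                break  # one alert per record is enough
    return hits


def substring_hits(lines: List[str]) -> List[str]:
    """Naive 'contains' matching for comparison: returns the ts of every record in
    which an IOC string appears anywhere, including inside a URL path or query."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        text = " ".join(str(rec.get(f, "")) for f in ("userdomainname", "url")).lower()
        if any(ioc in text for ioc in IOC_DOMAINS):
            hits.append(rec["ts"])
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("ALERT", *hit)
    print("substring-only matches:", sorted(set(substring_hits(SAMPLE_LOGS)) - {h[0] for h in scan(SAMPLE_LOGS)}))
```

Run against the sample records, scan() alerts on four of the six (the exact host, the subdomain of usps.com.odz178.vip, the upper-case host with a port, and the host with a trailing dot) and ignores both the legitimate www.usps.com visit and the abuse-report URL that merely names uspshelper.top in its query string; substring matching additionally fires on that last record.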
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-07-domains-impersonating-postal-services.txt