The fewer items we receive via the U.S. Postal Service (USPS) these days, the more excited we get when we do get packages delivered by the service. Well, cybercriminals are always up to something and now they are trying to take away our excitement when we go get the mail. Researchers at Malwarebytes provided a detailed process of how a recently discovered malvertising campaign works and helps criminals track down our payment card information for their own use.

The USPS is delivering more than we want with respect to these two things. In this case, it doesn’t matter if you’re using a smartphone, a laptop, or any other device. What matters is that you don't do a Google search or any other browser search to track get to the website.

What's happening?

In these campaigns, ads that we see when browsing pretty much everything these days, cleverly take advantage of the official URL of the USPS while redirecting unsuspecting victims to a domain controlled by the attackers. It is important to note that the URLs displayed in the ads are visual artifacts that do not correspond to the actual destination of the click. They just cleverly appear that way. The researchers found that by doing a Google search for the incorrect order of letters for the postal service, they were redirected to a website where the attack was completed. Yes, a typo led to payment card information getting stolen.

In this scenario, no matter which device you use, users are eventually redirected to the advertiser's URL upon clicking on an infected ad. Once victims land on the attacker-controlled website, they are prompted to enter their package tracking number. However, upon submitting this information, they receive an error message indicating that the package could not be delivered due to incomplete address information or something similar. This should raise some suspicion; however, it is not unheard of for the package address to be incorrect. What IS unusual is the process that follows.

The next step of the attack involves users being asked to provide their complete address once again, along with their credit card information to pay a nominal fee of $.35. It is at this point that red flags should be waving with gusto!

Next, if victims continue on, they enter a phishing site that looks just like USPS, using the official logo and everything. Then the attackers get to work harvesting their data. The small fee requested is irrelevant. The real danger lies in surrendering payment card details, which can be utilized by the threat actor or sold on the dark web.

The final step of the attack involves a request for victims to enter their financial institution credentials on a dynamic page. This page is different based on the payment card information provided. For example, if an individual submits data for a Visa card associated with US Bank, the page will prompt the target to log in to the US Bank page. Different financial institutions and cards will trigger templates specific to the data provided.

What to do, what to do

If you are expecting a delivery, you should contact the USPS separately to find out if there is a real error. This applies to tracking a package from any company, as there are attacks that use the names of all of the delivery services these days.

You can go to their legitimate site separately and track it or use the USPS’s handy Informed Delivery service to see what’s on the way. Type in the address manually, checking it a couple of times to make sure you didn’t make any typos. The best way to do this is to bookmark your frequently visited websites to ensure they go where you expect them to. Because phishing is still prevalent and attacks change all the time, it’s always discouraged to click links, attachments, or images in email messages or texts.