There has been much information and disinformation shared about the USPS SMishing attack. It has been linked to kidnapping and QAnon, and misidentified as spam. In fact, this SMishing attack is a fast-moving, constantly changing, credential-stealing social engineering phishing campaign.
SlashNext Labs first saw this SMishing attack and has blacklisted it since May 2020. However, our research shows this SMishing attack has many more variations than the one revealed by Eric Ellason on Twitter, as mentioned in The Verge last week.
These SMishing attempts have been served to hundreds of thousands of mobile phones since the attack was first blocked by SlashNext in May. It has been reported from Palo Alto, CA, to Boston, MA. Once the link is clicked, it redirects to a landing page with surveys, requests for log-in credentials, and give-aways, and the link becomes dead immediately after it is clicked.
Here are a few examples:
This example is disguised to look like a visual voicemail message, and it’s personalized. The URL redirects to hxxp://rewardsprograms.daooftoday.com, and once the URL was clicked and blocked, the link was deactivated and the phishing page was no longer accessible.
The next example is relatively similar. It is personalized, but it has a FedEx header, and the URL is different: hxxp://dealsly.club. If you look closely, the attackers are a little lazy, because the “fake” survey feedback meant to convince you the site is legit has the same people and comments but different dates.
SMishing is much more dangerous than traditional email phishing because many users believe they’re protected from these fast-moving attacks, but most are not. Additionally, many users receive legitimate text messages from USPS, FedEx, and UPS about shipment status, which is why this SMishing attack has been very successful. If your users are not protected, credentials can be stolen, or backdoors can be created, leading to account takeovers and breaches.
The advanced SMishing protection feature in SlashNext’s Mobile Phishing Protection and Browser Phishing Protection did block these attacks. These products are purpose-built to protect users on social media, SMS, and collaboration platforms by detecting credential stealing and rogue browser extensions, without compromise. Our fast, real-time phishing protection is a lightweight, cloud-powered app that protects iOS and Android users with no user experience degradation and does not transmit personal data. SlashNext’s Mobile Phishing Protection service is easily deployed and managed with leading UEM solutions or SlashNext’s Endpoint Management System.