USPS Phishing Kit 9514901

Recent Detections

  • hxxps://unitedpostu[.]com/verification/
  • hxxps://usps-com-tracking-update[.]utrqckigu[.]com/
  • hxxps://investify[.]themsfitness[.]com/wp-admin/user/Procces/
  • hxxp://unitedpostu[.]com
  • hxxps://usps-com-tracking-update[.]utrqckigu[.]com
  • hxxps://uspssecure[.]top/secure/secure/verification/
  • hxxps://b406fba5a0[.]nxcli[.]net/images/wp-admin.php
  • hxxps://pasca[.]umrah[.]ac[.]id/wp-content/maintenance/assets/Ho...
  • hxxps://ups-parcelservice[.]com/
  • hxxps://www[.]pensadiverso[.]org/wp-admin/user/support/

IOK Rule (edit)

title: USPS Phishing Kit 9514901

description: |
  Detects a USPS phishing kit that uses the same fake tracking ID
  & same stylesheet on every phish.

references:
  - https://urlscan.io/result/eb515c96-1e02-4d48-a07f-6fe1d1590059
  - https://urlscan.io/result/6f9262b2-7809-4000-b5d1-d89c90bd16ff
  - https://urlscan.io/result/532bc1f5-319e-4b1d-abbb-d35057788e7a
  - https://urlscan.io/result/3b801aaf-ace4-40e0-8653-0fdbe456b9e9
  - https://urlscan.io/result/d0eb1705-9e5d-40c1-81d9-56c49686b9f9

detection:

  fakeTrackingID:
    html|contains: 'class="tracking-number"> US9514901185421</span>'

  stylesheet:
    requests|contains: '1.css?apiType=css&projectid=ee38900c-6459-4e0c-95d6-896c0208d3d0'

  condition: fakeTrackingID and stylesheet

tags:
  - target.usps