Researcher Exposes Huge USPS Scam
- A security researcher exposes a massive 'smishing' operation impersonating USPS.
- Fraudsters hack into the researcher's systems after attempting to trick him with a fake package delivery message.
- The investigation reveals a wave of fraudulent text messages targeting individuals.
A security researcher has exposed a significant smishing operation that has been impersonating the United States Postal Service (USPS) through fraudulent text messages. Grant Smith, a red team engineer and founder of Phantom Security, initiated his investigation after receiving a suspicious package delivery text earlier this year. The message directed recipients to a fraudulent website, prompting them to enter sensitive personal information, a tactic commonly known as smishing. Smith's investigation revealed the extensive scale of the scam, which involved 1,133 fraudulent domains and resulted in the entry of 438,669 unique credit card numbers. Many victims had entered multiple cards, and over 50,000 email addresses were logged, including those from universities and military or government domains. California emerged as the state with the highest number of victims, totaling 141,000 entries. In total, more than 1.2 million pieces of personal information were collected by the scammers. The group behind this operation, dubbed the "Smishing Triad" by cybersecurity firm Resecurity, sells a customizable smishing kit on Telegram for $200 a month. This kit enables scammers to create fake websites that impersonate various organizations, with USPS being one of the primary targets. Smith was able to hack into the scammers' systems, revealing vulnerabilities that allowed him to access victim data and gather evidence for authorities. The United States Postal Inspection Service (USPIS) has confirmed that the information provided by Smith is being utilized in an ongoing investigation aimed at protecting the public, identifying victims, and prosecuting the perpetrators involved in this extensive fraud scheme.