How Google Searches for ‘USPS Package Tracking’ Can Lead to Banking Theft

Impersonation of USPS in a Malvertising Campaign Raises Concerns about Online Security

In a recent malvertising campaign, threat actors impersonated the United States Postal Service (USPS) to deceive victims and steal their payment-card and banking credentials. Researchers from Malwarebytes Labs discovered that a malicious ad appeared on Google searches for USPS package tracking. The ad redirected victims to a phishing site that tricked them into providing personal information such as address, credit card details, and banking credentials.

A Convincing Phishing Campaign

Jérôme Segura, director of threat intelligence at Malwarebytes Labs, explained how the threat actors behind the campaign made it look so convincing. Two ad campaigns were identified, one targeting mobile users and the other targeting desktop users. Although the ads displayed the official USPS URL, they redirected victims to an attacker-controlled domain. The URLs shown in the ad were visual artifacts and not the actual URLs victims clicked on. This brand impersonation technique makes malvertising especially dangerous.

When victims clicked on the ad, they landed on a website that asked them to enter their package tracking number, a typical request for USPS tracking. However, after submitting the tracking number, they received an error message claiming that their package couldn’t be delivered due to incomplete address information. The next step of the attack involved victims reentering their full address and submitting their credit card information to pay a small fee. This should raise a red flag, as it is unusual for USPS to request payment in this way. Finally, victims were prompted to enter their banking credentials on a dynamic page specific to their credit card information. This final step allowed the threat actors to steal victims’ banking credentials.
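The mismatch this section describes, between the URL an ad displays and the domain the click actually lands on, can be checked mechanically wherever redirect chains are recorded, such as proxy or browser-protection logs. The Python sketch below is an added example, not code from Malwarebytes or the original article; the function names, the naive two-label domain rule, and every sample URL are constructed assumptions.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Return the lowercase hostname, accepting scheme-less display URLs."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(url):
    """Naive eTLD+1 (last two labels). Assumption for brevity: production
    code should consult the Public Suffix List (e.g. for co.uk)."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:])

def check_ad(display_url, redirect_chain):
    """Compare the domain an ad shows with the domain the click lands on."""
    if not redirect_chain:
        return {"suspicious": True, "reasons": ["no landing URL recorded"]}
    shown = registrable_domain(display_url)
    landing = registrable_domain(redirect_chain[-1])
    reasons = []
    if landing != shown:
        reasons.append(f"displayed {shown} but landed on {landing}")
        brand = shown.split(".")[0]
        # The trusted name appearing inside a different domain is a lookalike.
        if brand and brand in host_of(redirect_chain[-1]):
            reasons.append(f"brand '{brand}' reused in landing hostname")
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed sample records (display URL, recorded redirect chain).
# Every .example host is a placeholder, not an indicator from the campaign.
SAMPLES = [
    ("https://www.usps.com", ["https://ad-click.example/r?id=1",
                              "https://tools.usps.com/"]),
    ("https://www.usps.com", ["https://ad-click.example/r?id=2",
                              "https://usps.com.track-parcel.example/track"]),
    ("www.usps.com", ["https://parcel-status.example/"]),
]

if __name__ == "__main__":
    for display, chain in SAMPLES:
        print(display, "->", chain[-1], check_ad(display, chain))
```

Only the final hop is compared, so a legitimate click tracker in the middle of the chain does not trigger a finding.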

The Persistence of Malvertising

This latest malvertising campaign serves as a reminder that despite increased awareness of online threats, threat actors still successfully exploit tactics that deceive and defraud internet users. Malvertising campaigns that impersonate trusted brands like USPS can affect individuals and businesses alike, undermining the trust placed in well-known brands. Earlier this year, another malvertising campaign targeted users searching for Bitwarden and 1Password’s Web vaults on Google.

Recommendations for Thwarting Malvertising

While user awareness is crucial in avoiding falling victim to malvertising campaigns, it is not always enough as attackers have become adept at creating legitimate-looking scams. To prevent these campaigns from reaching end users, search engines should implement stricter controls to combat brand impersonation. Microsoft’s Bing has already successfully applied such policies.

Furthermore, applying real-time browser protection can disrupt the malvertising kill chain from the initial ad to the payload, whether that is malware, phishing, or another scam. By implementing these measures, online platforms can mitigate the risk of malvertising and protect their users.

Increase Vigilance in the Face of Online Threats

Cybersecurity is an ongoing battle, and as the sophistication of threat actors continues to develop, it is essential for individuals and businesses to remain vigilant. By being cautious when clicking on online advertisements and staying informed about current scams, users can better protect themselves from falling victim to malvertising and other online threats.
