US Post Office phishing sites get as much traffic as the real one (opens in new tab)

(bleepingcomputer.com)

66 pointsgennarro2y ago20 comments

20 comments

18 comments · 5 top-level

stcredzero2y ago· 7 in thread

The Post Office leaves themselves open to this, because their site is at a level of tech that makes it hard to distinguish from a spam site from 5 years ago. It's too easy to make the phishing site look more legit than the actual site.

kibwen2y ago

I just went to https://www.usps.com/ and it looks perfectly fine. Loads quickly, layout is clean. Maybe this is a joke about modern webdev being terrible that has gone over my head?

robertlagrant2y ago

It sort of is - the design looks bad, but you're right. The website loads too fast, almost. I would just move to usps.gov and maybe make the design look less like a template I could buy for $30.

saulpw2y ago

How would that new design not become the next $30 template? Do we just have to redesign everything important every few years so they avoid the old/commodity look?

1 more reply

eptcyka2y ago

It is actually very easy to copy some HTML from a legit site for the purposes of a phishing campaign. I don't think improving the web design will help mitigate that, unless you mean moving all rendering to a canvas element and implementing all of the functionality of the site on some obfuscated VM.

drdaeman2y ago

You forgot the DRM requirement, making sure no one can just screenshot the whole canvas ;)

j/k, of course

dangus2y ago

I don't really think that's the problem. Not at all.

The problem is that USPS is an easy mass attack target since nearly 100% of people get mail.

If you want to phish people, you need to cast a wide net, and this one is the widest possible one.

blahyawnblah2y ago

What is their level of tech?

patja2y ago· 4 in thread

Many US government sites now have a clear banner at the top with a US flag and statement declaring "An official website of the United States Government." Some go further and include a link to expose an explanation for "here's how you know" that includes the statement "Official websites use .gov"

None of this appears on www.usps.com. www.usps.gov redirects to www.usps.com. Bare usps.gov does not (goes nowhere)

I wonder how much the phishing would decrease if the USPS website was served on usps.gov with the "an official website" and "how you know" seen on other official US gov't sites.

karaterobot2y ago

I dunno, I think the phishing scammers could just copy the banner and change the "how you know" part to include a big green check mark that says "this site was verified to be the real USPS". I don't think most people who are falling for these phishing scams wouldn't also fall for a fake banner.

patja2y ago

I just think the inconsistency is glaring. Would love to be a fly on the wall of what I expect/hope was a heated debate over why USPS, one of if not the top US government websites used by people in the US, should opt-out of the anti-phishing tactics used by most other US gov't sites.

And for that matter, why does www.usps.gov redirect to the .com rather than vice-versa, and why does the bare usps.gov domain resolve to nothing? Who makes these decisions and how do they result in the opposite of what I (perhaps naively) would expect rational decision-makers to do?

bdw52042y ago

A better solution would be for the government to seize the domains and arrest the scammers impersonating the post office or the IRS or any other governmental entity.

Spivak2y ago

Seize the domains is doable but there's no guarantee the US has jurisdiction where the scammers are.

2 more replies

jrieil2y ago· 2 in thread

I got one of these messages literally moments before seeing this article. I always mark them Delete & Report Junk. It’s been years. Why can’t authorities stop this?

jmclnx2y ago

Maybe because these sites are hosted outside the US ?

But to really stop this, USPS would need o buy all possible domains that start with USPS.*

That can get very expensive that to ICAN. Plus the USPS has no $ due to what Bush II put in place when he was president and the GOP refusing to undoing that change. I believe that was done to bust the union.

kube-system2y ago

> USPS would need o buy all possible domains that start with USPS.*

Also not possible because: subdomains

ChrisArchitect2y ago

[dupe]

Actual report: https://akamai.com/blog/security-research/phishing-usps-mali...

Some more discussion: https://news.ycombinator.com/item?id=40194346

turdprincess2y ago

I recently left town for 1 month and got the post office to hold my mail. It was all delivered in bulk when I came back. Out of the huge bundle of 100 mail pieces, there was only 1 piece of mail that was not trash - a renewed car registration.

So for me, on average, 99% of mail goes right from USPS to the trash - in fact, I would probably pay a few dollars a month for a service which would automatically trash that 99% of mail for me.

That has me asking - what is the point of USPS these days? Is it just packages?

j / k navigate · click thread line to collapse