Last Updated: 2023-07-30 15:33:55 UTC
by Johannes Ullrich (Version: 1)
Phishing scams have frequently arrived as an SMS message (sometimes called "Smishing"). SMS messages are easy and cheap to send, and we have documented how attackers like to scan for exposed credentials for services like Twilio to make it even cheaper.
But today, I received a message on my Apple devices that didn't arrive as a green SMS, but instead as a blue iMessage.
As I always do, I clicked on the link on my Mac. But I was immediately redirected to the legitimate USPS page (usps.com). It didn't matter if I used Safari or Chrome on macOS. So I tried Safari on my iPhone and was directed to the phishing page.
The page appears to attempt to collect credit card numbers. I didn't feel charitable enough to provide a real credit card number, so I am unsure if it would ask for any additional information.
The main domain (deliverocy.com) does not resolve. I did try a few other hostnames (FedEx, www, ups...), but no other hostname resolved. +639468743057 is a number in the Philippines. I did try a FaceTime call, but nobody picked up :(
The site's '/admin' URL presents a login screen for some kind of admin system. The background image appears to come from "Ghostblade". The admin part of the site did not restrict the user-agent like the phishing part of the site.
Restricting access to the phishing site to specific user agents may help in keeping the phishing site up. A casual test of the URL will only redirect to the legitimate USPS website, which may trick an ISP's abuse department into believing that this is not a phishing page.
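One way an abuse analyst can avoid being fooled by this kind of user-agent cloaking is to fetch the URL with several User-Agent strings and compare where each request finally lands. This is an added example, not code from the diary; the User-Agent strings are constructed, and the sample hostnames used in the test are placeholders.

```python
import urllib.request
import urllib.error
from urllib.parse import urlsplit

# Constructed User-Agent strings: a desktop browser, a phone browser and a
# plain command-line client, since a cloaked site may treat each differently.
USER_AGENTS = {
    "desktop_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 "
                      "(KHTML, like Gecko) Version/16.5 Safari/605.1.15",
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1",
    "curl": "curl/8.1.2",
}


def final_destination(url, user_agent, timeout=10):
    """Follow redirects for `url` with the given User-Agent and return the
    hostname of the final response, or None if the fetch failed entirely."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return urlsplit(resp.geturl()).hostname
    except urllib.error.HTTPError as err:
        # A 4xx/5xx still tells us where the redirect chain ended.
        return urlsplit(err.geturl()).hostname
    except (urllib.error.URLError, OSError):
        return None


def cloaking_verdict(results):
    """results maps a User-Agent label to the final hostname it reached.
    Returns (is_cloaked, distinct_hosts): the URL is treated as cloaked when
    different User-Agents end up on different hosts."""
    hosts = {host for host in results.values() if host is not None}
    return len(hosts) > 1, sorted(hosts)


def check_url(url):
    """Fetch `url` once per User-Agent and report whether the destinations differ."""
    results = {label: final_destination(url, ua) for label, ua in USER_AGENTS.items()}
    return cloaking_verdict(results)
```

Run `check_url()` against a reported link from an analysis host; a verdict of `(True, [...])` means at least two clients were sent to different sites, which is exactly the pattern a single casual browser test would miss.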