The Package That Never Shipped: Following a USPS Smishing Kit Through DNS Data
June 15, 2026, 4:15 p.m.
Description
A sophisticated smishing campaign impersonates United States Postal Service (USPS) package delivery notifications via SMS. The kit serves genuine USPS production HTML, CSS, fonts, and images verbatim, including live Google Analytics tags that still fire to USPS infrastructure. It captures victim card data in real time over WebSocket connections: keystrokes are streamed to the server as they are typed, the server performs BIN lookups on the card number, and routing decisions are pushed back to the victim's browser. Starting from a single lure hostname, passive DNS analysis revealed 682 unique lookalike domains across seven Tencent Cloud hosts. A parallel UPS-themed campaign runs on the same infrastructure, and both variants share the internal theme name us_post_ups in their cookies. The operation spans two distinct backends (GoFrame and Spring Boot) while keeping identical real-time exfiltration mechanics and the same Caddy reverse proxy architecture.
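The passive DNS pivot described above (lure hostname to hosting IPs, then to every other hostname resolving to those IPs, repeated until no new IPs appear) is shown below as an added example; it is not code or data from the report. The passive DNS records are constructed: the IPs are TEST-NET placeholders, the two `.test` names are invented, and only the remaining hostnames come from the Indicators list on this page. The `looks_like_kit_label` heuristic is an assumption drawn from the four listed domains (short random-looking letter strings on newer TLDs), not something the report states, and it exists only to separate likely kit domains from ordinary co-tenants on shared hosting.

```python
from collections import defaultdict
import re

# Constructed passive-DNS resolutions (hostname, IP). TEST-NET IPs and the
# *.test hostnames are invented; the other hostnames are this page's indicators.
PDNS_RECORDS = [
    ("usps.xupqnqz.one",        "203.0.113.10"),
    ("xupqnqz.one",             "203.0.113.10"),
    ("xupqrnn.one",             "203.0.113.10"),
    ("xupqrnn.one",             "203.0.113.11"),  # second IP links the two hosts
    ("gwrpfjx.life",            "203.0.113.11"),
    ("track.kqzvbwm.test",      "203.0.113.11"),  # invented, kit-like label
    ("shop.legit-retailer.test","203.0.113.11"),  # invented co-tenant, likely unrelated
    ("www.unrelated.test",      "198.51.100.7"),  # invented, never reached by the pivot
]

VOWELS = set("aeiou")


def registrable_domain(hostname):
    # Naive: last two labels. Production tooling should use the Public Suffix List.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def build_indexes(records):
    """Forward (host -> IPs) and reverse (IP -> hosts) indexes over the records."""
    host_to_ips, ip_to_hosts = defaultdict(set), defaultdict(set)
    for host, ip in records:
        host_to_ips[host].add(ip)
        ip_to_hosts[ip].add(host)
    return host_to_ips, ip_to_hosts


def looks_like_kit_label(label):
    """Assumed heuristic: 6-8 lowercase letters with at most two vowels,
    matching the shape of the domains listed on this page. Tune before relying on it."""
    return re.fullmatch(r"[a-z]{6,8}", label) is not None and sum(c in VOWELS for c in label) <= 2


def pivot(seed_host, records, depth=1):
    """Breadth-first pivot: seed -> its IPs -> every host on those IPs -> their
    other IPs, for `depth` hops. Returns {ip: set of registrable domains}."""
    host_to_ips, ip_to_hosts = build_indexes(records)
    seen_ips, frontier = set(), {seed_host}
    for _ in range(depth):
        new_ips = set()
        for host in frontier:
            new_ips |= host_to_ips.get(host, set())
        new_ips -= seen_ips
        if not new_ips:
            break
        seen_ips |= new_ips
        frontier = set()
        for ip in new_ips:
            frontier |= ip_to_hosts[ip]
    return {ip: {registrable_domain(h) for h in ip_to_hosts[ip]} for ip in seen_ips}


def triage(by_ip):
    """Split pivot results into kit-like domains and everything else (co-tenants)."""
    domains = set().union(*by_ip.values()) if by_ip else set()
    kit_like = sorted(d for d in domains if looks_like_kit_label(d.split(".")[0]))
    other = sorted(domains - set(kit_like))
    return kit_like, other


if __name__ == "__main__":
    found = pivot("usps.xupqnqz.one", PDNS_RECORDS, depth=2)
    for ip, doms in sorted(found.items()):
        print(ip, sorted(doms))
    kit, rest = triage(found)
    print("kit-like:", kit)
    print("verify manually:", rest)
```

With depth=1 only the seed's own IP and its co-hosted domains come back; depth=2 follows xupqrnn.one to its second IP and picks up gwrpfjx.life. Shared hosting means every co-tenant on those IPs lands in the result set, so the heuristic is a triage aid, not a verdict: confirmation still comes from fetching the candidate page and checking for the kit's fingerprints the report describes (the verbatim USPS assets, the Caddy front end, the us_post_ups theme name in cookies).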
Tags
Date
- Created: June 13, 2026, 2:59 a.m.
- Published: June 13, 2026, 2:59 a.m.
- Modified: June 15, 2026, 4:15 p.m.
Indicators
- 8e5546c83d764e1287b55cbe868a45344a6f0afa9782d798d03b2b7cfc53ec38
- 4fe8bec780537aa223406965415c1f85e83eec1f4e2181cf82e2a7b7516026e6
- http://xupqrnn.one/us?__theme_site_ticket=
- https://usps.xupqnqz.one/uqjmw
Additional Information
- usps.xupqnqz.one
- xupqnqz.one
- xupqrnn.one
- gwrpfjx.life