During the past two weeks, URLAbuse closely monitored the ongoing postal service phishing campaigns targeting more than 50 postal services (including national posts and private companies) worldwide.
This phishing campaign targets more than 50 brands (USPS, SwissPost, La Poste, etc...) all related to posting services and package deliveries. The infrastructure used in all attacks is the same suggesting either that attack is performed by a single actor (or a group of actors) or a phishing-as-a-service infrastructure.
During the past two weeks, URLAbuse detected approximately 5,000 domain names registered by phishers by only monitoring 20 new gTLDs.
* NOTE: All the following statistics and percentages are based on the first 5,000 observed domain names in this phishing campaign
Brand-Wise Phishing Analysis:
Our data reveals that USPS has been the most heavily targeted brand, accounting for a staggering 63% of all phishing attempts related to postal services. Following USPS (United States Postal Service), Correos (Spain's national postal service) and Evri (UK-based parcel delivery company) ranked second and third in terms of frequency.
| # | Target | % |
|---|---|---|
| 1 | USPS | 62.8 |
| 2 | Correos | 5.2 |
| 3 | EVRi | 5.0 |
| 4 | Ecuador Post | 3.4 |
| 5 | Turkish Post | 2.5 |
| 6 | INPOSDOM | 2.4 |
| 7 | SwissPost | 2.1 |
| 8 | Canada Post | 1.9 |
| 9 | Others | 14.7 |
This distribution suggests that cybercriminals are focusing heavily on major postal services in United States.
TLD Analysis:
It is not surprising at all that .TOP TLD (as the name suggests) is at the top of the list of malicious domains as always by having the most number of malicious domains registered by phishers followed by, .CFD, .XYZ and, .BUZZ.
The following table shows the top 5 malicious TLDs with the largest number of malicious registrations in this campaign.
| # | TLD | % of domain name registrations |
|---|---|---|
| 1 | .top | 70.1% |
| 2 | .cfd | 13.7% |
| 3 | .xyz | 7.3% |
| 4 | .buzz | 3.3% |
| 5 | .icu | 1.9% |
| 6 | others | 3.7 |
Also see: ICANN Issued Breach Notice to .TOP Registry After URLAbuse Complaint
Registrar Insights:
It comes as no surprise that Alibaba Registrar (IANA ID: 3775) has the highest number of phishing domain registrations, leading the list by a large margin. Following closely are NameSilo (IANA ID: 1479) and Gname.com (IANA ID: 1923).
| # | Registrar | IANA ID | % Registration |
|---|---|---|---|
| 1 | Dominet (HK) Limited (ALIBABA.COM) | 3775 | 69% |
| 2 | NameSilo, LLC | 1479 | 19% |
| 3 | Gname.com Pte. Ltd | 1923 | 7.3% |
| 4 | Web Commerce Communications Limited dba WebNic.cc | 460 | 2.7% |
| 5 | Others | - | 2% |
URLAbuse continues to track the campaign and notifying registries and registrars by providing all the necessary actionable evidence. The complete dataset (including MISP objects and screenshots) is also publicly available on our website, receiving updates every 5 minutes and We is sharing this data with ICANN, law enforcement agencies, and national CERT teams worldwide.
This article is not complete, and we will update it in the future.
For any inquiries, please contact us at team[at]urlabuse.com.
Comments