The Package That Never Shipped: Following a USPS Smishing Kit Through DNS Data
Essential information
- Published
- 13/06/2026 04:59
- Modified
- 15/06/2026 16:15
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- cve-2024-6387, dns pivoting, phishing kit, real-time credential capture, smishing, tencent cloud, ups impersonation, usps impersonation, websocket exfiltration
- Tags
- 2026-06-13, CVE-2024-6387, dns pivoting, phishing kit, real-time credential capture, smishing, tencent cloud, ups impersonation, usps impersonation, websocket exfiltration
- Related entities
- 1 vulnerability (CVE), 8 indicators, 8 observables, 21 techniques (MITRE), 4 others
Description
A sophisticated smishing campaign impersonates United States Postal Service (USPS) package delivery notifications via SMS. The kit serves genuine USPS production HTML, CSS, fonts, and images verbatim, including live Google Analytics tags that fire to USPS infrastructure. It captures victim card data in real time over WebSocket connections: keystrokes are streamed to the backend as they are typed, the server performs BIN lookups on the card number, and routing decisions are pushed back to the victim's browser. Starting from a single lure hostname, passive DNS analysis revealed 682 unique lookalike domains across seven Tencent Cloud hosts. A parallel UPS-themed campaign runs on the same infrastructure, and both variants share the internal theme name us_post_ups in their cookies. The operation spans two distinct backends (GoFrame and Spring Boot) while keeping identical real-time exfiltration mechanics and the same Caddy reverse proxy architecture.