As it gets harder for cybercriminals to bypass business email compromise (BEC) defenses, some hackers are switching from email scams to real-mail cons.
Researchers at Flashpoint said they are monitoring hacker forums where criminals are swapping tips on a growing ID theft and financial crime area, which entails abusing the United States Postal Service.
The scam involves making bogus change-of-address or mail-forwarding requests on behalf of unsuspecting victims. The abuse of USPS mail forwarding can facilitate credit-card fraud and numerous forms of identity theft, wrote Abigail Showman, a researcher with Flashpoint, in a recent post.
She warns that, similar to a phishing or BEC attack, a snail-mail forwarding scam can do just as much harm. Threats range from obtaining a line of credit on an unsuspecting victim’s behalf, insurance fraud and intercepting a tax return, to hijacking an existing financial account and synthetic ID theft.
“Flashpoint analysts have identified numerous discussions on closed and invite-only online communities where threat actors advertise methods and paid services that are earmarked for fraud,” Showman said. “Many of these individuals are careful to shield their location, but the majority of these discussions are about the U.S. Postal Service, with a limited number of references to the United Kingdom’s Royal Mail.”
Showman acknowledged that generic scams tied to forwarding mail aren’t new. However, she said, a laser focus by cybercriminals on ID theft and financial crimes online has piqued interest among a new breed of criminals willing to also dabble in offline crimes.
An example of such an attack surfaced just last week in a “Dear John” article in the New York Post. A Florida victim said their email had been surreptitiously forwarded to Philadelphia.
“The thieves got a checking account statement and ordered new checks sent to their address. They applied for credit cards and other charge accounts,” wrote the victim, “F.J.,” to the N.Y. Post.
According to the report, when F.J. sought assistance from the United States Postal Service Office of Inspector General, the response was unsatisfactory. “The inspector general’s office in Washington, D.C., was useless. It had zero interest in investigating, let alone prosecuting,” F.J. wrote.
The U.S. Postal Inspection Service told Threatpost it has a number of safeguards in place to prevent this type of incident.
“Similar to other companies, the Postal Service’s information security program, and our federal law enforcement arm, Postal Inspection Service, use industry best practices and technology solutions to protect our customers,” wrote USPS.
It added that it does not publicly discuss security protocols, “in an effort to preserve their effectiveness and to avoid compromise.”
In an interview with Threatpost, Showman said mail-forwarding fraud is either perpetrated online via forms available on USPS.com, or physically at a post office.
“In both cases, following the mail forwarding/permanent change of address the USPS sends a confirmation to the original address. If individuals suspect that this change was made fraudulently, they can contact the USPS before the change goes into effect,” she said.
Online, she noted, individuals must create an account and provide contact information as well as pay a nominal fee when conducting a change of address. When Threatpost walked through the process, one of the safeguards was ensuring that the billing address on the credit card used to pay the fee matched the original address of the mail to be forwarded.
Flashpoint recommends opting for paperless versions of bank statements and other official documents to reduce the odds of being hit by an attack. “Individuals should also monitor their credit report for unusual activity that may indicate a threat actor has fraudulently opened a line of credit,” Showman said.
One obvious tip is, if you suddenly stop getting mail, give the USPS a call and ask why.