Yet another scam?

My wife got an SMS on her iPhone claiming to be from USPS about an undelivered parcel. She clicked on the link it contained and came to a very good lookalike USPS page. When she asked if I was expecting a parcel a few bells rang.
No, I was not.
How did they have HER cell number?
Was there a tracking number?

There was a tracking number, but when I entered it on the real USPS site it did not exist.

The URL in the SMS was for (without the XXX) XXXusps-rebook.comXXX. A whois search reveals:

Domain name: usps-rebook.com
Registry Domain ID:
Registrar WHOIS Server: whois.eranet.com
Registrar URL: http://www.eranet.com
Updated Date: 2021-08-06T00:00:00Z
Creation Date: 2021-08-06T20:31:55Z
Registrar Registration Expiration Date: 2022-08-06T00:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +852.39995400
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Kerala
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: IN
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email:
http://www.tnet.hk/whois/message_to_contact.php?domain=usps-rebook.com&contact=Owner
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email:
http://www.tnet.hk/whois/message_to_contact.php?domain=usps-rebook.com&contact=Admin
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email:
http://www.tnet.hk/whois/message_to_contact.php?domain=usps-rebook.com&contact=Tech
Name Server: dns1.namecheaphosting.com
Name Server: dns2.namecheaphosting.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

So the website was created just hours ago in Hong Kong, with a 352 (Hong Kong) area code, by an Indian registrant, and is hosted in Los Angeles.
It looks like a simple phishing expedition but…

Here’s the question for the security experts…how do you identify any payload in the SMS or the website? My wife’s iPhone 11 is on 14.7.1 so I hope it is fairly secure.
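The checks the first post makes by hand against the WHOIS record (how recently the domain was registered, and that it carries the USPS name without being usps.com), written out as an added Python example that is not part of the thread. The time the SMS was received and the 30-day age threshold are assumptions of this example.

```python
from datetime import datetime, timezone

# Excerpt of the WHOIS record quoted in the post above.
WHOIS_TEXT = """\
Domain name: usps-rebook.com
Updated Date: 2021-08-06T00:00:00Z
Creation Date: 2021-08-06T20:31:55Z
Registrar: ERANET INTERNATIONAL LIMITED
Registrant Name: REDACTED FOR PRIVACY
Name Server: dns1.namecheaphosting.com
Name Server: dns2.namecheaphosting.com
"""

def parse_whois(text):
    """Return {field: [values]}; fields such as Name Server repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def domain_age_hours(record, observed):
    created = datetime.strptime(record["creation date"][0], "%Y-%m-%dT%H:%M:%SZ")
    return (observed - created.replace(tzinfo=timezone.utc)).total_seconds() / 3600

def is_lookalike(domain, brand, official):
    """True when the brand name appears in a domain that is not the brand's own."""
    domain = domain.lower().rstrip(".")
    owned = domain == official or domain.endswith("." + official)
    return brand in domain and not owned

def triage(text, observed, brand="usps", official="usps.com", max_age_days=30):
    # max_age_days=30 is an assumed threshold, not a value from the thread.
    record = parse_whois(text)
    domain = record["domain name"][0]
    findings = []
    age = domain_age_hours(record, observed)
    if age < max_age_days * 24:
        findings.append(f"registered {age:.1f} hours before the message")
    if is_lookalike(domain, brand, official):
        findings.append(f"contains '{brand}' but is not {official}")
    return findings

if __name__ == "__main__":
    # Assumed time the SMS was received; the post only says "hours ago".
    seen = datetime(2021, 8, 7, 12, 0, tzinfo=timezone.utc)
    for finding in triage(WHOIS_TEXT, seen):
        print("-", finding)
```

Either finding on its own is a reason to type the tracking number into the carrier's real site rather than follow the link.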

Sorry to hear, the scammers are everywhere. If it were an e-mail, usually companies have an e-mail address where you can forward the message (with headers) for them to investigate. But an SMS? Don’t have a clue. But I’d report them to the company hosting their fake website, who might just take the site down.

Thanks for your reply. I agree, scammers are everywhere. What interests me though is the use of SMS here. I am not aware of tools like Little Snitch or Malwarebytes for iOS. Basically I am not at all well versed in security on iOS and was looking for some leads.

Never click on links.

Again, never click on links.

If you’re not expecting a package there is zero reason to click, so just delete it. And if you are expecting a package, look up the tracking number of the package and enter that into the shipper’s web form directly (e.g. usps.com or ups.com). Again, it’s safe to delete the SMS since even when it’s legitimate you’ve already got the information you need without clicking on any links.


Did the scam have any personally identifying information other than the phone number (e.g. her or your name or an address?) If not, then it was probably a message spammed out to every single phone number in a large block of numbers (e.g. 555-123-****). No different from a telemarketing/scam phone call.

Actually, there is now a Malwarebytes for iOS just introduced with facts and AppStore link at Malwarebytes for iOS, but currently only available in these locations. There are bound to be some rough spots and it will take time to roll out to the world.


A quick update on that fake USPS site hosted by Namecheap.

El Reg had this article today:-