My wife got an SMS on her iPhone claiming to be from USPS about an undelivered parcel. She clicked on the link it contained and came to a very good lookalike USPS page. When she asked if I was expecting a parcel, a few bells rang:
No, I was not.
How did they have HER cell number?
Was there a tracking number?
There was a tracking number, but when I entered it on the real USPS site it did not exist.
The URL in the SMS was for XXXusps-rebook.comXXX (without the XXX). A whois search reveals:
Domain name: usps-rebook.com
Registry Domain ID:
Registrar WHOIS Server: whois.eranet.com
Registrar URL: http://www.eranet.com
Updated Date: 2021-08-06T00:00:00Z
Creation Date: 2021-08-06T20:31:55Z
Registrar Registration Expiration Date: 2022-08-06T00:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +852.39995400
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Kerala
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: IN
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email:
http://www.tnet.hk/whois/message_to_contact.php?domain=usps-rebook.com&contact=Owner
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email:
http://www.tnet.hk/whois/message_to_contact.php?domain=usps-rebook.com&contact=Admin
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email:
http://www.tnet.hk/whois/message_to_contact.php?domain=usps-rebook.com&contact=Tech
Name Server: dns1.namecheaphosting.com
Name Server: dns2.namecheaphosting.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
So the website was created just hours ago in Hong Kong, with a 352 (Hong Kong) area code, by an Indian registrant, and is hosted in Los Angeles.
It looks like a simple phishing expedition, but…
Here’s the question for the security experts: how do you identify any payload in the SMS or the website? My wife’s iPhone 11 is on 14.7.1, so I hope it is fairly secure.
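As an added example (not part of the post above), here is a small triage script that parses the key fields of the quoted WHOIS record and raises the red flags the post itself points at: a domain registered hours before the SMS, the minimum one-year term, a carrier brand embedded in a lookalike name, and a registrant country that does not match that carrier. The WHOIS excerpt and the observation time are constructed from the post; the brand/home-country table is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of the WHOIS record quoted in the post (not a live lookup).
WHOIS_RECORD = """\
Domain name: usps-rebook.com
Registrar: ERANET INTERNATIONAL LIMITED
Creation Date: 2021-08-06T20:31:55Z
Registrar Registration Expiration Date: 2022-08-06T00:00:00Z
Registrant Country: IN
Name Server: dns1.namecheaphosting.com
DNSSEC: unsigned
"""
# Assumed time the SMS was seen; the post only says the domain was created "hours ago".
OBSERVED_AT = datetime(2021, 8, 7, 2, 0, tzinfo=timezone.utc)
# Assumed table: carriers that parcel-themed smishing impersonates and their home country.
BRAND_HOME = {"usps": "US", "fedex": "US", "ups": "US", "dhl": "DE"}


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lower-cased keys (last value wins)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record


def parse_ts(value):
    """WHOIS timestamps end in 'Z'; fromisoformat needs an explicit UTC offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(text, observed_at=OBSERVED_AT):
    """Return {flag: reason} for the signals a defender would raise on this record."""
    rec = parse_whois(text)
    flags = {}
    label = rec.get("domain name", "").lower().rsplit(".", 1)[0]  # e.g. 'usps-rebook'
    created = parse_ts(rec["creation date"])
    age_h = (observed_at - created).total_seconds() / 3600
    if age_h < 24 * 7:
        flags["new_domain"] = f"registered {age_h:.1f} hours before the message was seen"
    expires = parse_ts(rec["registrar registration expiration date"])
    if (expires - created).days <= 366:
        flags["short_term"] = "registered for the minimum one-year term only"
    for brand, home in BRAND_HOME.items():
        # brand as a whole hyphen-separated token, but not the carrier's own domain
        if label != brand and re.search(rf"(^|-){brand}(-|$)", label):
            flags["brand_lookalike"] = f"'{label}' embeds the {brand.upper()} brand name"
            if rec.get("registrant country", home) != home:
                flags["registrant_country"] = f"registrant country {rec['registrant country']} is not {home}"
    return flags
```

Running `triage(WHOIS_RECORD)` on the quoted record raises all four flags; the real usps.com record, being decades old and registered to the brand itself, raises none.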