
USPS Directing Customers To A Fake Website

USPS Hijacked Domain

So, I went to the USPS the other day to drop off a few packages. While I was there, I inquired about PO Boxes. The clerk handed me a pamphlet with details about how to apply for a PO Box. The pamphlet didn’t list any prices, though, and instead tells customers to visit a website for pricing info:

[Image: USPS Hijacked Domain]

Seems like a nifty little domain name someone involved in marketing came up with.  I first visited the site on my mobile device and got this:

[Image: Fake Website]

That’s weird, why is the website calling me a ‘UPS Customer’, when I’m visiting a website the USPS told me to visit? While I use Firefox with uBlock Origin ‘locked-down’ pretty tightly @ ads, redirects, etc., uBlock Origin still allowed that fake site through and the redirect to take place. Also, look at the address bar — I’m not at ‘yourotheraddress dot com’ anymore, I’m at some ‘survey’ website. Neat!

When I try visiting that page on an actual computer, using Firefox with NoScript and uBlock Origin, I get the following:

[Image: Fake Shipping Website]

Someone’s clearly tried to make the page look like an ‘official’ shipping website, but that’s a pretty janky-looking website — and definitely not the USPS’.

Keeping JavaScript blocked, the site still redirects to the following landing/parked page:

[Image: ‘yourotheraddress’ Landing Page]

And finally, if I enable JavaScript, the site is able to load its remaining content, at which point uBlock Origin detects the ad site doubleclick dot net:

[Image: USPS Redirecting to Ad Sites]

So who owns this domain name?  Not the USPS.  If I do a whois lookup on the domain, it’s registered at a domain registrar in Shanghai and the server is located in Australia:

[Image: USPS Domain Lost & Re-Registered in Shanghai]

While I didn’t detect any immediate malware from these redirects, this is a pretty serious issue.  The USPS registered a domain name to use for advertising purposes.  In 2011, they forgot to (or just didn’t) renew the domain.  Someone else came along and bought it, taking over ownership.  That new owner has created a fake shipping website to try and make it look like what visitors expect, when they’re told to go there by the USPS.  Ads lead to malware, but more importantly, the owner of this domain can redirect visitors to anywhere they’d like.

So due to the USPS neglecting to keep hold of a domain name they used in advertising, they’ve created a bit of a security hole and are putting customers at risk.

I contacted the USPS directly by phone and they referred me to a customer service department.  I was told this new department would be able to look into this and get to the bottom of it.  That wasn’t the case though.  When I spoke with customer service, they were a bit confused as to what I was explaining and simply asked that I go back to the USPS office where I was first handed the pamphlet, to let them know about the issue.

I tweeted USPS about this as well, but never heard back.

Since the USPS isn’t taking ownership of this issue and since they’re relying on me, a customer, to go around to each of the local post offices to tell them about this, there’s really nothing I can do other than bring this to the attention of those who utilize the USPS — specifically, anyone who inquires about a PO Box and wants to find out how much one costs.

The moral of this story — big companies, even the government, make major mistakes and let simple things fall through the cracks, putting individuals at risk.
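For an organization that prints domain names on pamphlets, the lapse described above can be caught by auditing WHOIS data for every domain it has ever published. The following is an added example, not part of the original post: it checks constructed WHOIS records for an unapproved registrar, a creation date later than the material's first publication (the sign of a drop and re-registration), and an approaching expiry. The domains, registrar names, approved-registrar list and `first_published` date are assumptions; the field names follow common gTLD WHOIS output.

```python
from datetime import datetime, timedelta, timezone

# Constructed WHOIS responses ("Key: value" lines); not real records.
SAMPLE_WHOIS = {
    "promo-one.example": """Domain Name: PROMO-ONE.EXAMPLE
Registrar: Approved Registrar Inc.
Creation Date: 2008-03-01T00:00:00Z
Registry Expiry Date: 2030-03-01T00:00:00Z
""",
    "promo-two.example": """Domain Name: PROMO-TWO.EXAMPLE
Registrar: Unknown Registrar Ltd.
Creation Date: 2011-09-15T00:00:00Z
Registry Expiry Date: 2026-09-15T00:00:00Z
""",
}

def parse_whois(text):
    """Return a dict of lower-cased field name -> first value seen."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def parse_date(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_domain(whois_text, first_published, approved_registrars, now, warn_days=60):
    """first_published: when the domain first appeared in the org's material (assumed known)."""
    f = parse_whois(whois_text)
    findings = []
    if f.get("registrar") not in approved_registrars:
        findings.append("registrar-not-approved")
    created = f.get("creation date")
    # A registration newer than the printed material means the name lapsed and was re-registered.
    if created and parse_date(created) > first_published:
        findings.append("re-registered-after-publication")
    expiry = f.get("registry expiry date")
    if expiry is None:
        findings.append("no-expiry-date")
    elif parse_date(expiry) - now < timedelta(days=warn_days):
        findings.append("expiring-or-expired")
    return findings
```

Any domain that returns a finding should be pulled from printed material until ownership is confirmed.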

Why Can’t Vendors Admit To Shortcomings?

Payment Logistics Static IP Only

tl;dr – Payment Logistics requires ‘advanced’ network setup, which you are responsible for.

I was on the phone with a tech from Payment Logistics, one of the CC processors that Liberty integrates with, along with a client. To make a long story short, their credit card terminals only work when they have static IP addresses assigned – they do not support DHCP. This means each terminal has to be manually configured.

For any SysAdmins or techs out there, you are likely already seeing the shortcomings here.  The device should be able to connect to the network and obtain an IP address via DHCP — IP address management can be managed centrally in the router, thus lifting the burden off of the customer.

By requiring each terminal to have a static IP, you put the burden on the end-user.  If anything changes — e.g. they get a new router — ALL of the credit card terminals have to be reconfigured.

When I pointed out this shortcoming to Payment Logistics, they got defensive and started asking, “What do you know about PA-DSS?”  “What do you know…” — a great way to show you’re more interested in stroking your ego vs. dealing with facts.  After a period of time on the phone, the end-user was calling out which menu options he saw and lo and behold, it has DHCP.  When I asked the Payment Logistics tech why we can’t just use DHCP, he said their terminals currently only work with a static IP, but they have a new version in beta which will support DHCP.

So we took the loooooooong way around them simply stating, “Yes, right now our terminals only support static IPs, which we realize is enough of a shortcoming that we’re adding DHCP functionality and it’s currently in beta.”  Instead of just saying that, they tried to ‘protect’ themselves and get into a pissing contest.

As of right now, I can’t faithfully recommend Payment Logistics to our clients who are running Liberty, as this puts a tremendous amount of burden on the end-user and it’s an obvious shortcoming.  Did Liberty/Resaleworld tell you all of this before they recommended this credit card processor?  Did they go over the amount of work and burden it puts on you?  I’m sure all of you have SysAdmins out there or know how to manually configure your devices’ IP address settings, right?
