So, I went to the USPS the other day to drop off a few packages. While I was there, I inquired about PO Boxes. The clerk handed me a pamphlet with details about how to apply for a PO Box. The pamphlet didn’t list any prices, though, and instead tells customers to visit a website for pricing info:
Seems like a nifty little domain name someone involved in marketing came up with. I first visited the site on my mobile device and got this:
That’s weird, why is the website calling me a ‘UPS Customer’, when I’m visiting a website the USPS told me to visit? While I use Firefox with uBlock Origin ‘locked-down’ pretty tightly @ ads, redirects, etc., uBlock Origin still allowed that fake site through and the redirect to take place. Also, look at the address bar — I’m not at ‘yourotheraddress dot com’ anymore, I’m at some ‘survey’ website. Neat!
When I try visiting that page on an actual computer, using Firefox with NoScript and uBlock Origin, I get the following:
Someone’s clearly tried to make the page look like an ‘official’ shipping website, but that’s a pretty janky-looking website — and definitely not the USPS’.
Keeping JavaScript blocked, the site still redirects to the following landing/parked page:
And finally, if I enable JavaScript, the site is able to load its remaining content, and uBlock Origin then detects the ad site doubleclick dot net:
So who owns this domain name? Not the USPS. If I do a whois lookup on the domain, it’s registered at a domain registrar in Shanghai and the server is located in Australia:
While I didn’t detect any immediate malware from these redirects, this is a pretty serious issue. The USPS registered a domain name to use for advertising purposes. In 2011, they forgot to (or just didn’t) renew the domain. Someone else came along and bought it, taking over ownership. That new owner has created a fake shipping website to try to make it look like what visitors expect when they’re told to go there by the USPS. Ads lead to malware, but more importantly, the owner of this domain can redirect visitors anywhere they’d like.
So due to the USPS neglecting to keep hold of a domain name they used in advertising, they’ve created a bit of a security hole and are putting customers at risk.
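A check an organization could run over the domains it prints in its own materials, shown here as an added example that is not part of the original post: it parses WHOIS text and flags a name that was registered after it first appeared in print, sits at an unapproved registrar, or is close to expiry. The domain names, registrar names, dates and WHOIS records below are all constructed for illustration.

```python
import re
from datetime import date, datetime

# Constructed inventory: domains an organization prints in its own materials,
# mapped to the date each first appeared in print (all values are made up).
INVENTORY = {"promo-domain.example": date(2008, 5, 1),
             "main-site.example": date(2001, 3, 15)}
APPROVED_REGISTRARS = {"Example Corporate Registrar, Inc."}  # assumption

# Constructed WHOIS responses in the common "Label: value" layout.
WHOIS = {
    "promo-domain.example": (
        "Domain Name: PROMO-DOMAIN.EXAMPLE\n"
        "Registrar: Example Reseller Registrar Ltd.\n"
        "Creation Date: 2011-09-02T04:11:09Z\n"
        "Registry Expiry Date: 2026-09-02T04:11:09Z\n"),
    "main-site.example": (
        "Domain Name: MAIN-SITE.EXAMPLE\n"
        "Registrar: Example Corporate Registrar, Inc.\n"
        "Creation Date: 1999-07-20T00:00:00Z\n"
        "Registry Expiry Date: 2026-02-01T00:00:00Z\n"),
}
LABELS = {"registrar": "Registrar", "created": "Creation Date",
          "expires": "Registry Expiry Date"}

def parse_whois(text):
    """Pull registrar, creation date and expiry date out of WHOIS text."""
    rec = {}
    for key, label in LABELS.items():
        m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", text, re.M | re.I)
        rec[key] = m.group(1) if m else None
    for key in ("created", "expires"):
        if rec[key]:  # keep only the YYYY-MM-DD part of the timestamp
            rec[key] = datetime.strptime(rec[key][:10], "%Y-%m-%d").date()
    return rec

def audit(domain, today, warn_days=90):
    """Return findings for one inventoried domain; a missing field is a finding."""
    rec, findings = parse_whois(WHOIS[domain]), []
    if rec["registrar"] not in APPROVED_REGISTRARS:
        findings.append("registrar-not-approved")
    # A creation date later than first publication indicates the name lapsed
    # and was registered again, possibly by someone else.
    if rec["created"] is None or rec["created"] > INVENTORY[domain]:
        findings.append("registered-after-first-publication")
    if rec["expires"] is None or (rec["expires"] - today).days < warn_days:
        findings.append("expiry-within-warning-window")
    return findings

if __name__ == "__main__":
    for name in INVENTORY:
        print(name, audit(name, today=date(2026, 1, 10)))
```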
I contacted the USPS directly by phone and they referred me to a customer service department. I was told this new department would be able to look into this and get to the bottom of it. That wasn’t the case though. When I spoke with customer service, they were a bit confused as to what I was explaining and simply asked that I go back to the USPS office where I was first handed the pamphlet, to let them know about the issue.
I tweeted USPS about this as well, but never heard back:
@usps – It appears a domain your docs refers customers to for PO Boxes, has been hijacked -> https://t.co/TfpYJaYLwR pic.twitter.com/SI5OgLoeJz
— The Computer Peeps (@computerpeeps) April 21, 2016
Since the USPS isn’t taking ownership of this issue and since they’re relying on me, a customer, to go around to each of the local post offices to tell them about this, there’s really nothing I can do other than bring this to the attention of those who utilize the USPS — specifically, anyone who inquires about a PO Box and wants to find out how much one costs.
The moral of this story — big companies, even the government, make major mistakes and let simple things fall through the cracks, putting individuals at risk.