Eight Distinct USPS Phishing Domains Live In Our IOC Feed Right Now. The Tracking-Number Scam Is The Consumer's Megalodon.
- Patrick Duggan
- 5 minutes ago
- 4 min read
DugganUSA's multi-axis brand-impersonation watch list put globaluspslogistics.com in the top tier this morning at composite confidence 0.85, single-axis pattern-49 detection. The watch list is the synthesis layer; the IOC index is the raw substrate. A quick cross-query against the substrate returns eight distinct USPS-themed phishing infrastructures currently live in our feed, all sourced from OpenPhish's automated detection pipeline, all classified as active phishing, all running on different second-level domains so a single takedown breaks only one.
The eight, in no particular order: usps.bzukc.life/pay/, usps.delayed.help/cJV, usps.xyzlv.life/pay, uspss.pages.dev/entreg/loginaction_input, uspstracx.com, pelicanaviation.in/web3/USPS-dashboard.html, usps.world/, and usps-com.cfd/. The Cloudflare Pages subdomain — uspss.pages.dev — is particularly interesting because it lives on Cloudflare's own developer-hosting platform, which means takedown coordination has to go through Cloudflare's abuse process rather than a third-party registrar. The other seven are scattered across new top-level domains — .life, .help, .cfd, .world — that registrars route through abuse-response processes of varying competence. The eight are not one coordinated operation run by a single party. They are eight independent operators running the same playbook because the playbook works.
The playbook
The consumer-facing variant of the USPS phishing playbook is one of the highest-conversion phishing structures currently operating against the American consumer market. The text message arrives on the target's personal phone, claims to be from USPS, references a held parcel or a missed delivery, and includes a tracking number and a link. The link resolves to a page that imitates USPS's mobile delivery-status interface, asks the target to confirm address and pay a small redelivery fee — typically a couple of dollars — and harvests the credit card number, the billing zip, the CVV, and the OTP from the bank's friction-prevention SMS. The harvested credit card data ends up on a credit-card-as-a-service marketplace within hours of the harvest. The OTP gets used in parallel during the harvest window to authorize a higher-value transaction or to push-clone the credit card onto a different device's wallet.
The conversion rate on the USPS variant is high because the target is, statistically, expecting a package. The American consumer averages multiple active shipments at any given time. The phish has to compete only with the target's brief moment of cognitive friction between "is this real" and "wait it might be that thing I ordered from the small Etsy seller last week." The friction loses at scale because the cost of the small redelivery fee — five or six dollars — is below the threshold at which most consumers verify provenance, while the harvested card data converts to substantially larger downstream fraud.
Why the watch list flagged this one
globaluspslogistics.com was not among the eight phishing pages listed above. It was in the watch list because the multi-axis detector noticed brand-shape impersonation at the domain registration layer rather than the active-phish layer. The name pattern — global + usps + logistics + .com — is a domain composition that the United States Postal Service itself would not register, and it is constructed exactly the way a phishing operator constructs a credibility-borrowed domain. The watch list flagged it before any active phishing infrastructure landed on the domain itself. That is the asymmetric edge — surfacing the operator's preparation phase rather than waiting for the active campaign.
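As an added example (not DugganUSA's multi-axis detector, whose scoring the post does not describe), here is a domain-layer brand-composition check that scores the "brand token plus credibility affix" pattern described above and generalizes it to the brand-as-subdomain shape used by several of the eight live hosts. The affix list, the two-entry suffix table and the 0-100 point values are assumptions.

```python
import re
from urllib.parse import urlsplit

BRAND_RE = re.compile(r"usps{1,2}")   # brand token, or the doubled-s typo variant (uspss)
# Credibility-borrowing affixes seen next to the brand token (assumed, illustrative list).
AFFIXES = {"global", "logistics", "tracking", "track", "delivery", "parcel", "pay", "com", "help"}
# Tiny stand-in for the Public Suffix List: platforms whose subdomains belong to tenants.
MULTI_LABEL_SUFFIXES = {"pages.dev", "github.io"}
LEGIT_APEX = {"usps.com"}             # the only apex the brand actually operates

def host_of(target: str) -> str:
    """Accept a bare host, host/path or full URL; return the lowercase hostname."""
    if "//" not in target:
        target = "//" + target
    return (urlsplit(target).hostname or "").rstrip(".")

def registrable(host: str) -> str:
    """Registrable domain (eTLD+1) using the tiny suffix table above."""
    labels = host.split(".")
    n = 3 if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def brand_shape(target: str) -> dict:
    """Score (0-100) how strongly a hostname borrows the USPS brand shape at the
    domain layer, with the reasons listed so an analyst can see why it fired."""
    host = host_of(target)
    apex = registrable(host)
    if apex in LEGIT_APEX:
        return {"host": host, "score": 0, "reasons": ["legitimate apex"]}
    score, reasons = 0, []
    apex_label = apex.split(".")[0]
    # Brand inside the registrable label (globaluspslogistics, uspstracx, usps-com).
    if BRAND_RE.search(apex_label):
        score += 50
        reasons.append(f"brand token in registrable label '{apex_label}'")
        affixes = [t for t in re.split(r"usps{1,2}|[-_]", apex_label) if t in AFFIXES]
        if affixes:
            score += 20
            reasons.append(f"credibility affixes {affixes}")
    # Brand as a subdomain of an unrelated apex (usps.bzukc.life, usps.delayed.help).
    sub_labels = host[: -len(apex)].rstrip(".").split(".") if host != apex else []
    if any(BRAND_RE.fullmatch(label) for label in sub_labels):
        score += 50
        reasons.append(f"brand used as subdomain of unrelated apex '{apex}'")
    # A brand token that lives only in the URL path (pelicanaviation.in/web3/USPS-dashboard.html)
    # is invisible at this layer by design; catching it is the active-phish layer's job.
    return {"host": host, "score": min(score, 100), "reasons": reasons}
```

Running it over the domains named in this post ranks globaluspslogistics.com and usps-com.cfd highest (brand plus affix), scores the subdomain and typo variants at 50, leaves tools.usps.com at zero, and, as the last comment notes, cannot see the path-only pelicanaviation.in case.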
The operator who registered globaluspslogistics.com is, statistically, going to do one of three things with it in the next thirty days: stand up a USPS-branded phishing page identical in structure to the eight already live in the feed; resell the domain to another operator for the same purpose; or let it sit aged for ninety days before activating it to improve credibility scoring on registration-age-aware reputation systems. All three outcomes are net-negative for the consumer who eventually receives a text message containing the link.
What defenders and consumers should do tonight
For any organization with employees whose corporate access is gated by an MFA factor that uses the employee's personal phone, the practical action tonight is: warn employees by Monday morning that USPS-themed delivery-fee phishing is at active-market scale, that the campaign uses both SMS and email vectors, and that the legitimate United States Postal Service does not charge redelivery fees by text. For consumers personally, the structural rule is that an unexpected text containing a tracking number, a small payment request, and a sense of urgency is the modal phishing shape of 2026 — closing the message and going directly to the carrier's app to verify is the only durable defense.
For DugganUSA customers consuming our STIX feed, the eight live infrastructures are already in the feed with phishing classification and OpenPhish provenance, ready to be deny-listed at the SEG, the DNS resolver, and the corporate web proxy. The receipt is timestamped. The watch list will surface the next eight before they fire.
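Added example, not DugganUSA's feed tooling: parse STIX 2.1 indicator patterns for four of the hosts above from a constructed bundle, then emit RPZ rules for the DNS resolver and a URL list for the web proxy. The bundle wrapper, placeholder id, zone origin and the single-expression pattern regex are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX 2.1 bundle excerpt (placeholder id; only the fields read below are present)
# carrying four of the eight hosts named in the post.
FEED = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
                   "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[url:value = 'https://usps.bzukc.life/pay/']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[url:value = 'https://uspss.pages.dev/entreg/loginaction_input']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'uspstracx.com']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[url:value = 'https://pelicanaviation.in/web3/USPS-dashboard.html']"},
]})

# Single comparison expressions only; compound patterns (AND/OR, FOLLOWEDBY) are skipped.
PATTERN_RE = re.compile(r"\[(url|domain-name):value\s*=\s*'([^']+)'\]")

def split_indicators(bundle_json: str) -> dict:
    """Return {'hosts': [...], 'urls': [...]} from url and domain-name indicators.
    URLs keep their path for the web proxy list; DNS can only act on the host."""
    out = {"hosts": [], "urls": []}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if not m:
            continue
        kind, value = m.groups()
        host = urlsplit(value).hostname if kind == "url" else value
        if not host:
            continue
        if kind == "url":
            out["urls"].append(value)
        if host.lower() not in out["hosts"]:
            out["hosts"].append(host.lower())
    return out

def rpz_records(hosts: list, origin: str = "phish.rpz.local") -> list:
    """RPZ NXDOMAIN rules for each host and its children, kept hostname-granular on
    purpose: uspss.pages.dev is one tenant on Cloudflare's shared platform, so the rule
    must not widen to pages.dev; the exact phishing URL belongs on the proxy list."""
    recs = [f"$ORIGIN {origin}."]
    for h in hosts:
        recs += [f"{h} CNAME .", f"*.{h} CNAME ."]
    return recs
```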
The wider read
The USPS phishing pyramid is the consumer-facing analogue of the Megalodon pattern that hit corporate developer pipelines this week. Both campaigns work because the target is reviewing the surface artifact — the package status, the workflow file — rather than the indirect-trust layer that determines whether the artifact is legitimate. The defender primitive is the same in both directions: pin to behavior, not destination. For the corporate developer, that means audit the workflow directory between releases. For the consumer's grandmother, it means open the carrier's app directly rather than tapping the link in the text message. The shape travels across audience, and the receipt is the same shape every time.