Anatomy of a USPS Phishing Campaign: Google-Authenticated Delivery, Rotating Hosts, and Real-Time Backend Control
Postal-themed phishing is nothing new. What made this campaign worth examining was not the lure itself, but the infrastructure and workflow behind it.
The delivery email passed SPF, DKIM, and DMARC as google.com. The email-linked URL routed visitors through a stable redirector to changing final hosts. During testing, the phishing content was reachable through residential egress, while tested datacenter-originating requests were redirected to google.com. The final application also used an encrypted Socket.IO / Engine.IO WebSocket channel that appeared capable of supporting real-time victim-state tracking and backend-controlled workflow changes.
This article walks through the observed chain from email delivery to the phishing backend. All URLs are defanged. Unless otherwise noted, conclusions are limited to the email, JavaScript, HAR data, browser observations, and live-site behavior reviewed during the investigation.
The email
The lure was a conventional USPS-themed “Delivery Exception Notice.” It claimed that a parcel with a tracking number ending in 9566 could not be delivered because of “Delivery Failed – No Access.” The recipient was told to update delivery preferences or reschedule delivery within 48 hours to avoid package return and a possible storage or return fee.
The message used two elements that could make it appear more credible:
- A genuine USPS logo loaded from
www.usps.com - A visible sender address of
no-reply@google.com
The call-to-action link, “Click Here to Fix Delivery and Resume Shipment,” pointed to:
hxxps://deerhuntings[.]icu/TylerBaker7651
The message authenticated as Google
The visible google.com sender initially appeared likely to be a simple spoof. The authentication results showed otherwise.
SPF Pass google.com; sender IP 2607:f8b0:4864:20::349
DKIM Pass d=google.com; signature verified
DMARC Pass action=none; header.from=google.com
CompAuth Pass reason=100
The receiving platform treated the message as authenticated mail from google.com. The observed header chain included:
Received: from rso-3723509943153957537-c-gea1.us-east1.4.apigee.com
(60.119.231.35.bc.googleusercontent.com. [35.231.119.60])
by gmr-mx.google.com with ESMTPS ...
Message-ID: <...JavaMail.apigee@rso-3723509943153957537-c-gea1>
These fields are consistent with a JavaMail-based application associated with a Google Apigee hostname submitting the message through Google-hosted infrastructure. The observed submission host resolved within googleusercontent.com at 35.231.119.60.
This does not establish the attacker’s true origin. It does, however, show that the campaign used a Google-hosted delivery path that resulted in valid google.com authentication at the receiving platform.
The practical lesson is that SPF, DKIM, and DMARC indicate whether a message is authorized for a domain; they do not establish that the message is benign. Controls heavily weighted toward sender authentication or provider reputation may assign lower risk to a malicious message when the sending service itself is abused.
Detection therefore needs to consider the full context:
- Message content
- Embedded URLs
- Relay and submission path
- Brand mismatch between a
google.comsender and a USPS-themed body - Domain age and reputation
- Redirect behavior
In the artifacts reviewed, the external-sender warning was the principal visible caution presented to the recipient.
The recipient mail platform also recorded a minimum-domain-age value of:
deerhuntings.icu#96
This appears to indicate that the domain was approximately 96 days old at the time of delivery. A relatively recent domain age is consistent with short-lived campaign infrastructure, although domain age alone does not establish malicious intent.
The redirector
The email-delivered URL appears to function as a redirector or campaign gate rather than the final phishing page:
hxxps://deerhuntings[.]icu/tylerbaker7651
The initial URL remained stable, while the final destination changed across visits.
One observed visit resolved to:
hxxps://tkpnql[.]icu/JustinPeters2598/?__eat=6bbce411008440a5
A later visit through the same initial URL reached a different final host:
jmkfxu[.]icu
Both final hosts served substantially similar USPS-themed phishing content. These observations provide direct evidence that the stable redirector was capable of routing visits to more than one final host.
The path components such as /tylerbaker7651 and /JustinPeters2598/ may represent campaign, victim, route, lure, or generated tracking identifiers. Their exact purpose was not established from the available artifacts.
The email used mixed-case pathing:
/TylerBaker7651
The live analysis also observed:
/tylerbaker7651
This suggests the redirector may normalize or otherwise accept path casing, but the precise behavior should not be assumed without broader testing. Hunting should account for both forms.
Likely operational advantages
Although the operator’s intent cannot be proven from redirect behavior alone, this design could provide several benefits:
- Keep the email-delivered URL stable while changing final hosts
- Replace or abandon final domains without modifying messages already delivered
- Route visitors by IP, geography, user agent, fingerprint, time, cookie state, or campaign rule
- Reduce exposure to scanners, sandboxes, and takedown crawlers
- Assign visitors to campaign-specific or operator-specific workflows
Access gating and anti-analysis behavior
During testing, the phishing content was served when accessed through residential egress. Tested datacenter-originating requests were redirected to google.com and did not reach the phishing pages.
This behavior is consistent with server-side network-type, ASN, or IP-reputation gating. The available evidence does not establish which specific classification method was used, and other factors such as geography, cookies, fingerprinting, or prior-visit state may also have influenced the response.
The operational effect is significant. Many URL scanners, cloud sandboxes, crawlers, and analyst systems originate from datacenter networks. Redirecting those visitors to a benign destination can reduce automated visibility while still allowing likely residential users to reach the phishing flow.
For validation of similar infrastructure, analysts should consider testing from more than one network type and should avoid concluding that a site is benign based on a single datacenter-originating request.
The phishing application
Once the content was reached, the observed flow contained three primary stages.
Stage 1: Tracking lure
/a_index.html
The first page imitated USPS Tracking. It displayed a weather-alert banner, a tracking number, an “Out for Delivery” status, an address-verification problem, and a “Request Redelivery” call to action.
Observed tracking number:
9505556249179352689361
Stage 2: Personal-information collection
/b_info.html
The second page presented a “Delivery Address” form requesting:
- First name
- Last name
- Email address
- Phone number
- Country
- Street address
- Apartment or suite
The page also stated that photo identification would be required for collection from a Post Office, which may have been intended to make the request appear routine.
Stage 3: Payment-card collection
/c_pay.html
The third page presented a “Quick Payment” flow and claimed that a $0.99 redelivery fee was required because of an address discrepancy.
The form requested:
- Card number
- Expiration date
- Security code
- Cardholder name
The page displayed branding for Visa, Mastercard, American Express, JCB, Discover, and Diners Club.
The nominal fee appears to have served as a pretext for collecting full payment-card information.
Page naming varied across observed or analyzed deployments. The live host used:
/a_index.html
/b_info.html
/c_pay.html
The JavaScript-analyzed instance also referenced routes including:
/index
/phoneCode
/emailCode
/pinCode
/appCode
/tempCustomCode
/expressCvv
This suggests that route naming may differ between deployments of the same or related kit.
Real-time WebSocket communication
The frontend opened a Socket.IO / Engine.IO WebSocket connection to:
wss://tkpnql[.]icu/console/?uuid=<victim_uuid>&EIO=4&transport=websocket
No browsable administrative interface was observed at /console/. In the captured traffic, that path functioned as a Socket.IO / Engine.IO communication endpoint.
The HAR showed an HTTP 101 Switching Protocols response and an Engine.IO open frame:
{
"sid": "...",
"upgrades": [],
"pingInterval": 5000,
"pingTimeout": 10000
}
Normal Engine.IO keepalive frames were also observed:
2 = ping
3 = pong
This confirms that the endpoint accepted a WebSocket upgrade and exchanged Engine.IO control traffic during collection.
The final phishing host was proxied through Cloudflare. The HAR did not expose the true backend IP. A serverIPAddress value of 192.168.100.1 appeared in the capture, but that is an RFC1918 private address and is more consistent with a local gateway, proxy, VPN path, or capture artifact than attacker infrastructure.
Encryption provided limited protection against client-side analysis
The WebSocket messages and browser storage values used AES-CBC with PKCS#7 padding.
The relevant key and IV values were embedded in the delivered JavaScript:
| Use | AES key | AES IV |
|---|---|---|
| Socket messages | ZQMWLSPXJRDHKTNV |
YFBCUENAGPQLXJWR |
| Local or session storage | NLFRWBHXVQJTCPYK |
DMAGSZEIOPQUNTVC |
Because these values were present in the client-side code, captured WebSocket data and browser storage values could be decrypted by an analyst with access to the JavaScript.
Decrypted traffic included a server-to-browser configuration message:
{
"event": "userSiteConfig",
"data": {
"money": "",
"successUrl": "",
"currencySymbol": "",
"products": []
}
}
It also included browser-to-server state reporting:
{
"event": "changleField",
"data": {
"router": "..."
}
}
The event name changleField appears to be a misspelling and may be a useful kit-specific hunting string.
An additional message was observed:
{
"event": "changleField",
"data": {}
}
No victim PII, payment-card data, OTP, PIN, password, or other submitted sensitive data was present in the specific HAR capture reviewed.
Backend-controlled step-up capability
The JavaScript referenced several follow-on routes:
/phoneCode
/emailCode
/pinCode
/appCode
/tempCustomCode
/expressCvv
These routes appear intended to collect:
- SMS or phone OTPs
- Email verification codes
- Card PINs
- Banking-app approval responses
- Custom verification values
- American Express CVV values
The code also referenced backend workflow states including:
rejected
rejectedCode
waitVerificationPhone
waitVerificationEmail
waitVerificationPin
waitVerificationExpressCvv
waitVerificationApp
waitVerificationCustomCode
completed
success
Together, these artifacts are consistent with a backend-controlled phishing workflow capable of changing the victim’s page or requested information during a session.
The evidence does not prove that a human operator was actively controlling the specific session captured. It does support the assessment that the backend could direct victims into different verification flows, potentially under operator control.
This architecture could support real-time fraud activity in which submitted card details are tested and the victim is then prompted for a corresponding OTP, PIN, app approval, or other challenge. That use case is consistent with real-time OTP interception and step-up verification phishing, but it was not directly observed in the reviewed capture.
Data-collection capability
The JavaScript referenced fields associated with several categories of victim data.
Personal information
firstName
lastName
fullName
address
city
state
zipCode
phone
email
ssn
birthday
Payment-card information
cardHolder
cardNumber
expiryDate
cvv
Verification and step-up data
code
pin
customCode
customCode1
customCode2
expressCvv
account
password
confirmedApp
notReceivedApp
resendCode
The exact fields presented to any individual victim may vary by deployment, campaign configuration, card type, backend decision, or operator action.
The available collection surface could support payment-card fraud, identity theft, account compromise, and attempts to defeat step-up verification.
Client-side anti-automation
The primary JavaScript contained checks for multiple automation and headless-browser indicators.
Examples included:
HeadlessChrome
selenium
webdriver
puppeteer
playwright
cypress
nodriver
undetected
Additional artifacts included:
__webdriver_evaluate
__selenium_evaluate
$cdc_asdjflasutopfhvcZLmcfl_
$wdc_
_phantom
__nightmare
callPhantom
__playwright__binding__
__puppeteer_evaluation_script__
The application also contained fingerprinting logic involving:
- WebGL
- Canvas
- Audio
- Fonts
- Emoji rendering
- Media devices
- WebRTC
- Battery status
- Permissions API
- Chrome runtime behavior
- Workers
The combination of client-side automation checks and observed network-based gating would likely reduce the chance that a basic sandbox or crawler receives the same content as a residential user with a conventional browser.
Indicators and hunting artifacts
The indicators below are separated by confidence and operational use. Provider-owned or shared infrastructure should not be treated the same as confirmed malicious campaign infrastructure.
High-confidence malicious infrastructure
deerhuntings[.]icu
tkpnql[.]icu
jmkfxu[.]icu
Observed URLs and paths
hxxps://deerhuntings[.]icu/TylerBaker7651
hxxps://deerhuntings[.]icu/tylerbaker7651
hxxps://tkpnql[.]icu/JustinPeters2598/?__eat=6bbce411008440a5
wss://tkpnql[.]icu/console/?uuid=<uuid>&EIO=4&transport=websocket
/TylerBaker7651
/tylerbaker7651
/JustinPeters2598/
/a_index.html
/b_info.html
/c_pay.html
/console/
/index
/phoneCode
/emailCode
/pinCode
/appCode
/tempCustomCode
/expressCvv
Observed loaded assets
BEaJxlwt.js
CJjEG3KW.js
C9Lg4Na1.js
CVIEK_kr.css
gS0Gah9-.css
Kit-specific strings
changleField
userSiteConfig
waitVerificationExpressCvv
waitVerificationCustomCode
VERIFICATION_STATE
t_form_data
t_config
AES key and IV strings
ZQMWLSPXJRDHKTNV
YFBCUENAGPQLXJWR
NLFRWBHXVQJTCPYK
DMAGSZEIOPQUNTVC
MD5-derived storage keys
t_config
2e14a1ac17c37597f4579a51c5f26330
t_form_data
6677b6f7dd5ca11774f0f0e484baa3c0
VERIFICATION_STATE
ddafc76f38596c8b6769b63034d43f1d
router
f3395cd54cf857ddf8f2056768ff49ae
JavaScript SHA-256 hashes
Browser or RUM-related code
e1ac4849b9d4a498b68f8aca01e6ed99a11d94b35a2cec533b3916b8fb722fd6
Bundled framework and dependencies
e6d5449ff52125009b6cb10113b28275a1a61cc7c61adf2ddaa4ab6bb9ebbb8c
Primary phishing application logic
e374aeef6b5ca5f66cc43133fe70c82c8458c791f1e113b59d83bc7ec5ee35cc
Contextual delivery infrastructure
The following values were observed in the delivery path but belong to Google or other shared-provider infrastructure. They should not be blocked or treated as independently malicious without supporting context.
Observed From address:
no-reply@google.com
Observed Apigee-associated host:
rso-3723509943153957537-c-gea1.us-east1.4.apigee.com
Observed Google Cloud egress IP:
35.231.119.60
Observed reverse DNS:
60.119.231.35.bc.googleusercontent.com
Observed Google relay:
gmr-mx.google.com
These values are most useful when combined with:
- USPS-themed subject or content
- The identified redirector domains
- Matching Message-ID patterns
- Similar body links or paths
- Comparable Apigee and JavaMail header characteristics
static.cloudflareinsights[.]com was also observed as a loaded third-party resource, but it is legitimate Cloudflare infrastructure and should not be treated as a campaign IOC by itself.
Detection ideas
The following are platform-neutral hunting concepts. Field names and syntax will require adaptation to the local SIEM, proxy, DNS, email, or endpoint schema.
DNS, proxy, and firewall hunting
destination.domain IN (
"deerhuntings.icu",
"tkpnql.icu",
"jmkfxu.icu"
)
url.path IN (
"/TylerBaker7651",
"/tylerbaker7651",
"/JustinPeters2598/",
"/console/"
)
WebSocket hunting
destination.domain = "tkpnql.icu"
AND url.path = "/console/"
AND url.query CONTAINS "EIO=4"
AND url.query CONTAINS "transport=websocket"
destination.domain IN ("tkpnql.icu", "jmkfxu.icu")
AND url.path = "/console/"
AND http.response.status_code = 101
Mail-flow hunting
Search for messages that combine several of the following:
no-reply@google.com- USPS-themed subject or body content
- Apigee-associated
Receivedheaders - JavaMail and Apigee characteristics in the
Message-ID - Links to
deerhuntings[.]icu - Paths matching
/TylerBaker7651or/tylerbaker7651
The Google IP address, sender address, and Apigee hostname should not be used as standalone block indicators because they are associated with shared provider infrastructure.
Key takeaways
1. Authentication success does not equal message trust
This message passed SPF, DKIM, and DMARC as google.com. That result showed that the message was authenticated for the observed sending domain. It did not establish that the content or embedded destination was safe.
2. The stable redirector supported multiple final hosts
The same email-delivered URL routed to at least two different final hosts serving similar USPS-themed content. This design can improve campaign resilience and complicate blocking or takedown efforts.
3. Network context affected what the site served
During testing, residential egress reached the phishing content while tested datacenter egress was redirected to google.com. Analysts should avoid judging similar hosts from one network perspective alone.
4. The frontend supported real-time backend control
The observed WebSocket endpoint, route inventory, workflow states, and decrypted messages are consistent with a phishing application capable of victim-state tracking and backend-directed verification prompts.
5. Shared infrastructure must be handled carefully
Google, Apigee, Cloudflare, and other provider-owned infrastructure appeared in the campaign chain. These values are useful as contextual evidence, but treating them as standalone malicious IOCs would create false positives and could lead to overblocking.
This assessment is based on artifacts available at the time of analysis. Phishing infrastructure, routing logic, hosted content, certificates, DNS records, and provider assignments can change rapidly. Observations should therefore be validated against current telemetry before operational action is taken.