
Hackers Rekt By Red Team - USPS SMS Scam Defeated

The PrimeTime · 5 min read

Based on The PrimeTime's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Grant Smith’s infiltration of USPS-themed smishing infrastructure helped collect evidence and victim data after his wife entered card details into a fraudulent delivery flow.

Briefing

A red-team style investigation helped dismantle a large-scale USPS smishing operation that used fake “package delivery” texts to harvest credit card details—an effort that reached hundreds of thousands of victims and exposed how attackers weaponized vulnerabilities in scam infrastructure. The key breakthrough came from security researcher Grant Smith, who infiltrated the scammers’ systems after his wife accidentally entered her card information into a fraudulent shipping flow. From there, Smith collected evidence, gathered victim data, and delivered it to U.S. authorities, enabling card protection and supporting an ongoing Postal Inspection Service investigation.

The smishing campaign, tied to a Chinese-language group dubbed the “smishing Triad,” pushed up to 100,000 scam messages per day globally. Messages impersonated the United States Postal Service, claiming a parcel needed “more details” and directing victims to a website where attackers could collect highly sensitive payment data. Smith’s work traced the operation’s infrastructure across 438,000 domains used by the scammers and revealed the scale of what victims entered: more than 50,000 email addresses (including hundreds of university accounts and about 20 military or government domains) and over 1.2 million total pieces of information. California led in entries with 141,000, reflecting how broadly the lure spread.

Technically, Smith described chaining multiple weaknesses in the scam websites. A path traversal vulnerability combined with a SQL injection—along with GraphQL-related access—allowed him to pull files from the server and read database contents. He also found that many scam sites left administrative credentials at default values, including a classic “admin/admin” pattern, which let him pull victim data faster and more automatically. Smith further identified that the scammers’ kit was sold and maintained through Telegram, where a subscription model (reported as $200 per month) enabled buyers to spin up customized fake delivery sites.

The investigation didn’t just map the threat; it helped blunt immediate harm. Smith’s wife canceled her card quickly, but attackers still attempted transactions afterward, including attempts to use the card with services like Uber. Smith’s findings were shared with a bank that had contacted him after his initial reporting, and he also provided information to the FBI and the United States Postal Inspection Service. Michael Martell, a national public information officer at USPIS, said the information is being used as part of an ongoing investigation and that agencies cannot comment on specific details.

The broader implication is that smishing is increasingly effective because it bypasses the “hover and inspect” safety habits people use against email links. Instead, SMS notifications create urgency and immediacy, driving victims to interact with fraudulent pages. Smith’s presentation at DEF CON highlighted not only the operational scale of the “smishing Triad,” but also the uncomfortable legal gray zone around “hacking back”—even when the target is foreign-based criminal infrastructure and the end goal is evidence collection and victim protection.

Cornell Notes

Grant Smith investigated a large USPS “smishing” campaign after his wife entered credit card details into a fake package-delivery flow. By infiltrating the scammers’ systems, he collected evidence and victim data tied to 438,000 scam domains and more than 1.2 million total data entries. The operation, linked to a Chinese-language group dubbed the “smishing Triad,” sent 50,000–100,000 texts per day and sold a customizable smishing kit via Telegram. Smith attributed access to weaknesses such as path traversal and SQL injection (with GraphQL-related access) and noted many sites used default admin credentials. His findings supported bank protections and an ongoing U.S. Postal Inspection Service investigation.

How did the USPS smishing lure work, and what made it effective?

The messages impersonated USPS delivery notifications, claiming a parcel needed additional information such as credit card details. Victims were directed to a website where they could enter payment data and security codes. Smishing’s effectiveness comes from SMS immediacy: the notification arrives directly on a phone, so people act quickly without the “hover to inspect” cues common with email links.
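As an added illustration that is not part of the video or this summary, the following triage routine encodes the defensive side of the point above: it flags a text that invokes USPS while linking to a host outside usps.com, and treats urgency phrasing and a brand name embedded in a lookalike hostname as aggravating signals. The sample messages and every host in them are constructed placeholders; none of the campaign's real domains appear on this page, and the allowlist of legitimate domains is an assumption for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample texts for the demo; the hosts are invented placeholders,
# not domains from the campaign described on the page.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold, missing address details. Confirm within 24h: "
    "https://usps-track-update.example/redelivery",
    "Your USPS item 9400100000000000000000 was delivered. Details: "
    "https://tools.usps.com/go/TrackConfirmAction",
    "Lunch at noon? https://example.org/menu",
    "USPS Informed Delivery: preview today's mail at https://mail-preview.example/",
]

# Domains the impersonated brand actually controls (assumption for the demo).
LEGIT_DOMAINS = {"usps.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
BRAND_RE = re.compile(r"\b(usps|postal service)\b", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(on hold|within \d+\s*h(?:ours?)?|unable to deliver|"
    r"(?:confirm|update) (?:your )?(?:address|details)|missing .*?details|pay now)\b",
    re.IGNORECASE,
)


def extract_hosts(text):
    """Return the lower-cased hostname of every URL in the text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (never a suffix trick)."""
    return host == domain or host.endswith("." + domain)


def triage_sms(text):
    """Score one text message and return (verdict, reasons).

    The core signal mirrors the lure on the page: the message claims to be
    from USPS but the link leads somewhere USPS does not control. Urgency
    phrasing and brand-in-hostname lookalikes only raise the score further.
    """
    score = 0
    reasons = []
    brand = bool(BRAND_RE.search(text))
    off_brand = [
        h for h in extract_hosts(text)
        if not any(under_domain(h, d) for d in LEGIT_DOMAINS)
    ]
    if brand and off_brand:
        score += 2
        reasons.append(f"brand mentioned but link goes to {', '.join(off_brand)}")
        lookalikes = [h for h in off_brand if "usps" in h]
        if lookalikes:
            score += 1
            reasons.append(f"brand name embedded in non-brand host {', '.join(lookalikes)}")
        if URGENCY_RE.search(text):
            score += 1
            reasons.append("urgency or account-action phrasing")
    if score >= 3:
        verdict = "smishing"
    elif score >= 1:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, reasons


def triage_all(messages=SAMPLE_MESSAGES):
    """Verdicts for a batch of messages, in input order."""
    return [triage_sms(m)[0] for m in messages]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = triage_sms(msg)
        print(f"{verdict:10s} {msg[:60]!r} {reasons}")
```

The check deliberately keys on the mismatch between the claimed sender and the link destination rather than on keywords alone, because a genuine carrier notification also mentions the brand; a plain brand mention with no off-brand link scores zero, which is why the second sample stays benign.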

What did Smith find about the scale of the scam infrastructure and victim data?

Smith reported that scammers used 438,000 domains and that victims entered more than 1.2 million pieces of information in total. He also logged over 50,000 email addresses, including hundreds of university emails and about 20 military or government domains. California had the most entries at 141,000, illustrating the campaign’s broad U.S. reach.

Which technical weaknesses enabled Smith to access the scam websites and databases?

Smith described a path traversal vulnerability paired with a SQL injection that, together with GraphQL-related access, allowed him to retrieve files from the website server and read data from the database. He also found administrative passwords were often not changed from default credentials, enabling faster extraction of victim records.
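As an added example that is neither the scam kit's code nor Smith's tooling, the Python back end below shows the two weaknesses named in the Briefing and in the answer above side by side with their fixes: a file download that joins user input straight into a path versus one that resolves the path and confines it to the public directory, and a record lookup built by string formatting versus one that validates the type and binds a parameter. The directory layout, table, and rows are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed demo fixture (not the scam kit): a "public" directory that a
# download endpoint may serve from, a file outside it that must stay private,
# and an in-memory table of the kind of harvested records the page describes.
def setup_demo():
    base = tempfile.mkdtemp()
    public = os.path.join(base, "public")
    os.makedirs(public)
    with open(os.path.join(public, "logo.txt"), "w") as f:
        f.write("logo")
    with open(os.path.join(base, "config.txt"), "w") as f:
        f.write("db_password=placeholder")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?)",
                     [(1, "victim1@example.test"), (2, "victim2@example.test")])
    return base, conn


# --- Weak pattern: user input joined straight into a filesystem path. ---
def read_file_vulnerable(base, name):
    # A name of "../config.txt" walks out of public/ and returns the private file.
    with open(os.path.join(base, "public", name)) as f:
        return f.read()


# --- Weak pattern: query text assembled from user input. ---
def lookup_vulnerable(conn, entry_id):
    # An id of "1 OR 1=1" turns a single-row lookup into a full-table dump.
    return conn.execute(f"SELECT email FROM entries WHERE id = {entry_id}").fetchall()


# --- Hardened: resolve the path, then require it to stay inside public/. ---
def read_file_safe(base, name):
    public = os.path.realpath(os.path.join(base, "public"))
    target = os.path.realpath(os.path.join(public, name))
    if os.path.commonpath([public, target]) != public:
        raise PermissionError("requested path escapes the public directory")
    with open(target) as f:
        return f.read()


# --- Hardened: validate the type and bind the value as a query parameter. ---
def lookup_safe(conn, entry_id):
    try:
        entry_id = int(entry_id)
    except (TypeError, ValueError):
        raise ValueError("entry id must be an integer") from None
    return conn.execute("SELECT email FROM entries WHERE id = ?", (entry_id,)).fetchall()


def demo():
    """Run both variants against the same inputs and report what each returned."""
    base, conn = setup_demo()
    results = {
        "vuln_traversal": read_file_vulnerable(base, "../config.txt"),
        "vuln_sqli_rows": len(lookup_vulnerable(conn, "1 OR 1=1")),
        "safe_normal_file": read_file_safe(base, "logo.txt"),
        "safe_normal_rows": lookup_safe(conn, "1"),
    }
    try:
        read_file_safe(base, "../config.txt")
        results["safe_traversal"] = "allowed"
    except PermissionError:
        results["safe_traversal"] = "blocked"
    try:
        lookup_safe(conn, "1 OR 1=1")
        results["safe_sqli"] = "allowed"
    except ValueError:
        results["safe_sqli"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The path check compares resolved paths rather than looking for ".." substrings, so encoded or symlinked variants are caught the same way; the query fix relies on parameter binding rather than on escaping, which is the general remedy regardless of which database drives the site.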

How was the “smishing Triad” operation organized and monetized?

The group appeared to include a smaller team that created, sold, and maintained the smishing kit, plus another group that bought and used the tools. The kit’s back door let the creator access administrator details. The kit was reportedly sold on Telegram for about $200 per month, with customization to impersonate the target organization.

What happened after Smith shared findings with authorities and financial institutions?

Smith provided information to a bank that contacted him after his reporting, and he also reported incidents to the FBI and later provided details to the United States Postal Inspection Service. USPIS public information officer Michael Martell said the information is being used in an ongoing USPIS investigation, while declining to share specific case details.

Review Questions

  1. What combination of vulnerabilities did Smith describe using to access scam infrastructure, and why did default admin credentials matter?
  2. How do smishing messages differ from email phishing in terms of user behavior and safety checks?
  3. What evidence suggests the “smishing Triad” was a kit-based operation rather than a one-off scam?

Key Points

  1. Grant Smith’s infiltration of USPS-themed smishing infrastructure helped collect evidence and victim data after his wife entered card details into a fraudulent delivery flow.
  2. The “smishing Triad” campaign pushed tens of thousands of SMS messages daily and used hundreds of thousands of domains to route victims to data-harvesting pages.
  3. Smith reported more than 1.2 million total data entries, including over 50,000 email addresses and sensitive payment information such as security codes and dates of birth.
  4. Technical access relied on weaknesses including path traversal and SQL injection, with GraphQL-related access enabling database and server data retrieval.
  5. Many scam sites left administrative credentials at default values, allowing faster automated extraction of victim records.
  6. The operation’s kit was sold and customized via Telegram on a subscription model, enabling other actors to run impersonation campaigns.
  7. Smith’s findings were shared with financial institutions and U.S. authorities, including the FBI and the United States Postal Inspection Service, supporting an ongoing investigation and fraud mitigation.

Highlights

Smith traced a USPS-themed smishing operation to 438,000 scam domains and reported over 1.2 million total data entries from victims.
A path traversal flaw plus SQL injection (with GraphQL-related access) enabled retrieval of server files and database contents from scam sites.
The “smishing Triad” sold a customizable smishing kit on Telegram for about $200 per month, scaling the attack through buyers.
USPIS public information officer Michael Martell said Smith’s information is being used in an ongoing Postal Inspection Service investigation.
