Smishing Smackdown: Unraveling the Threads of USPS Smishing and Fighting Back
S1nn3r
DEF CON 32 Main Stage · Day 1 · Main Stage
In "Smishing Smackdown: Unraveling the Threads of USPS Smishing and Fighting Back," S1nn3r, a red team operator and bug bounty hunter, takes the audience on a journey through his personal investigation into a prevalent **smishing** (SMS phishing) campaign targeting United States Postal Service (USPS) customers. Motivated by his wife falling victim to such a scam and subsequently receiving a similar fraudulent text message himself, S1nn3r transformed a personal grievance into a deep technical dive, uncovering significant vulnerabilities and operational security (OpSec) flaws within the attackers' infrastructure.
AI review
S1nn3r's dive into USPS smishing, spurred by personal experience, provides a robust case study in turning the tables on attackers. He leveraged a path traversal vulnerability in the scammer's websocket implementation to access server logs, revealing their use of BT panel, PHPMyAdmin, and even pinpointing their operational IP. This research delivers high practical impact by exposing common attacker OpSec failures and offering actionable intelligence for both individual users and security professionals.