One more attampt at "you have a delivery" scam, with some Vibe AI coding
Take action: Never trust unexpected messages, and DON'T RUSH. Nothing is too urgent. Don't click on links, respond or call numbers in unexpected messages. Instead, call or visit the official website/phone of the claimed institution.
Learn More
We are detecting another package delivery phishing scam impersonating multiple post services - we detected at least the Macedonian Post service and Kazakh Post.
The attack combines SMS/messaging phishing (smishing) carrying a shortened URL that hides a fake Post service site and payment portal designed to harvest credit card information.
Initial contact is sent via SMS or WhatsApp messaging from faked international phone numbers (e.g., +61 480 837 849 - Australian number) which has nothing to do with the impersonated country. This is an immediate red flag - why would a local post use a phone number half way around the world?
Message Content (Translated): "6.4th Reminder: Package tracking number 736977971. We cannot deliver because the street name is missing. Please update your information through the following link: https://is.gd/esCVn2?GgA=Fv8Qy9
The shortened url https://is.gd/esCVn2?GgA=Fv8Qy9 points to a destination https://www.editoastcen.top which is currently running on a server with IP 91.195.240.123
The domain editoastcen.top has nothing to do with posta.mk (official Macedonian Post). The website is designed to render only on mobile browsers, targeting mobile users are have a lot less tools for analysis on mobile phones. Also, any automated scanners for abuse will be redirected to some other benign site.
The scam website has a completely broken language, even some of the language isn't in Macedonian. It's probably generated with AI which has recycled previous versions of the code with some errors and nobody made any checks.
The backend logic of the scam site is poorly built, exposes the endpoint where the cards are sent (which enables a counterattack by security teams) and has a client side script that loops and creates a lot of useless traffic (again, easily seen for blocking). The code has comments in Chinese. Looks like a Vibe coding (AI generated code).
<script>
$.ajax({
url: "/Postd/paymentTemp?key=b2dbdf70671d0d54fa3d2756eaa49350", // 替换为要加载的 HTML 页面的 URL
method: 'GET',
dataType: 'html',
success: function(data) {
// console.log(data);
$('.bodyContent').html(data);
},
error: function() {
console.log('加载失败');
}
});
</script>
How to stay safe
- Don't rush - they are trying to make you panic by implying urgency
- Don't trust unexpectd messages triggering you in any way- anything can be faked these days.
- Verify independently - go to the official site (never click on links or call numbers in the unexpected message)
- Consult with others
