Threat actors are impersonating critical and general services, online platforms, and cryptocurrency exchanges in a massive smishing campaign that has been ongoing since April 2024, Palo Alto Networks warns.
The cybersecurity firm first warned of the campaign in early March, when it identified over 10,000 domains linked to the impersonation of toll and package delivery services. Roughly a month later, it warned of over 91,500 root domains employed in these attacks.
Subsequent analysis revealed that the campaign is much more extensive, with over 194,000 malicious domains used in these attacks since January 1, 2024.
In addition to toll and package delivery services, the attacks also impersonate healthcare organizations, banks, cryptocurrency platforms, ecommerce and online payment platforms, law enforcement, and social media platforms.
“The campaign is highly decentralized, lacking a single point of control, and uses a large number of domains and a diverse set of hosting infrastructure. This is advantageous for the attackers as churning through thousands of domains weekly makes detection more difficult,” Palo Alto Networks notes.
Most of the attacks focus on US users, but the campaign’s reach is, in fact, global, with victims identified in Argentina, Australia, Canada, France, Germany, Ireland, Israel, Lithuania, Malaysia, Mexico, Poland, Russia, UAE, the UK, and other countries.
Responsible for the campaign, Palo Alto Networks says, is a Chinese-speaking threat actor known as the Smishing Triad, which has been active since at least 2023. In addition to SMS phishing, it was also seen sending emails to iPhone users’ iMessage app in attacks impersonating India Post.
Earlier this year, the threat actor was seen boasting on its Telegram channel about a new phishing kit dubbed Lighthouse that could target major Western financial organizations and banks in Australia and the APAC region.
Smishing Triad’s attacks, Palo Alto Networks notes, are constantly evolving, and the large number of domains associated with the campaign proves that.
The constant remains the personalized SMS messages that rely on social engineering to imply urgency and lure victims to the malicious domains where they are tricked into sharing their personal information, including their Social Security numbers and similar national identifiers.
The campaign is likely supported by a phishing-as-a-service (PhaaS) operation. The threat actors involved are likely specialized in different stages of the supply chain and include a data broker, domain seller, hosting provider, a phishing kit developer, an SMS spammer, and support roles checking for valid phone numbers and blocked domains.
Most of the domains (82.6%) used in the campaign had a life span of two weeks or less, and less than 6% were active three months after registration. According to Palo Alto Networks, 29.19% of the domains were active for two days or less.
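The short domain life spans and the urgency-driven wording described above are both usable as defender-side triage signals for messages that employees or customers report. The Python below is an added example written for this article, not Palo Alto Networks' tooling or data: the SMS texts, the registration-date table and the allowlist of official domains are constructed for illustration (the `.example` domains are hypothetical placeholders), and a real deployment would query a WHOIS or domain-intelligence feed instead of the inline table. A domain with no known registration date is deliberately treated as a finding rather than ignored, since newly churned domains are exactly the ones a feed is least likely to know about.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Brands the article says are impersonated, mapped to the domains a defender
# would treat as legitimate. Example allowlist, not taken from the article.
OFFICIAL_DOMAINS = {
    "usps": {"usps.com"},
    "irs": {"irs.gov"},
}

# Phrases typical of the "act now" lure the article describes.
URGENCY_TERMS = ("immediately", "final notice", "within 24 hours", "suspended", "unpaid")

# Constructed registration dates standing in for a WHOIS / domain-intel lookup.
REGISTRATION_DATES = {
    "usps.com": date(2000, 1, 1),                # placeholder, not the real date
    "usps-track-fee.example": date(2024, 5, 2),  # hypothetical, recently registered
}

TODAY = date(2024, 5, 10)  # fixed "now" so results are reproducible

# Constructed sample messages: two lures and one benign notification.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold due to an unpaid fee. Pay within 24 hours: "
    "https://usps-track-fee.example/pay",
    "Toll Services final notice: settle your balance immediately at "
    "http://toll-pay-now.example/bill.",
    "Your USPS package arrives tomorrow. Track it at https://usps.com/track",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host (simple eTLD+1 approximation)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def brand_tokens(domain: str) -> list:
    """Split the second-level label into alphabetic tokens, e.g. usps-track-fee -> [usps, track, fee]."""
    sld = domain.rsplit(".", 1)[0]
    return [t for t in re.split(r"[^a-z]+", sld) if t]


def triage(text: str, today: date = TODAY, max_age_days: int = 14) -> dict:
    """Score one SMS on urgency wording, brand lookalike domains and domain age."""
    findings = []
    lower = text.lower()
    urgency = [t for t in URGENCY_TERMS if t in lower]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))

    for raw_url in URL_RE.findall(text):
        url = raw_url.rstrip(".,;:!?)")  # strip trailing sentence punctuation
        dom = registrable_domain(url)
        tokens = brand_tokens(dom)
        for brand, official in OFFICIAL_DOMAINS.items():
            if brand in tokens and dom not in official:
                findings.append(f"brand '{brand}' in non-official domain {dom}")
        registered = REGISTRATION_DATES.get(dom)
        if registered is None:
            findings.append(f"no registration data for {dom}")
        elif (today - registered).days <= max_age_days:
            findings.append(f"{dom} registered {(today - registered).days} days ago")

    # Two independent signals are required before a message is flagged.
    return {"findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print("SUSPICIOUS" if result["suspicious"] else "ok", "|", msg[:60])
        for f in result["findings"]:
            print("   -", f)
```

The two-signal threshold is the design choice worth noting: urgency wording alone produces many false positives on legitimate reminders, and a young domain alone flags every new legitimate service, but the combination of a lure, a brand name in a non-official domain and a registration age inside the two-week window the article reports is a strong indicator.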
Roughly 90,000 of the fraudulent domains impersonated toll services, and more than 28,000 impersonated the US Postal Service (USPS).
Other domains impersonated a consumer electronics company, a financial services firm, government services such as the IRS and US state vehicle departments, mail and delivery services, police forces, carpooling applications, hospitality services, personal cloud services, and online games and marketplaces for in-game skins.
“We advise people to exercise vigilance and caution. People should treat any unsolicited messages from unknown senders with suspicion. We recommend that people verify any request that demands urgent action using the official service provider’s website or application,” Palo Alto Networks notes.