Smishing Triad cleverly impersonates postal/delivery services like Royal Mail or USPS to trap unsuspecting US citizens in its newly detected smishing campaign.
Cybersecurity researchers at Resecurity have published an advisory about a newly discovered large-scale smishing campaign by the Chinese-speaking cybercrime group Smishing Triad, which targets US-based users by impersonating popular mail and delivery services.
According to Resecurity, Smishing Triad originates from China and uses smishing attacks as its primary attack vector. Researchers found that Smishing Triad has affiliations with several different cybercrime groups and that the group offers cybercrime-as-a-service infrastructure with its Smishing kit subscription starting at $200/month. Subscribers receive activation codes and deployment scripts with different frameworks.
“It is complicated to disrupt cyber-criminal activity committed by actors located in foreign jurisdictions like China without proper regulatory harmonization and mutual legal assistance abroad. Resecurity is thus sharing information about the ‘Smishing Triad’ with the cybersecurity community and general public to raise awareness to help organizations better safeguard their customers,” the advisory read.
What is a Smishing Attack?
In smishing (aka SMS phishing), scammers exploit SMS or text-message features and services to trap unsuspecting users into revealing sensitive personal and financial details, including passwords, banking credentials, and debit/credit card numbers, or to lure them into downloading malicious software.
Threat actors mimic a credible government or private entity, for instance a postal service, government institution, or bank, to create a sense of legitimacy around these messages.
How Does the Attack Occur?
The group generally exploits the iMessage service to send package-tracking scams and steals PII (personally identifiable information) and financial data (such as payment card details or banking credentials) to conduct credit card fraud and identity theft.
This time, Smishing Triad has changed its strategy slightly and exploits messages from compromised Apple iCloud accounts to trick users. Its smishing kit is also up for sale on Telegram IM groups to create an extensive and well-organized fraud-as-a-service network.
Resecurity's threat intelligence team accessed and reverse-engineered one such kit and discovered an SQL injection vulnerability in it, through which they could retrieve the sensitive data of more than 108,000 victims; the team warned those victims about the likelihood of identity theft.
Who are the Targets?
In this campaign, Smishing Triad is targeting US citizens. The group impersonates most leading postal and delivery services to trick users, including the following:
- Correos (Spain)
- New Zealand Post
- The Royal Mail (UK)
- Postnord (Sweden)
- Poczta Polska (Poland)
- J&T Express (Indonesia)
- New Zealand Postal Service (NZPOST)
- Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate)
The victim receives a message from any of these services requesting additional information or payment of delivery fees through a credit card. After obtaining the desired information, the attackers can commit financial fraud.
In its earlier campaigns, the group targeted users from diverse regions such as the UK, Poland, Japan, Indonesia, Sweden, and Italy.
Protection from Smishing Attacks
Protecting yourself from smishing (SMS phishing) is important for safeguarding your personal information and financial security. Here are five points to help you stay safe from smishing:
- Verify the Sender: Always verify the sender’s identity before responding to any SMS messages, especially those that ask for personal or financial information. Legitimate organizations usually include their name and contact information in their messages.
- Don’t Click on Links: Avoid clicking on links or downloading attachments in text messages, especially if you didn’t expect to receive such a message. These links may lead to malicious websites or install malware on your device.
- Be Cautious with Personal Information: Never share personal or financial information via text messages, such as Social Security numbers, credit card details, or login credentials. Legitimate organizations will not ask for such sensitive data through SMS.
- Use Trusted Sources: If you receive an SMS claiming to be from a bank, government agency, or other official institution, don’t trust it blindly. Instead, contact the organization directly using a trusted phone number or website to verify the message’s authenticity.
- Install Security Software: Use reputable antivirus and anti-malware software on your mobile device. These tools can help detect and block malicious SMS messages and links.
Additionally, keeping your phone’s operating system and apps up-to-date, using strong and unique passwords for your accounts, and enabling two-factor authentication wherever possible can further enhance your protection against smishing and other cyber threats.
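The "Verify the Sender" and "Don't Click on Links" advice above can be turned into a simple triage heuristic for the package-delivery lure described earlier: a message that names a postal brand, asks for a fee or address update, and links to a domain that is not the brand's own is the pattern this campaign relies on. The following is an added example written for this article, not code from Resecurity or from the Smishing Triad kit. The brand-to-domain table, the lure phrases and the sample messages are all constructed for the illustration (the domains listed are the carriers' public websites, but a real deployment would maintain that table from an authoritative source).

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed brand -> official registrable domains for this example (assumption).
OFFICIAL_DOMAINS: Dict[str, Set[str]] = {
    "usps": {"usps.com"},
    "royal mail": {"royalmail.com"},
    "correos": {"correos.es"},
    "postnord": {"postnord.se", "postnord.com"},
    "nz post": {"nzpost.co.nz"},
    "nzpost": {"nzpost.co.nz"},
}

# Phrases typical of the delivery-fee / address-update lure (constructed list).
LURE_PHRASES = (
    "delivery fee", "redelivery", "customs", "on hold", "incomplete address",
    "update your address", "confirm your details", "pay",
)

# Two-label public suffixes so "nzpost.co.nz.evil.info" reduces to "evil.info".
TWO_LABEL_SUFFIXES = {"co.nz", "co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the part of a hostname the sender actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_sms(text: str) -> Dict[str, object]:
    """Score one SMS body; returns a verdict, a score and human-readable findings."""
    lower = text.lower()
    brands = [b for b in OFFICIAL_DOMAINS if b in lower]
    official: Set[str] = set().union(*(OFFICIAL_DOMAINS[b] for b in brands)) if brands else set()
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    findings: List[str] = []
    score = 0

    for url in urls:
        host = urlparse(url).hostname or ""
        reg = registrable_domain(host)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to bare IP address {host}")
            score += 2
        if official and reg not in official:
            # The message invokes a carrier but the link is controlled by someone else.
            findings.append(f"claims to be {'/'.join(brands)} but links to {reg}")
            score += 3
        for dom in official:
            if dom in host and reg != dom:
                # Lookalike trick: the real domain appears as a subdomain of another site.
                findings.append(f"official domain {dom} embedded in {host}")
                score += 2

    lures = [p for p in LURE_PHRASES if p in lower]
    if lures and (brands or urls):
        findings.append("delivery/payment lure: " + ", ".join(lures))
        score += 1

    return {"verdict": "suspicious" if score >= 3 else "clean",
            "score": score, "findings": findings}


# Constructed sample messages, not captured campaign traffic.
SAMPLE_MESSAGES = [
    "USPS: Your package is on hold due to an incomplete address. "
    "Pay the $1.99 redelivery fee at https://usps-track-update.com/confirm",
    "Royal Mail: We tried to deliver your parcel. Reschedule here: https://royalmail.com/track",
    "Your NZ Post parcel requires customs payment: https://nzpost.co.nz.delivery-fee.info/pay",
    "Hi, are we still on for dinner tonight?",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze_sms(msg)
        print(f"[{result['verdict']:10}] score={result['score']} {msg[:60]}...")
        for f in result["findings"]:
            print("    -", f)
```

The domain comparison is deliberately done on the registrable domain rather than on the full hostname: a phishing page hosted at a hostname that merely begins with the carrier's name passes a naive "contains royalmail.com" check, which is exactly what the third sample message exploits.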