A Chinese-speaking cyber-criminal group named “Smishing Triad” has been observed conducting a large-scale smishing campaign targeting US citizens.
This campaign has skillfully impersonated various postal and delivery services, including Royal Mail (UK), New Zealand Postal Service, Correos (Spain), PostNord (Sweden), Poste Italiane, Italian Revenue Service, USPS, Poczta Polska (Poland), J&T Express (Indonesia) and New Zealand Post.
The group uses iMessage to send package-tracking text scams, aiming to collect personally identifying information (PII) and payment credentials for identity theft and credit card fraud.
According to a new advisory published by Resecurity on Wednesday, the Smishing Triad campaign differs from previous smishing attacks by exclusively utilizing iMessages from compromised Apple iCloud accounts as their primary delivery method, setting it apart from traditional SMS or calls.
The smishing kits used by the group have been offered for sale in Telegram IM groups, creating a thriving fraud-as-a-service network. Resecurity obtained and reverse engineered one such kit, uncovering an SQL injection vulnerability that allowed them to retrieve data from over 108,000 victims to warn them of potential identity theft.
Further investigation revealed that Smishing Triad collaborates with other cyber-criminals and offers cybercrime-as-a-service infrastructure. Their smishing kit subscriptions start at $200 per month, providing customers with activation codes and scripts for deployment, often using various frameworks.
The group has targeted multiple postal and delivery services worldwide. They have also attacked online shopping platforms by injecting malicious code to intercept customer data.
Smishing attacks continue to evolve, exploiting users’ trust in SMS and iMessage communication channels. In their advisory, Resecurity highlighted the need for consumer awareness and advised organizations to safeguard their customers better.
“It is complicated to disrupt cyber-criminal activity committed by actors located in foreign jurisdictions like China without proper regulatory harmonization and mutual legal assistance abroad,” reads the technical write-up.
“Resecurity is thus sharing information about the ‘Smishing Triad’ with the cybersecurity community and general public to raise awareness to help organizations better safeguard their customers.”
Editorial image credit: The Toidi / Shutterstock.com