iPhone users in the United States are the target of an ongoing smishing campaign. A threat group that specialises in impersonating parcel carriers and postal agencies has been found running a large-scale smishing operation aimed at U.S. residents who use iPhones.
For context, the FBI's Internet Crime Complaint Center (IC3) recorded 800,944 complaints in 2022, with reported losses exceeding USD 10.3 billion across all categories of cybercrime.
The group is well resourced: it builds convincing fake parcel-tracking websites, complete with working tracking features, to lend its lures credibility.
How the campaign works:
The operation proceeds in stages. The actors first build a sophisticated website imitating a carrier such as USPS or UPS. They then send victims a smishing text (a phishing message delivered by SMS, carrying a link to the fake site) that asks them to resolve a supposed delivery problem. The fake site harvests the victim's personal information and payment card details.
Over 108,000 U.S. residents have already been affected.
According to Resecurity, the same group previously targeted victims in Poland, Italy, the UK, Japan, Indonesia and other countries, impersonating the Royal Mail, New Zealand Post (NZPOST), Correos (Spain), PostNord, Poste Italiane and others.
Resecurity's findings indicate that the actors are based in China and that the scam texts are delivered to targets via iMessage. The group has been named "Smishing Triad" after the primary attack vector it relies on.
“These frauds can manifest as a text from the postal service like the United States Postal Service (USPS), requesting payment for additional delivery fees via credit card. Once the victim shares payment information, the bad actors use it to commit financial fraud.”
USPS has noted that these scams typically peak during the summer months. Activity spiked in August, and a large number of new domains were registered in that period.
Text messages collected from victims and historical passive DNS data show a consistent pattern: the group uses domains in the ".top" zone, registered through NameSilo and placed behind Cloudflare, most of them in August 2023.
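As an added illustration (not code from the original article or from Resecurity), the following Python script turns the indicators described above into a simple triage heuristic and runs it over a few constructed SMS messages: an impersonated carrier name, a delivery-problem lure, and a link whose host sits in the .top zone or embeds the carrier's name in a lookalike hostname. The sample messages, the lure phrase list and the scoring thresholds are assumptions made for this example; a TLD on its own is never proof of malice, so it only adds weight to the score.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the example (not real victim data). The first three mimic
# the delivery-problem lures the article describes; the last is a benign control.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold due to an incomplete address. "
    "Update it at https://usps-redelivery.top/track?id=US8813",
    "UPS Notice: a delivery fee of $1.99 is required before we can release your parcel: "
    "https://ups-package.top/pay",
    "Royal Mail: we attempted delivery. Reschedule here http://royalmail-parcel.top/r",
    "Your dentist appointment is tomorrow at 10:00. Reply C to confirm.",
]

# Brands the article says the group impersonates (usps is listed before ups so the
# longer token wins when both could match at the same position).
BRAND_RE = re.compile(r"\b(usps|ups|royal ?mail|nzpost|correos|postnord|poste italiane)\b")

# Typical delivery-problem lure phrases. Assumed list; extend it from real samples.
LURE_PHRASES = (
    "delivery fee", "redelivery", "on hold", "incomplete address",
    "reschedule", "attempted delivery", "release your parcel",
)

# The article reports the campaign's domains sit in the .top zone. A TLD alone is never
# proof of malice, so it only adds weight; it does not decide the verdict by itself.
SUSPECT_TLDS = (".top",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage_sms(text):
    """Score one SMS against the campaign's indicators.

    Returns a dict with the extracted URLs, the reasons that fired, a numeric score
    and a verdict ("smishing" when score >= 3, otherwise "benign").
    """
    lowered = text.lower()
    urls = URL_RE.findall(text)
    # Match brand and lure phrases against the message body only, so words that
    # happen to appear inside a URL do not count twice.
    body = URL_RE.sub(" ", lowered)

    score, reasons = 0, []

    brand_match = BRAND_RE.search(body)
    brand = brand_match.group(1) if brand_match else None
    if brand:
        score += 1
        reasons.append(f"impersonates {brand}")

    lure = next((p for p in LURE_PHRASES if p in body), None)
    if lure:
        score += 1
        reasons.append(f"delivery lure: '{lure}'")

    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(SUSPECT_TLDS):
            score += 2
            reasons.append(f"link host in suspect zone: {host}")
        # Brand name embedded in a non-official host, e.g. usps-redelivery.top
        if brand and brand.replace(" ", "") in host.replace("-", ""):
            score += 1
            reasons.append(f"brand name in lookalike host: {host}")

    return {
        "urls": urls,
        "reasons": reasons,
        "score": score,
        "verdict": "smishing" if score >= 3 else "benign",
    }


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage_sms(msg)
        print(f"[{result['verdict']:8}] score={result['score']} {result['reasons']}")
```

In a real deployment the brand regex would be tightened to avoid matching ordinary words (the bare token "ups" is a weak signal on its own), and the hostname checks would be backed by the registrar and passive DNS data the article mentions rather than the TLD alone.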
Further investigation by Resecurity's HUNTER team found an SQL injection vulnerability in the kit's status parameter. Exploiting it, the team retrieved sensitive data from the group's database, including records for the 108,044 victims. Anyone who receives a text of this kind should treat the message and its link as indicators of compromise, not follow the link, and report the message to USPS.
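The article does not reproduce the kit's code, and the snippet below is not Resecurity's exploit. It is an added, hypothetical reconstruction of the bug class: a tracking-status lookup that splices the status parameter into the SQL string, shown beside the parameterized version that closes the hole. The table name, columns and rows are assumptions made for this example.

```python
import sqlite3

# Constructed records standing in for a phishing kit's victim table (not real data).
SAMPLE_ROWS = [
    ("US1001", "paid", "1111"),
    ("US1002", "pending", "2222"),
    ("US1003", "paid", "3333"),
]


def build_db():
    """Create an in-memory table shaped like a kit's victim store (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE victims (id INTEGER PRIMARY KEY, tracking TEXT, status TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO victims (tracking, status, card_last4) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_by_status_vulnerable(conn, status):
    """Hypothetical vulnerable handler: the status parameter is spliced into the SQL text."""
    sql = "SELECT tracking, card_last4 FROM victims WHERE status = '" + status + "'"
    return conn.execute(sql).fetchall()


def lookup_by_status_safe(conn, status):
    """Hardened handler: the value is bound as a parameter and cannot alter the query."""
    sql = "SELECT tracking, card_last4 FROM victims WHERE status = ?"
    return conn.execute(sql, (status,)).fetchall()


# A classic tautology payload. Against the vulnerable handler it turns the WHERE clause
# into  status = 'x' OR '1'='1'  which matches every row in the table.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Return (vulnerable_rows, safe_rows) for the tautology payload."""
    conn = build_db()
    return (
        lookup_by_status_vulnerable(conn, TAUTOLOGY),
        lookup_by_status_safe(conn, TAUTOLOGY),
    )


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable handler returned", len(vuln), "rows:", vuln)
    print("safe handler returned", len(safe), "rows:", safe)
```

The parameterized handler returns no rows for the payload because the whole string is compared as a literal status value; the vulnerable one returns every row. The same class of defect in a real kit is what let the researchers pull the full victim table, and it is also exactly the defect a carrier's own status-tracking endpoint must not have.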
USPS publishes guidance on what to do if you encounter a smishing attempt.