A threat group specializing in impersonating postal agencies and mail delivery companies has been running a major smishing campaign targeting U.S. iPhone users, according to researchers at Resecurity.
The group is adept at developing fake but convincing parcel tracking websites, using smishing (SMS phishing) techniques to trick victims into disclosing personally identifying information (PII) and payment credentials.
Its latest campaign, impersonating the U.S. Postal Service (USPS), appears to have snared at least 108,000 victims.
In an Aug. 30 post, Resecurity said that as well as orchestrating last month’s successful campaign, the Chinese-speaking group, which it calls Smishing Triad, has also sold a range of country-specific postal service “smishing kits” to other cybercriminals.
Smishing campaigns that dupe victims into supplying PII or credit card details, or downloading malware, have been a popular ruse for many years. The USPS issued a general warning about smishing scams in March.
Smishing Triad has developed sites that impersonate those of FedEx and UPS as well as the postal services in several countries including the UK, Poland, Sweden, Italy, Indonesia, Malaysia and Japan.
Resecurity researchers said Smishing Triad’s latest U.S. campaign differed from most others because contact with victims was initiated solely using iMessages delivered from compromised Apple iCloud accounts.
As it ramped up last month’s campaign, Smishing Triad registered several new .top domain names with deceptive “usps” and “usus” prefixes, such as “uspshhg[.]top.”
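To show the defensive side of that detail, here is an added example (not from Resecurity’s report) that screens URLs in constructed SMS gateway log lines for postal-brand lookalike hosts, refanging the “[.]” notation used in reports and exempting the brands’ legitimate apex domains; the allowlist, brand tokens and log format are assumptions.

```python
import re

# Constructed sample log lines of the kind an SMS gateway or web proxy
# might record (hypothetical, not data from the report).
SAMPLE_LINES = [
    "2023-08-14 msg=Your USPS parcel is held, confirm at https://uspshhg[.]top/track",
    "2023-08-14 msg=Track your package: https://tools.usps.com/go/TrackConfirmAction",
    "2023-08-15 msg=UPS delivery fee due: http://ups-redelivery.top/pay",
    "2023-08-15 msg=Lunch at noon?",
    "2023-08-16 msg=FedEx notice https://fedex.com/apps/fedextrack/",
]

# Assumed allowlist of the impersonated brands' legitimate apex domains;
# in a real deployment keep this list from authoritative sources.
LEGIT_APEX = {"usps.com", "ups.com", "fedex.com"}
# Brand tokens seen in lookalike names; "ups" is short and noisy on its own
# (e.g. "backups"), so tune tokens against your own traffic.
BRAND_TOKENS = ("usps", "usus", "ups", "fedex")
SUSPECT_TLDS = (".top",)

URL_RE = re.compile(r"https?://([^\s/]+)")

def refang(host):
    # Threat reports defang indicators as "example[.]top"; normalise first.
    return host.replace("[.]", ".").lower()

def apex(host):
    # Crude apex extraction (last two labels); enough for .com/.top here.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def classify_host(host):
    """Return the rule names a host triggers; empty list means no finding."""
    host = refang(host)
    if apex(host) in LEGIT_APEX:
        return []
    reasons = []
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand-token-outside-legit-apex")
    if host.endswith(SUSPECT_TLDS):
        reasons.append("suspect-tld")
    return reasons

def scan_lines(lines):
    """Return (host, reasons) for every URL host that triggers a rule."""
    hits = []
    for line in lines:
        for host in URL_RE.findall(line):
            reasons = classify_host(host)
            if reasons:
                hits.append((refang(host), reasons))
    return hits
```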
When the Resecurity team analyzed the kits, they discovered an SQL injection vulnerability they were able to use to recover the compromised data of more than 108,000 Smishing Triad victims.
“The vulnerability was present in every smishing resource set up by the threat group. But it is not clear if threat actors created this backdoor deliberately or if it was an unintended code flaw,” the researchers said.
It was possible key members of the gang had engineered the back door as a “covert channel” to intercept and collect the PII and payment data users of the kit were collecting, they said.
“Such tradecraft is widely used by cybercriminals in password stealers and phishing kits, allowing them to profit from the activities of their clients, or at least to seamlessly monitor their activity just by logging into an administration panel.”
By reverse engineering one of the smishing kits, Resecurity was able to identify Chinese-speaking members of the group, including an actor previously known for selling customized phishing kits.
The group also included graphic designers responsible for preparing high-quality imitation web pages, web developers, and salespeople who marketed the kits primarily through Chinese-speaking dark web cybercriminal communities.
They also identified several Vietnamese-speaking members of the group collaborating with the primary threat actors.
“The group has an ongoing collaboration with other threat actors involved in similar activity. This synergy enables ‘Smishing Triad’ to scale their operations more effectively.”
The group was observed selling smishing kits for a minimum of $200 per month, with higher prices for buyers wanting enhanced customer support.
Resecurity’s threat intelligence and research team said they had observed online discussions between threat actors about “how effectively they were able to harvest compromised U.S. citizen payment data” using the USPS smishing kits.