The “Smishing Triad” Campaign

Have you received a text message regarding an unpaid toll or a misdelivered package lately? You are not the only one. Researchers discovered a SMiShing (SMS text phishing) campaign attributed to the “Smishing Triad” that has been circulating since April 2024. A China-based threat actor has been impersonating a variety of international services within critical infrastructure, including banking, cryptocurrency, e-commerce, healthcare, law enforcement, and social media. The campaign focuses heavily on US residents, impersonating organizations such as commercial and state-owned mail and package delivery services, state vehicle and licensing agencies, and state and federal tax services or agencies. The “Smishing Triad” employs standard tactics, sending text messages that create a sense of urgency to trick victims into acting immediately. Once victims click the included link, they are directed to a phishing page that captures sensitive information, including Social Security numbers, addresses, payment information, and login credentials.
This threat actor has been challenging to detect because of how its operation and hosting infrastructure are arranged. Researchers have identified 194,000 malicious domains linked to the operation. The attack infrastructure is primarily hosted on popular US cloud services, even though the malicious domains are registered through a Hong Kong-based registrar and use Chinese nameservers. A majority of the “Smishing Triad” root domains are built from a hyphenated series of strings followed by a top-level domain (TLD), i.e., [string1]-[string2].[TLD]. For example, one of the domains linked to this threat actor is “ezpassnj[.]gov-mhmt[.]xin,” which could be mistaken for the legitimate ezpassnj.gov: the legitimate hostname is placed at the front, and the actual registrable domain is the unrelated gov-mhmt[.]xin. Notably, this campaign is evolving to impersonate many types of services, as there has been a significant increase in the registration of “.gov” TLDs in the past three months.
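Detection logic for the domain pattern described above, as an added example that is not part of the original advisory: it refangs a URL, extracts the host, and flags (a) a watchlisted legitimate domain used as a deceptive prefix of a different registrable domain and (b) the hyphenated-root shape. The watchlist and sample URLs are constructed, and the registrable-domain split assumes the last two labels (a real deployment would use the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Constructed watchlist of legitimate domains the campaign impersonates.
# ezpassnj.gov is named in the advisory; the second entry is a placeholder.
WATCHLIST = ("ezpassnj.gov", "parcel-carrier.example")

# Shape of the campaign's root domains: [string1]-[string2].[TLD]
HYPHEN_ROOT = re.compile(r"^[a-z0-9]+-[a-z0-9]+$")


def refang(text: str) -> str:
    """Undo common defanging so the URL can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    url = refang(url.strip().lower())
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def registrable(host: str) -> str:
    # Assumption: last two labels form the registrable domain (no PSL lookup).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(url: str, watchlist=WATCHLIST) -> dict:
    """Return the host, its registrable domain and the lookalike signals found."""
    host = host_of(url)
    reg = registrable(host)
    signals = []
    for legit in watchlist:
        # Legit name appears at the very start but the real domain differs:
        # "ezpassnj.gov-mhmt.xin" or "ezpassnj.gov.evil.xin"; a genuine
        # subdomain such as "www.ezpassnj.gov" is not flagged.
        on_legit = host == legit or host.endswith("." + legit)
        if not on_legit and host.startswith(legit) and host[len(legit):len(legit) + 1] in "-.":
            signals.append("brand_prefix:" + legit)
    # Hyphenated second-level label is a weak signal on its own (many real
    # domains are hyphenated); it is most useful combined with brand_prefix.
    if HYPHEN_ROOT.match(reg.split(".")[0]):
        signals.append("hyphenated_root")
    return {"host": host, "registrable": reg, "signals": signals}


def suspicious(urls) -> list:
    """Hosts from a batch of SMS links that carry a brand_prefix signal."""
    return [r["host"] for r in map(analyze, urls) if any(s.startswith("brand_prefix") for s in r["signals"])]
```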