Smishing is a form of phishing in which victims receive a deceptive text message, sent via SMS or instant messaging systems such as iMessage, that aims to trick the recipient into providing personal or financial information. As explained some time ago on Italian Tech, the term smishing comes from the combination of the words “SMS” and “phishing”.

The messages appear to come from reliable sources or legitimate institutions, such as government agencies, banks and financial institutions. They often contain malicious links that direct victims to phishing pages designed to ask for personal or financial information. Smishing allows cybercriminals to steal victims’ identities and money, gain unauthorized access to online accounts, and conduct other fraudulent activities.

Researchers from the cybersecurity firm Resecurity have identified a large-scale smishing campaign called the Smishing Triad, which targeted US, British and Italian citizens.

Recently the same campaign has targeted users in other countries around the world, such as Poland, Sweden, Indonesia, and Japan. The criminal group behind the campaign impersonates organizations known to victims, such as the Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), Postnord, Poste Italiane and the Italian Revenue Agency. In the past, similar campaigns have targeted customers of express shipping and transportation companies such as Fedex, DHL and UPS.

The attackers are Chinese-speaking and use a parcel-tracking scam (imitating tracking services like the real one offered by Gmail) to collect personally identifiable information (PII) and payment information from victims, with the aim of stealing their identity and carrying out credit card fraud. The Chinese origin of the group, and its specialization in smishing campaigns, led Resecurity to name the criminal group the Smishing Triad.

In the case of attacks against Italian users, some of the messages appear to come from a postal service such as Poste Italiane and ask victims to pay additional shipping fees by credit card. Once the victim shares the payment information, the bad actors use it for fraudulent purposes and unauthorized charges.

Another variant of the smishing attacks used by the Smishing Triad group involves sending victims a false tax notification on behalf of a government agency. Smishing Triad has developed a custom tool for crafting messages so that they appear to come from legitimate and trusted organizations. In the case of the attacks on Italy, the criminals, posing as the Revenue Agency, send a false payment notification relating to unpaid taxes which must be paid immediately by credit card. Users who are willing to pay in order to regularize their tax position will unfortunately have their digital identity and credit card details stolen, and the scammers will subsequently use them for unauthorized transactions.

A distinctive feature of the Smishing Triad campaign is that the attackers have used iMessage exclusively, sending messages from previously compromised Apple iCloud accounts. The Smishing Triad group has also been observed attacking online shopping platforms: the group attacks ecommerce sites by injecting malicious code that intercepts customer data by presenting customers with a fake 3D Secure payment form.

Smishing Triad runs its own Telegram channel with over 2725 members, along with several private groups. This aspect is extremely concerning, as the criminal group uses the cybercrime-as-a-service model, offering its tools to other cybercriminals. In particular, the group offers channel members the opportunity to purchase “smishing kits” prepared for creating messages that target users of popular US, UK and European brands. For only $200 a month it is possible to take out a subscription that allows criminals to use the kit and receive support.

Resecurity experts purchased the “smishing kit” to analyze it and identified a vulnerability intentionally inserted by the Smishing Triad group. Experts say the flaw serves as a hidden backdoor in the code that allows the criminal group to silently extract the personal and payment data collected by its customers. In short, criminals who steal from other criminals.

Resecurity researchers managed to recover a further 108,044 records of data stolen from unsuspecting victims. The company then alerted the victims to the identity theft perpetrated against them and shared the information collected with the relevant law enforcement agencies and the Italian Revenue Agency. According to Resecurity, stopping such cybercriminal activities is complex, as they are carried out by foreign actors located in jurisdictions such as China, a nation that does not stand out for its cooperation with international police investigations.

To avoid falling victim to smishing attacks, it is essential to be wary of unexpected or suspicious text messages and never to share personal or financial information via SMS or through pages reached from links in messages. One warning sign is the urgent tone of the messages, which pushes victims to take action. If you receive a suspicious message, it is advisable to check directly with the organization or institution involved, using official communication channels, before taking any action.

