
Smishing Triad hackers target banking and e-commerce platforms

Hackers often target online banking platforms, e-commerce portals and payment systems for illicit purposes.

Security researchers recently revealed that the Smishing Triad group has launched a new smishing campaign targeting Pakistani mobile phone users.

Gang members send malicious messages impersonating Pakistan Post via iMessage and SMS in an attempt to steal personal and financial information.

They continue their previous activities in: –

Following recent data breaches, the crew is estimated to be sending between 50,000 and 100,000 automated messages a day, drawing target numbers from stolen databases of Pakistani citizens' phone numbers that are traded on the dark web.


Technical analysis

The scale of the operation indicates that telecommunications companies need to improve their SMS fraud detection capabilities and take a proactive approach to stopping this activity before it reaches customers.

Figure (Source – Resecurity)

The Smishing Triad has extended its operations to Pakistan by sending messages purporting to come from Pakistan Post, aimed at stealing personal and financial information from mobile phone users.

Using databases of stolen local phone numbers, the attackers send up to 100,000 text messages a day. The links are wrapped in URL shorteners and QR codes, which hide the final phishing domain from SMS content filters and from the recipient.

Some of these messages are sent as a validation step: the actors use them to confirm which numbers are active so that follow-up, more targeted attacks go to live users.

Fake message from Pakistan Post (Source – Resecurity)

The actors are exploiting recent data breaches that exposed the data of Pakistani citizens to pose as legitimate local businesses and ask victims for payment card details.

Accordingly, on March 27, 2024, PKCERT published a security advisory on this large-scale campaign targeting customers of Pakistan's major carriers.

In addition to Pakistan Post, the group also impersonates courier services by offering fake delivery scams, showing how their tactics are evolving across countries.

Fake Pakistan Post Payment Page (Source – Resecurity)

The Smishing Triad also continues to target victims around the world.

Several of the group's phishing kits are served from different hosts and domain names that all resolve to the same IP address, 23.231.48.129, which gives defenders a pivot for discovering related infrastructure.

In addition to impersonating Pakistan Post, the actors recently targeted Correos, the Spanish state-owned postal operator, consistent with activity from the group first observed in July 2023.

This shows that the gang is still operating at scale and is adapting the way it launches mass attacks on postal and courier services in regions such as Pakistan and the EU.

Mitigation

The researchers recommend the following:-

  • Be skeptical of unexpected delivery or payment notices
  • Do not answer unsolicited messages
  • Check the source by contacting the postal service through its official channels
  • Don't click on links, including shortened links and QR codes
  • Use security software
  • Report suspicious messages to your carrier and CERT
  • Educate users and staff

IOC

Domain Names:-

  • ep-gov-ppk(.)cyou
  • pk-post-goi(.)xyz
  • pak-post(.)com/id
  • pakpotech(.)top/id

URLs:-

  • l(.)ead(.)me/bf6fB8
  • is(.)gd/bpEPk3
  • l(.)ead(.)me/BjsT
  • to(.)gd/8vcwYW
  • 2h(.)ae/nwxP
  • 2h(.)ae/cNRd
  • ytfrt(.)top/id
  • linkr(.)it/4bStpB
  • qrco(.)de/bf56c0

Telephone numbers:-

  • +923361021455
  • +923301956704
  • +923315640313
  • +601128430746
  • +923328862313
  • +923121461238
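The indicators above are published defanged, and the URL IOCs are mostly on public shorteners and QR-redirect services, so a bare host match on those is only a lead while a match on the impersonation domains is a confirmed hit. The following is an added example, not code from the article or from Resecurity, showing how an SMS gateway or SOC could consume this list: it refangs the indicators, scans constructed sample message bodies, and pivots on the shared IP address named in the analysis. The redirector-host set, the lookalike heuristic, the assumption that Pakistan Post's legitimate sites sit under .gov.pk, and the passive-DNS style records (other than the IP) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the article, defanged with "(.)".
DOMAIN_IOCS = ["ep-gov-ppk(.)cyou", "pk-post-goi(.)xyz", "pak-post(.)com/id", "pakpotech(.)top/id"]
URL_IOCS = ["l(.)ead(.)me/bf6fB8", "is(.)gd/bpEPk3", "l(.)ead(.)me/BjsT", "to(.)gd/8vcwYW",
            "2h(.)ae/nwxP", "2h(.)ae/cNRd", "ytfrt(.)top/id", "linkr(.)it/4bStpB", "qrco(.)de/bf56c0"]

# Assumption: these are public shortener / QR-redirect services, so a host-only match is a lead, not proof.
REDIRECTOR_HOSTS = {"l.ead.me", "is.gd", "to.gd", "2h.ae", "linkr.it", "qrco.de"}
# Assumption: Pakistan Post's legitimate web presence is under .gov.pk; anything else that looks like it is suspect.
LEGIT_SUFFIX = ".gov.pk"
LOOKALIKE_RE = re.compile(r"pak-?post|pk-?post|pakistan-?post|pakpo", re.I)


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: '(.)' / '[.]' -> '.', 'hxxp' -> 'http'."""
    return re.sub(r"\(\.\)|\[\.\]", ".", ioc).replace("hxxp", "http")


def normalize(url: str) -> str:
    """'hxxps://Host/Path' or bare 'host/path' -> 'host/path' with the host lower-cased (path case kept)."""
    s = refang(url)
    if "://" not in s:
        s = "http://" + s          # urlsplit needs a scheme to recognise the host
    p = urlsplit(s)
    return (p.hostname or "").lower() + p.path


def host_of(url: str) -> str:
    return normalize(url).split("/", 1)[0]


IOC_HOSTS = {host_of(d) for d in DOMAIN_IOCS}   # whole hosts are bad
IOC_URLS = {normalize(u) for u in URL_IOCS}      # only these exact shortener paths are bad

URL_RE = re.compile(r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)


def extract_urls(text: str) -> list[str]:
    # Strip punctuation that SMS text tends to glue onto the end of a link.
    return [m.rstrip(".,;:)!") for m in URL_RE.findall(text)]


def classify_sms(text: str) -> tuple[str, list[str]]:
    """Return ('block' | 'review' | 'allow', reasons) for one inbound SMS body."""
    verdict, reasons = "allow", []
    for raw in extract_urls(text):
        norm, host = normalize(raw), host_of(raw)
        if norm in IOC_URLS or host in IOC_HOSTS:
            verdict = "block"
            reasons.append(f"known IOC {norm}")
        elif host in REDIRECTOR_HOSTS:
            verdict = "review" if verdict == "allow" else verdict
            reasons.append(f"redirector {host}: expand the link before delivery")
        elif LOOKALIKE_RE.search(host) and not host.endswith(LEGIT_SUFFIX):
            verdict = "review" if verdict == "allow" else verdict
            reasons.append(f"Pakistan Post lookalike host {host}")
    return verdict, reasons


# Constructed passive-DNS style (host, ip) records; only the IP address comes from the article.
RESOLUTIONS = [
    ("ep-gov-ppk.cyou", "23.231.48.129"),
    ("pk-post-goi.xyz", "23.231.48.129"),
    ("ytfrt.top", "23.231.48.129"),
    ("track.example.com", "198.51.100.7"),
]


def pivot_on_ip(records, ip: str) -> list[str]:
    """Hosts sharing one IP: the pivot the analysis uses to tie the kits together."""
    return sorted({h for h, a in records if a == ip})


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    samples = [
        "Pakistan Post: parcel held, update address at pak-post.com/id today.",
        "Customs fee pending, pay at https://is.gd/bpEPk3",
        "Your voucher: is.gd/zz99",
        "Pakistan Post notice, verify at pk-post-update.top/verify",
        "Order shipped, track at https://track.example.com/abc",
    ]
    for s in samples:
        print(classify_sms(s), "<-", s)
    print("hosts on 23.231.48.129:", pivot_on_ip(RESOLUTIONS, "23.231.48.129"))
```

Shortener paths are case-sensitive, so `normalize` lower-cases only the host; a production filter would also expand each redirector link (following redirects without a browser) and re-run `classify_sms` on the final landing URL, since the final domain, not the shortener, is what the actors rotate.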
