Smishing Triad has expanded its UAE-focused operations, using domain registrations via Gname.com to host fake Emirates Post lures and geo-targeted delivery of smishing pages. The group hijacks iCloud accounts to send iMessages, leverages Dark Web data for geo-specific PII, and even sells smishing kits as Fraud-as-a-Service to scale operations. #SmishingTriad #EmiratesPost
Key points
- Smishing Triad has expanded its footprint in the UAE with UAE-specific, geo-filtered lures impersonating Emirates Post.
- Most malicious domains are registered through the Singapore-based registrar Gname.com Pte. Ltd., linking infrastructure to the attackers.
- The group targets UAE residents, using IP-based geo-filtering so that the scam pages are served only to visitors from the targeted region and are hidden from everyone else.
- Compromised Apple iCloud accounts are used to deliver iMessages that impersonate trusted local entities.
- They obtain UAE resident PII from Dark Web sources and use it to tailor their attacks and select victims.
- Fraud-as-a-Service (FaaS) is offered via platforms like Telegram, enabling others to deploy similar smishing campaigns.
- UAE authorities, awareness campaigns, and reporting tools are highlighted as defenses against this threat.
MITRE Techniques
- [T1583] Acquire Infrastructure – Domain registrations used to host smishing infrastructure. ‘The domain, dwu6.top, is a critical asset in “Smishing Triad’s” campaign against the UAE. Its structure and registration details closely mirror those of domains used in earlier campaigns, suggesting a consistent and evolving modus operandi.’
- [T1566.003] Phishing: Spearphishing via Service – iMessages delivered from hijacked services. ‘The group typically sends out malicious text messages from iCloud accounts they have previously hijacked, while masquerading as reputable organizations like government agencies, financial institutions (FIs), and shipping firms.’
- [T1078] Valid Accounts – Use of hijacked iCloud accounts to stage attacks. ‘The threat actor acquires UAE resident databases from the Dark Web and launches their smishing attacks from iCloud accounts they have previously compromised.’
- [T1036] Masquerading – Impersonation of Emirates Post and other organizations. ‘masquerading as reputable organizations like government agencies, financial institutions (FIs), and shipping firms.’
Indicators of Compromise
- [Domain] telegram-1[.]org, telegram-j[.]org, and 12 further Telegram-themed domains used in the campaigns
- [Domain] 0pti[.]top, comnmbak[.]vip, and numerous other domains (all other domains listed in the source IOC table)
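Defenders typically consume lists like the one above by refanging the indicators and matching them against URLs seen in SMS or messaging-gateway logs. The following is an added example (not code from the original report or from any vendor) that does exactly that for the handful of domains quoted on this page, matching both exact hosts and subdomains of a listed domain; the log lines are constructed samples, not real traffic.

```python
"""Match defanged domain indicators against URLs found in message logs."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators quoted on this page, kept in their defanged form; the full IOC table
# from the source report is not reproduced here.
DEFANGED_IOCS = ["telegram-1[.]org", "telegram-j[.]org", "0pti[.]top",
                 "comnmbak[.]vip", "dwu6[.]top"]

# Accept both live (http) and defanged (hxxp) scheme spellings in log text.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>]+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator or URL back into its real form, lower-cased."""
    return (indicator.lower().replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http"))


def extract_hosts(text: str) -> List[str]:
    """Return the hostnames of every URL embedded in a line of log text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlparse(refang(match.group(0))).hostname
        if host:
            hosts.append(host)
    return hosts


def matches_ioc(host: str, iocs: set) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_messages(lines: List[str], defanged_iocs=DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Yield (log line, host seen, matching indicator) for every hit."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = []
    for line in lines:
        for host in extract_hosts(line):
            ioc = matches_ioc(host, iocs)
            if ioc:
                hits.append((line, host, ioc))
    return hits


# Constructed sample gateway lines for demonstration only.
SAMPLE_LOG = [
    "msg: Your Emirates Post parcel is on hold, confirm at https://track.dwu6.top/ae",
    "msg: Lunch at 1pm? https://example.com/menu",
    "msg: sign in here hxxps://TELEGRAM-1[.]org/login",
]

if __name__ == "__main__":
    for line, host, ioc in scan_messages(SAMPLE_LOG):
        print(f"HIT {host} -> {ioc}: {line}")
```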