Smishing Triad Hackers Attacking Online Banking, E-Commerce and Payment Systems Customers

The Smishing Triad group has launched a fresh smishing campaign targeting Pakistani mobile users, impersonating Pakistan Post via iMessage and SMS to steal personal and financial information. The operation uses stolen phone-number databases, automated mass messaging (50,000–100,000 messages per day), URL shorteners, and QR codes to deliver fake delivery and payment pages, with activity observed across Pakistan, the EU, UAE, and KSA.

Keypoints

  • Smishing Triad targets Pakistani mobile users with iMessage and SMS impersonations of Pakistan Post.
  • The gang uses phone-number databases stolen and traded on the dark web to send up to 50,000–100,000 automated messages per day.
  • Messages aim to steal personal and financial information, extending impersonation to other couriers like Correos.
  • URL shorteners and QR codes are used to evade detection and drive victims to fraudulent pages.
  • Campaigns leverage data breaches to pose as legitimate local firms requesting payment details.
  • The operation spans regions including the USA, EU, UAE, and KSA, with the smishing kits for these campaigns hosted on shared infrastructure (the same IP address).
  • Mitigations include treating unexpected delivery notices with skepticism, not replying, verifying the sender through official channels, not following links or scanning QR codes from unsolicited messages, using mobile security software, reporting suspicious messages, and user education.

MITRE Techniques

  • [T1566.003] Phishing: Spearphishing via Service – The Smishing Triad delivers its lures over iMessage and SMS while pretending to be Pakistan Post. "The gang members send harmful messages pretending to be Pakistan Post via iMessage and SMS in an attempt to steal personal and financial information."
  • [T1204.001] User Execution: Malicious Link – Victims must tap a shortened link or scan a QR code to reach the fraudulent page; the shorteners and QR codes also hide the final destination from message filters. "Using URL shorteners and QR codes to avoid detection."
  • [T1566.002] Phishing: Spearphishing Link – The links lead to a fake Pakistan Post payment page that requests the victim's payment details. "Fake Pakistan Post Payment Page (Source – Resecurity)"

Indicators of Compromise

  • [Domain] Domains used in the campaign infrastructure – ep-gov-ppk[.]cyou, pk-post-goi[.]xyz, pak-post[.]com/id, pakpotech[.]top/id
  • [URL] Smishing-related URLs – l[.]ead[.]me/bf6fB8, is[.]gd/bpEPk3, l[.]ead[.]me/BjsT, is[.]gd/8vcwYW, 2h[.]ae/nwxP, 2h[.]ae/cNRd, ytfrt[.]top/id, linkr[.]it/4bStpB, qrco[.]de/bf56c0
  • [IP Address] Shared infrastructure IP used for smishing kits – 23[.]231[.]48[.]129
  • [Phone] Target phone numbers – +923361021455, +923301956704
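As an added example (not code from the article or from Resecurity), the following Python script matches SMS/iMessage text against the indicators listed above. It refangs the published IoCs, extracts link-like tokens from message text, and reports exact-URL, IP and domain matches. Links on the shortener services that appear in the published URLs but are not exact IoCs are flagged as suspicious rather than treated as matches, since the services themselves are legitimate and the gang rotates short links. The shortener host list is derived from the IoCs above and is my assumption; the sample messages are constructed for illustration, not captured lures.

```python
"""Match SMS/iMessage text against the Smishing Triad indicators listed above.

Added example, not code from the article or from Resecurity. The sample
messages below are constructed for illustration, not captured lures.
"""
import re

# Indicators copied from the page, defanged as published.
DOMAIN_IOCS = ["ep-gov-ppk[.]cyou", "pk-post-goi[.]xyz", "pak-post[.]com/id", "pakpotech[.]top/id"]
URL_IOCS = ["l[.]ead[.]me/bf6fB8", "is[.]gd/bpEPk3", "l[.]ead[.]me/BjsT", "is[.]gd/8vcwYW",
            "2h[.]ae/nwxP", "2h[.]ae/cNRd", "ytfrt[.]top/id", "linkr[.]it/4bStpB", "qrco[.]de/bf56c0"]
IP_IOCS = ["23[.]231[.]48[.]129"]

# Shortener services seen in the published URLs (assumed list, derived from the
# IoCs above). A link on one of these that is not an exact IoC is still worth
# flagging: the campaign rotates short links, and the services themselves are
# legitimate, so they must not be blocked as domains.
SHORTENER_HOSTS = {"l.ead.me", "is.gd", "2h.ae", "linkr.it", "qrco.de"}


def refang(ioc: str) -> str:
    """Turn a published, defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(indicator: str) -> str:
    """Defang before logging or sharing so a hit cannot be clicked by accident."""
    return indicator.replace(".", "[.]")


# Hosts are compared case-insensitively; short-link codes are case-sensitive,
# so URL paths are kept as written and must match exactly.
IOC_DOMAINS = {refang(d).split("/", 1)[0].lower() for d in DOMAIN_IOCS}
IOC_URLS = {(refang(u).split("/", 1)[0].lower(), "/" + refang(u).split("/", 1)[1]) for u in URL_IOCS}
IOC_IPS = {refang(ip) for ip in IP_IOCS}

# Bare or scheme-prefixed hostname, or an IPv4 literal, with an optional path.
LINK_RE = re.compile(
    r"(?i)(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})(/[\w./?=&%#-]*)?"
)


def extract_links(text: str):
    """Return (host, path) pairs for every link-like token in a message."""
    links = []
    for m in LINK_RE.finditer(text):
        host = m.group(1).lower()
        path = (m.group(2) or "").rstrip(".,;:!?)")  # drop trailing sentence punctuation
        links.append((host, path))
    return links


def classify_message(text: str) -> dict:
    """Classify a message as ioc_match, suspicious_shortener or clean."""
    hits = []
    for host, path in extract_links(text):
        if (host, path) in IOC_URLS:
            hits.append(("url", host + path))
        elif host in IOC_IPS:
            hits.append(("ip", host))
        elif any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("domain", host))
        elif host in SHORTENER_HOSTS:
            hits.append(("shortener", host + path))
    kinds = {kind for kind, _ in hits}
    if kinds & {"url", "ip", "domain"}:
        verdict = "ioc_match"
    elif "shortener" in kinds:
        verdict = "suspicious_shortener"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


def scan(messages):
    """Classify a batch of messages, preserving order."""
    return [classify_message(m) for m in messages]


# Constructed sample messages (not real lures from the campaign).
SAMPLE_MESSAGES = [
    "Pakistan Post: your parcel is held at customs. Pay the fee at https://pk-post-goi.xyz/track?id=12345",
    "Your package could not be delivered. Update address: is.gd/bpEPk3",
    "PakPost: parcel waiting, confirm at 2h.ae/xYz9",
    "Meeting moved to 3pm, agenda at https://example.com/agenda",
    "Track here: http://23.231.48.129/pk/",
]

if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        flagged = ", ".join(f"{kind}={defang(value)}" for kind, value in result["hits"]) or "-"
        print(f"{result['verdict']:<22} {flagged:<40} {msg[:50]}")
```

Exact-path matching for the URL indicators is deliberate: short-link codes such as bf6fB8 are case-sensitive and a prefix match would produce false positives on unrelated codes. Because the gang rotates short links and QR codes, the durable indicators here are the landing domains and the shared hosting IP, which is where blocking is most effective; shortener hits are best routed to analyst review.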

Read more: https://gbhackers.com/smishing-triad-attacks-financial-customers/