Resecurity flags the Smishing Triad expanding its operations to Pakistan, impersonating Pakistan Post to steal personal and financial data from mobile users. The campaign uses local numbers, mass messaging, and smishing kits hosted on domains tied to delivery services, with data sourced from the Dark Web. #SmishingTriad #PakistanPost
Key points
- The Smishing Triad has expanded its operations to Pakistan, targeting local mobile customers with impersonated delivery notices.
- Attackers impersonate Pakistan Post and send from local phone numbers to appear legitimate, prompting victims to submit payment details.
- Estimates suggest the group sends between 50,000 and 100,000 messages daily, using stolen Dark Web data to fuel its campaigns.
- Smishing kits were hosted on domains such as pk-post-goi.xyz and ep-gov-ppk.cyou, which impersonated the Express Mail Track & Trace system.
- Domain names and infrastructure used for the campaign were registered anonymously via NameSilo and later taken down by researchers.
- Attackers employ URL shortening and QR code generation services to evade detection and facilitate link delivery.
- PKCERT issued an advisory on the observed smishing patterns, highlighting broader delivery scams beyond Pakistan Post.
MITRE Techniques
- [T1566] Phishing – Smishing messages impersonating Pakistan Post to obtain credit card details via a payment form. "The threat actors are using local phone numbers, making it appear to the end recipient as if they are receiving a text from a local postal office or a company attempting to reach out."
- [T1583] Acquire Infrastructure – Attackers leverage stolen databases acquired from the Dark Web containing personal data to scale campaigns. "They leverage stolen databases acquired from the Dark Web, which contain sensitive personal data of citizens including phone numbers."
- [T1036] Masquerading – Use of URL shortening services to disguise malicious links and enable QR code generation. "The actors employ techniques to evade detection, including the use of URL shortening services, such as those that provide QR code generation capabilities."
Indicators of Compromise
- [Domain Names] Smishing infrastructure domains used for campaigns – ep-gov-ppk.cyou, pk-post-goi.xyz, pak-post.com/id, pakpotech.top/id
- [URLs] Shortened or obfuscated links used in campaigns – l.ead.me/bf6fB8, is.gd/bpEPk3, l.ead.me/BjsT, is.gd/8vcwYW, 2h.ae/nwxP, 2h.ae/cNRd, ytfrt.top/id, linkr.it/4bStpB, qrco.de/bf56c0
- [Phone Numbers] Contact numbers used in campaigns – +923361021455, +923301956704, +923315640313, +601128430746, +923328862313, +923121461238
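To apply the indicators above and the lookalike/shortener tradecraft described under the MITRE techniques, here is an added triage example (not from Resecurity or PKCERT) that scans SMS message bodies and flags hosts that are known kit domains, campaign shortener services, or unsanctioned domains borrowing Pakistan Post and gov.pk tokens. The allow-listed domain pakpost.gov.pk, the brand-token heuristic and all sample messages are assumptions constructed for the example.

```python
import re

# Indicators from the report: kit-hosting domains and the shortener / QR-code
# services the actors used to deliver links.
IOC_DOMAINS = {"ep-gov-ppk.cyou", "pk-post-goi.xyz", "pak-post.com",
               "pakpotech.top", "ytfrt.top"}
SHORTENERS = {"l.ead.me", "is.gd", "2h.ae", "linkr.it", "qrco.de"}
# Assumed legitimate sender domain; used only so it is never flagged.
ALLOWED = {"pakpost.gov.pk"}
# Tokens the lookalike domains borrow from the brand and the gov.pk namespace
# (heuristic chosen for this example, not taken from the report).
BRAND_TOKENS = ("pak", "post", "gov", "goi", "ppk")

URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def hosts_in(message):
    """Return the lower-cased host names of all URLs found in an SMS body."""
    return [m.group(1).lower() for m in URL_RE.finditer(message)]


def looks_like_pakpost(host):
    """Heuristic: an unsanctioned host whose labels borrow two or more brand tokens."""
    if host in ALLOWED:
        return False
    labels = host.replace("-", ".").split(".")
    return sum(1 for t in BRAND_TOKENS if t in labels) >= 2


def classify(message):
    """Return (host, reason) findings for one message; an empty list means clean."""
    findings = []
    for host in hosts_in(message):
        if host in IOC_DOMAINS:
            findings.append((host, "known smishing kit domain"))
        elif host in SHORTENERS:
            findings.append((host, "shortener/QR service used by the campaign"))
        elif looks_like_pakpost(host):
            findings.append((host, "lookalike of Pakistan Post / gov.pk"))
    return findings


# Constructed sample messages (not real captures).
SAMPLES = [
    "Pakistan Post: your parcel is held, pay the fee at https://pk-post-goi.xyz/id",
    "Your package could not be delivered, see is.gd/EXAMPLE",
    "Track your item at https://pakpost.gov.pk/tracking",
    "EMS notice: confirm your address at http://pak-post-gov.top/ep",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg) or "clean", "<-", msg)
```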