Mobile Phishing Campaign in India Exploits India Post Lures | FortiGuard Labs

Fortinet FortiGuard Labs observed a mobile phishing campaign targeting India Post users in India, using iMessage smishing to lure iPhone users with fake India Post package delivery notices. The operation involves hundreds of newly registered domains impersonating India Post and is attributed to the China-based threat actor group known as the Smishing Triad.

Keypoints

  • The campaign targets iPhone users in India using iMessage-based smishing that impersonates India Post and hints at a package waiting at an India Post warehouse.
  • Public reporting attributes this activity to the China-based threat actor group “Smishing Triad” with a history of targeting multiple regions.
  • Investigations found extensive domain-name abuse: over 470 domains registered to mimic India Post, including homograph phishing attempts with lookalike domains.
  • Most domains are hosted on Tencent infrastructure, with a substantial number tied to a single IP and numerous domains registered in a few regions.
  • The phishing sites clone India Post’s website and request sensitive information, including personal data and debit/credit card details, under the guise of redelivery fees.
  • Fortinet protections (WebFilter, IP Reputation, and related services) detect and block these phishing domains, and Fortinet offers training and simulation tools to improve user awareness.
  • Recommendations emphasize skepticism of unexpected messages, URL verification, HTTPS awareness, MFA, and reporting incidents to authorities.

MITRE Techniques

  • [T1071] Phishing – Threat actors send fraudulent messages via iMessage to lure victims into providing personal information. ‘The threat actors begin by sending a message via iMessage directly to the recipients’ registered Apple ID email addresses.’
  • [TLDs] Domain Spoofing – Domain registrations mimic India Post to host phishing sites; this activity exemplifies a homograph phishing attack, in which domain names are crafted to look visually similar to legitimate ones.
  • [T1070] Credential Harvesting – The fraudulent sites request payment details: the next page asks for debit/credit card information for a payment of INR 25.02, and as the victim continues through the flow, the fraudsters collect sensitive information such as name, full residential address, email ID, and phone number.
  • [T1203] Social Engineering – Impersonating India Post to manipulate victims; the messages create a sense of urgency, prompting victims to click on malicious links.
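As an added example (not FortiGuard's code), a small triage check for the lookalike-domain pattern described above: each DNS label is folded to its visual "skeleton" (punycode decoded, confusable digits and Cyrillic letters mapped to Latin, hyphens dropped) and compared with the impersonated brand label. It assumes indiapost.gov.in is the legitimate domain; the sample hosts other than indiapost.xyz from the report are constructed.

```python
import unicodedata

BRAND = "indiapost"            # the label the campaign impersonates
LEGIT = {"indiapost.gov.in"}   # assumed legitimate India Post domain

# Digits and Cyrillic letters a reader confuses with Latin (constructed subset of Unicode confusables).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}

def skeleton(label: str) -> str:
    # Fold one DNS label to what a victim sees at a glance.
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")   # punycode -> Unicode
        except UnicodeError:
            pass
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = s.replace("rn", "m").replace("vv", "w")              # multi-letter look-alikes
    return s.replace("-", "")                                # "india-post" -> "indiapost"

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    if host in LEGIT or any(host.endswith("." + d) for d in LEGIT):
        return "legitimate"
    labels = host.split(".")[:-1]                        # drop the TLD
    for sk in [skeleton(l) for l in labels] + [skeleton("".join(labels))]:
        if BRAND in sk or levenshtein(sk, BRAND) <= max_distance:
            return "lookalike"
    return "unrelated"

# Constructed sample: one domain from the report plus invented variants.
SAMPLE_HOSTS = ["indiapost.gov.in", "indiapost.xyz", "india-post.xyz",
                "indiap0st-track.com", "indiap\u043est.xyz", "example.com"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:24} {classify(h)}")
```

The check is a triage aid for newly registered domain feeds, not a blocklist by itself: a flagged host still needs a human or reputation-service verdict.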

Indicators of Compromise

  • [Sender Email Address] – Phishing emails used to impersonate India Post – ital enbabusik@hotmail[.]com, jessica467@qlq-online[.]de, marrotte436915@gmail[.]com, orozcoharryavw@hotmail[.]com, chermonahscales2980545@gmail[.]com
  • [Domain Names] – Impersonating India Post – indiapost.xyz, indiapost.online, and 2 more domains
  • [IP Address] – 119.28.68[.]187 (hosted on Tencent) as a common hosting target for multiple phishing domains

Read more: https://feeds.fortinet.com/~/901765292/0/fortinet/blog/threat-research~Phishing-Campaign-Targeting-Mobile-Users-in-India-Using-India-Post-Lures