The Smishing Triad, a Chinese eCrime group, has launched aggressive SMS phishing ("smishing") campaigns affecting organizations across 121 countries, targeting sectors including finance, logistics, and public services. Its infrastructure is evolving rapidly, with recent developments indicating a focus on sophisticated phishing kits aimed at the banking sector. The group cycles through over 25,000 domains, which makes tracking its activity challenging. Several high-profile banks and financial institutions have become targets.
Affected sectors: postal services, logistics, telecommunications, transportation, finance, retail, public sector
Key points:
- The Smishing Triad has targeted organizations in at least 121 countries with SMS phishing campaigns.
- Research indicates that over one million page visits occurred within just 20 days, suggesting a much higher volume of messages than previously estimated.
- A new phishing kit called "Lighthouse" was announced, targeting major financial institutions, particularly in Australia and the APAC region.
- The group claims to have over 300 staff enlisted to support various fraud operations.
- The infrastructure relies heavily on two Chinese hosting companies: Tencent and Alibaba.
- Smishing campaigns initially relied on compromised Apple iCloud accounts before shifting to local phone numbers.
- Recent reports show a significant uptick in phishing attempts aimed at USPS and other postal services.
- The group rotates domains frequently, having used approximately 25,000 domains over eight days.
MITRE Techniques:
- Phishing (T1566): The Smishing Triad uses SMS messages to lure victims into providing sensitive information.
- Credential Dumping (T1003): Phishing kits like Lighthouse collect victim credentials in real time.
- Exploitation of Public-Facing Application (T1190): The phishing pages exploit public-facing services to trick users, with banks as the primary targets.
- Drive-by Compromise (T1189): Multiple domains are used in these campaigns to trick victims into visiting compromised sites.
Indicators of Compromise:
- Domain: appexpress[.]top
- Domain: address-4-72[.]top
- Domain: autopistes[.]asia
- Domain: evriuk[.]top
- Email Address: ceshi@gmail[.]com
Full Story: https://www.silentpush.com/blog/smishing-triad/