The Smishing Deluge: China-Based Campaign Flooding Global Text Messages


A large, evolving smishing campaign attributed to the Smishing Triad has used hundreds of thousands of short-lived domains to impersonate toll services, postal carriers, banks, cryptocurrency platforms, healthcare, law enforcement and social media to harvest credentials and personal data. The campaign leverages decentralized infrastructure (many domains, U.S.-hosted IPs, Chinese nameservers and a Hong Kong registrar) and is likely powered by a phishing-as-a-service ecosystem. #SmishingTriad #Dominet(HK)

Keypoints

  • Since Jan 1, 2024, analysts identified 194,345 FQDNs across 136,933 root domains tied to the campaign, with heavy domain churn and short lifetimes to evade detection.
  • Most root domains (≈68%) were registered through Dominet (HK) Limited and used Chinese nameservers, while hosting infrastructure concentrated on U.S. cloud IP space (notably AS13335, Cloudflare, and the 104.21.0.0/16 range within it).
  • The campaign impersonates a wide range of services—U.S. tolls and USPS (largest single impersonation), banks, crypto exchanges, e-commerce, healthcare and law enforcement—to extract SSNs, addresses, payment data and login credentials.
  • Smishing messages use urgent social engineering, sometimes via email-to-SMS or direct phone-number senders (notably +63 Philippines and increasing +1 U.S. numbers) to deliver phishing URLs.
  • Evidence indicates a PhaaS ecosystem (Smishing Triad Telegram channel) with specialized roles: data brokers, domain sellers, hosting providers, kit developers, SMS spammers, liveness and blocklist scanners.
  • Tracking relied on a multi-faceted intelligence framework combining WHOIS/pDNS, evolving domain patterns, visual clustering of screenshots and graph-based infrastructure analysis.
  • Palo Alto Networks and CTA members have protections available (Advanced URL Filtering, Advanced DNS Security) and provide incident response support via Unit 42 contact channels.

MITRE Techniques

  • [T1204] User Execution – SMS messages use urgent social engineering to trick victims into clicking phishing URLs and divulging credentials: “…using SMS messages for social engineering to create a sense of urgency and prompt victims into immediate action.”
  • [T1583] Acquire Infrastructure – Attackers register large numbers of domains and use registrar/services to host phishing sites: “…identified over 194,000 malicious domains linked to this operation since Jan. 1, 2024…registered through a Hong Kong-based registrar and use Chinese nameservers.”
  • [T1583.001] Acquire Infrastructure: Domains – Use of thousands of short-lived, typosquatted and hyphenated domains to impersonate legitimate services: “…domains such as irs.gov-addpayment[.]info could trick people into thinking they are navigating to irs[.]gov.”
  • [T1071.001] Application Layer Protocol: Web Protocols – Phishing pages hosted on web infrastructure (U.S. cloud IPs, AS13335) deliver credential-harvesting forms and fake CAPTCHAs: “…landing pages containing fake notices…fake CAPTCHA page that is designed to manipulate users into executing malicious scripts.”
  • [T1585] Establish Accounts – Use of third-party services (domain registrars, DNS providers, cloud hosting) and consolidation of DNS under providers like AliDNS and Cloudflare: “…a large majority of the FQDNs use just two providers: AliDNS (45.6%) and Cloudflare (34.6%).”
  • [T1588.002] Obtain Capabilities: Tool – Phishing kits, domain registration and SMS delivery bought as services from an underground PhaaS ecosystem on Telegram: “…channel has evolved…advertising various underground services such as domain registration, data sales and message delivery.”

Indicators of Compromise

  • [Domain] example phishing FQDNs used to impersonate services – usps.com-posewxts[.]top, irs.gov-addpayment[.]info, and many others (the report counts 194,345 FQDNs across 136,933 root domains); note the pattern of a real brand domain as the leading labels, followed by a hyphen and a throwaway root domain.
  • [Registrar] dominant registrar used for malicious registrations – Dominet (HK) Limited (≈93,197 root domains) – context: bulk registrations for campaign domains.
  • [Nameserver Providers] DNS infrastructure providers frequently observed – AliDNS, Cloudflare – context: majority of FQDNs use these nameservers for DNS management.
  • [IP/Subnet] hosting infrastructure concentration – AS13335 (Cloudflare), notably 104.21.0[.]0/16 – context: many attack domains resolve to IPs in this subnet; treat it as a pivot for clustering, not as a blocklist, since the range is shared with legitimate Cloudflare customers.
  • [Phone Number Country Codes] sender patterns observed in smishing messages – +63 (Philippines), increasing use of +1 (U.S.) phone numbers – context: SMS origins used to deliver phishing URLs.
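The brand-prefix domain shape in the indicators above (a genuine domain such as usps.com or irs.gov as the leading labels, then a hyphen and an unrelated root domain) and the sender/urgency patterns from the keypoints are easy to turn into triage logic. The following is an added example, not code from Unit 42 or from the report; the watchlist, score weights and the four SMS records are constructed for illustration and the registrable-domain helper assumes two-label roots (no public-suffix list).

```python
"""Offline triage of SMS records against the smishing patterns summarized above.

Added example; the watchlist, weights, sample messages and sender numbers are
constructed for illustration and are not indicators from the Unit 42 report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Assumed watchlist of legitimate domains the lures imitate; extend as needed.
BRAND_DOMAINS = {"usps.com", "irs.gov"}

# Sender country codes called out in the report. +1 is far noisier than +63,
# so it contributes less to the score (the weights are an assumption).
SENDER_CODE_SCORES = {"+63": 2, "+1": 1}

# Urgency phrases typical of the lures; each hit adds one point.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "suspended", "final notice", "unpaid", "penalty")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so URLs can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Root domain as the last two labels.

    Assumption: no public-suffix list is consulted, which is fine for the
    .top/.info/.com TLDs seen here but wrong for suffixes like .co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brand(host: str) -> Optional[str]:
    """Return the brand a host imitates, or None.

    Catches the 'brand.tld-<junk>.<tld>' and 'brand.tld.<junk>.<tld>' shapes
    (usps.com-posewxts.top, irs.gov-addpayment.info): the hostname starts
    with a real domain, but the registrable domain belongs to someone else.
    """
    host = host.lower().rstrip(".")
    if any(host == b or host.endswith("." + b) for b in BRAND_DOMAINS):
        return None  # genuinely under the brand's own domain
    for brand in sorted(BRAND_DOMAINS):
        if host.startswith(brand + "-") or host.startswith(brand + "."):
            return brand
    return None


@dataclass
class Verdict:
    sender: str
    urls: List[str] = field(default_factory=list)
    spoofed: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    @property
    def flagged(self) -> bool:
        # A brand-prefix domain is conclusive by itself; weaker signals need to stack.
        return bool(self.spoofed) or self.score >= 4


def triage(sender: str, body: str) -> Verdict:
    """Score one SMS record on URL impersonation, sender origin and urgency."""
    v = Verdict(sender=sender)
    v.urls = URL_RE.findall(refang(body))
    for url in v.urls:
        host = urlparse(url).hostname or ""
        brand = spoofed_brand(host)
        if brand:
            v.spoofed.append(brand)
            v.score += 3
            v.reasons.append(f"{host} imitates {brand} (root {registrable_domain(host)})")
    if "@" in sender:  # email-to-SMS gateway delivery
        v.score += 1
        v.reasons.append("sender is an email-to-SMS gateway address")
    for code, pts in SENDER_CODE_SCORES.items():
        if sender.startswith(code):
            v.score += pts
            v.reasons.append(f"sender country code {code}")
            break
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    v.score += len(hits)
    v.reasons.extend(f"urgency phrase: {p}" for p in hits)
    return v


SAMPLE_SMS = [  # constructed records, not real captures
    ("+639170000001", "USPS: your package is on hold. Update your address within 24 hours: hxxps://usps.com-posewxts[.]top/track"),
    ("+12025550143", "Final notice: unpaid toll balance. Pay now to avoid a penalty hxxp://irs.gov-addpayment[.]info/pay"),
    ("alerts@example.net", "Your account is suspended. Verify here: hxxps://secure-login.example[.]net/verify"),
    ("+12025550199", "Your package was delivered today. Track: https://tools.usps.com/go/TrackConfirmAction"),
]


def run() -> List[Verdict]:
    """Triage every sample record; returned so callers can inspect the verdicts."""
    return [triage(s, b) for s, b in SAMPLE_SMS]


if __name__ == "__main__":
    for v in run():
        print(f"{v.sender:>20}  score={v.score}  flagged={v.flagged}  " + "; ".join(v.reasons))
```

The first two records are flagged on the brand-prefix domain alone; the third (an email-to-SMS sender with urgency wording but a non-impersonating host) and the fourth (a legitimate tools.usps.com link from a +1 number) fall below the threshold. The `registrable_domain` output ("com-posewxts.top", "gov-addpayment.info") is the root domain to pivot on in WHOIS/pDNS, which is where the registrar and nameserver patterns in the indicators above become useful.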


Read more: https://unit42.paloaltonetworks.com/global-smishing-campaign/