Resecurity uncovered a large-scale smishing campaign, tracked as Smishing Triad, that impersonates postal services to harvest PII and payment-card data from victims in the US and abroad. The lures are delivered via iMessage from compromised iCloud accounts rather than over SMS or voice. The operation functions as a cybercrime-as-a-service network, distributing ready-to-use smishing kits and targeting USPS and other postal/logistics services worldwide. #SmishingTriad #USPS #RoyalMail #AgenziaDelleEntrate #NewZealandPost #Correos #PostNord #PocztaPolska #PosteItaliane #JTExpress #iMessage #iCloud
Keypoints
- The Smishing Triad campaign impersonates multiple postal and government-linked services to collect PII and payment credentials, targeting US citizens and others globally.
- The actors deliver the lures solely via iMessage from compromised Apple iCloud accounts, rather than via traditional SMS or voice calls.
- The operation includes a productized “smishing kit” marketed as a service on Telegram, enabling others to deploy phishing/smishing campaigns.
- Resecurity recovered and analyzed over 108,000 victim data records, and identified an SQL-injection vulnerability in the kit's resources that its analysts used to learn about the kit's structure and origin.
- Dozens of malicious domains, mainly in the “.top” zone with more in other TLDs, were registered via NameSilo to host the kits, typically fronted by Cloudflare.
- The group operates as a Cybercrime-as-a-Service network, with pricing (e.g., “shuju” subscriptions starting at $200/month) and multi-role members (designers, developers, sales).
MITRE Techniques
- [T1566.003] Phishing via Service – Smishing delivered via iMessage using compromised iCloud accounts to harvest PII and payment data. Quote: “The key detail of ‘Smishing Triad’ campaign is that bad actors solely used iMessages sent from compromised Apple iCloud accounts as their main fraud delivery method instead of traditional SMS or calls.”
- [T1190] Exploit Public-Facing Application – The smishing kit's web back end exposed an SQL-injection vulnerability. Note that in the source this vulnerability was exploited by Resecurity's HUNTER analysts against the kit, not by Smishing Triad against victims, so the mapping describes a weakness in the actors' infrastructure rather than an adversary technique. Quote: “The exploitation of the identified SQL-injection vulnerability enabled HUNTER analysts to collect additional insights about the structure and origin of the smishing kit.”
- [T1583] Acquire Infrastructure – Domain names used by Smishing Triad were registered in the “.top” zone via NameSilo and placed behind Cloudflare around August 2023. Quote: “domain names used by ‘Smishing Triad’ registered in ‘.top’ zone via NameSilo and protected by Cloudflare around August 2023.”
Indicators of Compromise
- [Domain] – ususmx[.]top, ususnb[.]top, ususgs[.]top, ususcgh[.]top, uspoddp[.]top, uspsjh[.]top, ususnu[.]top, usushk[.]top, ususcsa[.]top, uspoky[.]top, usplve[.]top, ususcac[.]top, uspshhg[.]top, uspodad[.]top, uspogumb[.]top, uspsuiu[.]top, uspskkq[.]top, ususuua[.]top (and 2 more domains) – domains used to host/supply kit infrastructure.
- [Domain] – wangduoyu[.]me, wangduoyu[.]shop, wangduoyu[.]site – aliases/signatures tied to the actors and kit operations.
- [Email] – mjlozak@icloud[.]com – compromised iCloud account used to deliver iMessages in the campaign.
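As an added example (not code from Resecurity or from the report), the following Python script turns the domain indicators above into a simple detector for message logs. It refangs the defanged IoCs, extracts hostnames from URLs in each message body, flags exact matches against the listed domains, and additionally flags unlisted hosts that follow the naming pattern visible in the list (short USPS-flavoured labels in the ".top" zone). That look-alike regex is an assumption of this example drawn from the published domain names, not a rule from the report, and the sample messages are constructed here rather than taken from the campaign. Only the domains the page names are included; the two unnamed domains are not.

```python
import re
from urllib.parse import urlparse

# IoC domains named in the Resecurity summary, kept defanged as on the page.
SMISHING_TRIAD_DOMAINS = """
ususmx[.]top ususnb[.]top ususgs[.]top ususcgh[.]top uspoddp[.]top uspsjh[.]top
ususnu[.]top usushk[.]top ususcsa[.]top uspoky[.]top usplve[.]top ususcac[.]top
uspshhg[.]top uspodad[.]top uspogumb[.]top uspsuiu[.]top uspskkq[.]top ususuua[.]top
wangduoyu[.]me wangduoyu[.]shop wangduoyu[.]site
""".split()


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]top', 'hxxps://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_SET = {refang(d) for d in SMISHING_TRIAD_DOMAINS}

# Heuristic derived from the naming pattern of the listed domains. This is an
# assumption of the example, not a rule published in the report: a USPS-like
# prefix, a few more letters, and the .top TLD.
LOOKALIKE_RE = re.compile(r"^(usus|usps|uspo|uspl)[a-z]{2,6}\.top$")

# Matches live or defanged URLs inside a message body.
URL_RE = re.compile(r"""(?:hxxps?|https?)://[^\s<>"']+""", re.IGNORECASE)


def extract_domains(text: str) -> list[str]:
    """Pull the hostname out of every URL in a message body (defanged or not)."""
    hosts = []
    for match in URL_RE.findall(text):
        host = urlparse(refang(match)).hostname
        if host:
            hosts.append(host)
    return hosts


def classify(text: str) -> dict:
    """Report which hostnames in a message hit the IoC list or the look-alike heuristic."""
    hits = {"ioc": [], "lookalike": []}
    for host in extract_domains(text):
        if host in IOC_SET:
            hits["ioc"].append(host)
        elif LOOKALIKE_RE.match(host):
            hits["lookalike"].append(host)
    return hits


def scan(messages):
    """Evaluate (sender, body) records and return only those worth alerting on."""
    alerts = []
    for sender, body in messages:
        result = classify(body)
        if result["ioc"] or result["lookalike"]:
            alerts.append({"sender": sender, **result})
    return alerts


# Constructed sample messages for this example; not real captures from the campaign.
SAMPLE_MESSAGES = [
    ("sender-a@icloud.com",
     "USPS: your package is on hold, confirm your address at https://ususmx.top/track"),
    ("sender-b@icloud.com",
     "Delivery failed. Update your details: hxxps://uspsabc[.]top/redelivery"),
    ("+15550100",
     "Your USPS item is out for delivery. Track at https://tools.usps.com/go/TrackConfirmAction"),
    ("sender-c@icloud.com", "Hi, still on for lunch tomorrow?"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES):
        print(alert)
```

Exact IoC matches are high-confidence and can be alerted on directly; the look-alike bucket is a hunting lead rather than a verdict, because the regex will also fire on benign short ".top" names that happen to start with "usps". Legitimate USPS hosts such as tools.usps.com are not matched by either path.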
Read more: https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft