The “Smishing Triad” Campaign

Have you received a text message regarding an unpaid toll or package misdelivery lately? You are not the only one. Researchers discovered a SMiShing (SMS text phishing) campaign attributed to the “Smishing Triad” that has been circulating since April 2024. A China-based threat actor has been impersonating a variety of international services within critical infrastructure, including banking, cryptocurrency, e-commerce, healthcare, law enforcement, and social media. The campaign places a significant focus on targeting US residents by impersonating organizations, such as commercial and state-owned mail and package delivery services, state vehicles and licensing agencies, and state and federal tax services or agencies. The “Smishing Triad” employs standard tactics by sending text messages that create urgency to trick victims into acting immediately. Once victims click on an included link, they are directed to a phishing page that captures sensitive information, including Social Security numbers, addresses, payment information, and login credentials.

This threat actor has been challenging to detect because of the way its operation and hosting infrastructure are structured. Researchers have identified 194,000 malicious domains linked to the operation. The attack infrastructure is primarily hosted on popular US cloud services, despite the malicious domains being registered through a Hong Kong-based registrar and utilizing Chinese nameservers. A majority of the “Smishing Triad” root domains were created with a hyphenated series of strings followed by a top-level domain (TLD) (e.g., [string1]-[string2].[TLD]). For example, one of the domains linked to this threat actor is “ezpassnj[.]gov-mhmt[.]xin,” which could be mistaken for the legitimate ezpassnj.gov because the genuine name appears at the start of the hostname while the registered root domain is actually gov-mhmt[.]xin. Notably, this campaign is evolving to impersonate many types of services, as there has been a significant increase in the registration of “.gov” TLDs in the past three months.
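The lookalike pattern described above can be checked mechanically. The following is an added example (not code from the advisory or its researchers) that refangs an indicator, treats the last two labels as the registered root domain (an assumption, since no public-suffix list is used), and flags hostnames where a protected brand domain such as ezpassnj.gov appears as the leading text but the root domain differs; the hyphenated [string1]-[string2].[TLD] shape is reported as a secondary signal.

```python
import re
from urllib.parse import urlparse

# Legitimate domains whose brand the lookalikes imitate. ezpassnj.gov is the one
# named in the advisory; a defender would extend this list with their own brands.
PROTECTED_DOMAINS = ["ezpassnj.gov"]

# The advisory's "[string1]-[string2].[TLD]" root-domain shape.
HYPHENATED_ROOT = re.compile(r"^[a-z0-9]+-[a-z0-9]+\.[a-z]{2,}$")

def refang(indicator: str) -> str:
    """Restore a defanged indicator such as 'ezpassnj[.]gov-mhmt[.]xin' to a hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if "://" in host:  # accept full URLs as well as bare hostnames
        host = urlparse(host).hostname or ""
    return host.strip(".")

def registrable_domain(host: str) -> str:
    # Assumption: no public-suffix list offline, so the last two labels are
    # treated as the registered (root) domain, e.g. "gov-mhmt.xin".
    return ".".join(host.split(".")[-2:])

def classify(indicator: str) -> dict:
    """Return the hostname, its root domain and a list of lookalike findings."""
    host = refang(indicator)
    root = registrable_domain(host)
    findings = []
    for legit in PROTECTED_DOMAINS:
        # The legitimate name is the leading text of the hostname (followed by
        # "." or "-"), but the name actually registered is something else.
        follows = host[len(legit):len(legit) + 1]
        if root != legit and host.startswith(legit) and follows in (".", "-"):
            findings.append(f"brand-prefix:{legit}")
    if HYPHENATED_ROOT.match(root):
        findings.append("hyphenated-root")
    return {"host": host, "root": root, "findings": findings}

def is_suspicious(indicator: str) -> bool:
    # A hyphenated root alone is a weak signal (many legitimate domains contain
    # hyphens), so only the brand-prefix finding decides.
    return any(f.startswith("brand-prefix:") for f in classify(indicator)["findings"])

if __name__ == "__main__":
    # Constructed samples: the advisory's indicator, the real site, and a made-up variant.
    for sample in ["ezpassnj[.]gov-mhmt[.]xin", "https://www.ezpassnj.gov/", "ezpassnj.gov.pay-now.top"]:
        print(sample, "->", classify(sample))
```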

Recommendations

  • Identify red flags, such as unexpected requests for personal information, suspicious links, or urgent requests to take immediate action.
  • If you are unsure about a text message, contact the organization or individual mentioned in the message directly through trusted sources to verify the information and request.
  • Be cautious of spoofed numbers, as scammers can disguise their phone numbers to appear as if they are from a trusted source.
  • Block the sender’s number to prevent further unwanted messages.
  • Share information about SMiShing scams to help others stay safe.
  • Forward the scam text message to 7726 (SPAM).
  • Report SMiShing scams to the NJCCIC, the FBI’s IC3, and the FTC.