CyberSecurity news

FlagThis - #sms

Stu Sjouwerman@blog.knowbe4.com //
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.

Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies.

The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers.
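As an added defender-side example (not code from any of the sources above): a small heuristic that scores an incoming SMS for the toll-lure pattern these reports describe, operator impersonation, unpaid-fee urgency, a lookalike link, and the "reply Y" link-activation trick. The sample messages and the allowlist entry are constructed.

```python
import re
from urllib.parse import urlparse

# Toll operators named in the reports; extend with the brands your users actually hold.
TOLL_BRANDS = ("e-zpass", "ezpass", "the toll roads", "fastrak", "florida turnpike")
# Urgency phrasing used by the lures: unpaid fees, fines, licence suspension.
URGENCY = re.compile(
    r"\b(unpaid|overdue|outstanding|delinquent)\b[^.!?]{0,40}\b(toll|fee|balance|invoice)\b"
    r"|\b(fine|penalt(y|ies)|suspen(sion|ded))\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
# "Reply Y to activate the link": the trick used to get a dead link re-enabled on the handset.
REPLY_Y = re.compile(r"\breply\s+(?:with\s+)?['\"]?y['\"]?(?!\w)", re.I)
# Assumption: a defender-maintained allowlist of the operators' real domains (placeholder entry).
KNOWN_GOOD_DOMAINS = {"official-toll-operator.invalid"}

# Constructed sample messages, not real ones.
SAMPLE_MESSAGES = [
    "E-ZPass: You have an unpaid toll of $6.99. Pay now to avoid a $50 fine: "
    "https://ezpass-toll-pay.example/bill",
    "Reply Y to open the link, then exit and reopen this text. Unpaid toll invoice pending.",
    "Your package was delivered to the front porch.",
]

def brand_mentioned(text: str) -> bool:
    return any(b in text.lower() for b in TOLL_BRANDS)

def suspicious_domains(text: str) -> list[str]:
    """Hosts that borrow a toll brand or the word 'toll' but are not on the allowlist."""
    found = []
    for u in URL.findall(text):
        host = (urlparse(u).hostname or "").lower()
        if host in KNOWN_GOOD_DOMAINS:
            continue
        flat = host.replace("-", "")
        if "toll" in flat or any(b.replace(" ", "").replace("-", "") in flat for b in TOLL_BRANDS):
            found.append(host)
    return found

def score_sms(text: str) -> dict:
    feats = {
        "brand": brand_mentioned(text),
        "urgency": bool(URGENCY.search(text)),
        "lookalike_domain": bool(suspicious_domains(text)),
        "reply_y": bool(REPLY_Y.search(text)),
    }
    # Any two indicators together form the toll-lure pattern; one alone is too noisy to act on.
    feats["verdict"] = "toll-smishing" if sum(feats.values()) >= 2 else "benign"
    return feats

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(score_sms(m)["verdict"], "|", m[:60])
```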

References :
  • blog.knowbe4.com: Toll-themed smishing attacks surge in US and UK
  • krebsonsecurity.com: Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.
  • The Hacker News: Cybersecurity researchers are warning of a widespread and ongoing SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • ciso2ciso.com: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States – Source:thehackernews.com
  • The DefendOps Diaries: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States
  • www.scworld.com: Massive ongoing US toll fraud underpinned by Chinese smishing kit
Classification:
Stu Sjouwerman@blog.knowbe4.com //
Tolling agencies throughout the United States are currently grappling with an escalating cybersecurity threat: deceptive text message scams known as smishing. These scams involve cybercriminals sending text messages that impersonate toll payment notifications, tricking individuals into clicking malicious links and making unauthorized payments. These messages often embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority.

These scams are part of a sophisticated campaign built on phishing-as-a-service (PhaaS) platforms, most recently one called Lucid. Such a platform lets cybercriminals launch large-scale phishing campaigns with minimal effort. The criminals behind this scheme abuse legitimate messaging channels such as Apple iMessage and Android RCS to bypass traditional carrier spam filters and deliver their malicious messages at scale.

The phishing messages typically claim unpaid toll fees and threaten fines or license suspension if recipients fail to respond. The Lucid platform offers advanced features such as dynamic targeting, device-specific focus, and evasion techniques. These features allow attackers to tailor campaigns for iOS or Android users, block connections from non-targeted regions, and prevent direct access to phishing domains.

References :
  • aboutdfir.com: Have you ever received an odd text message on your phone, purporting to be from a toll provider or package delivery service? If you have a U.S. cell phone, chances are you’ve encountered one of these SMiShing attempts—cybercriminals’ latest ploy to trick you into giving up your personal
  • www.cysecurity.news: Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate.
  • Cyber Security News: Beware! Phishing Scam Uses Fake Unpaid Tolls Messages to Harvest Login Credentials
  • gbhackers.com: Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials
  • www.bleepingcomputer.com: E-ZPass toll payment texts return in massive phishing wave
  • BleepingComputer: An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information.
  • The DefendOps Diaries: The Toll Payment Text Scam: A Modern Cybersecurity Threat
  • blog.knowbe4.com: Upgraded Phishing-as-a-Service Platform Drives a Wave of Smishing Attacks
  • cybersecuritynews.com: A sophisticated cybercriminal operation has emerged targeting toll payment services across multiple regions, with evidence suggesting this campaign will continue expanding globally.
  • Cyber Security News: Toll Payment Services Abused in Large-Scale Hacking Campaign
  • gbhackers.com: Threat Actors Exploit Toll Payment Services in Widespread Hacking Campaign
  • securityonline.info: Resecurity report details escalation of smishing by China-based Smishing Triad targeting toll payments in US and UK.
  • securityonline.info: Smishing Triad Expands Fraud Campaign, Targets Toll Payment Services
  • www.scworld.com: Toll payment service-targeted schemes by Smishing Triad escalates
  • Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
  • krebsonsecurity.com: China-based SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies.
  • www.silentpush.com: Smishing Triad is a Chinese eCrime group systematically targeting organizations in at least 121 countries with SMS phishing (“smishing”) campaigns.
  • bsky.app: SilentPush has published a profile of Chinese cybercrime group Smishing Triad. The group is massive, with operations across 121 countries. The report also looks at the group's new phishing kit, named Lighthouse.
  • gbhackers.com: Chinese eCrime Group Targets Users in 120+ Countries to Steal Banking Credentials
  • www.silentpush.com: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
  • blog.talosintelligence.com: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • cyberpress.org: “$5 SMS Scam Alert: Toll Road Users Targeted in New Phishing Campaign”
  • Daily CyberSecurity: Nationwide Smishing Scam Targets Toll Road Users, Stealing Payment Data
  • Cyber Security News: Cisco Talos has uncovered an ongoing financial theft campaign targeting toll road users across the United States through SMS phishing, or “smishing,” attacks. This campaign, active since October 2024, impersonates toll payment services to steal sensitive user information.
  • gbhackers.com: Cybersecurity researchers at Cisco Talos have uncovered a large-scale smishing campaign targeting toll road users across the United States.
Classification:
  • HashTags: #Smishing #TollScams #Cybersecurity
  • Company: US Tolling agencies
  • Target: Motorists
  • Attacker: Smishing Triad
  • Feature: SMS Phishing
  • Type: Phishing
  • Severity: Medium
@www.silentpush.com //
A China-based eCrime group known as the Smishing Triad has expanded its operations, targeting users across more than 121 countries with sophisticated SMS phishing campaigns. Originally focused on impersonating toll road operators and shipping companies, the group has now pivoted to directly target customers of international financial institutions. This expansion is accompanied by a dramatic increase in their cybercrime infrastructure and support staff, signaling a significant escalation in their activities. The group's operations span a diverse range of industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors.

The Smishing Triad's infrastructure is vast, utilizing over 8,800 unique IP addresses and stretching across more than 200 Autonomous System Numbers (ASNs). Recent data from server logs analyzed by Silent Push reveal that the group's infrastructure has been highly active, with over one million page visits logged in just 20 days. This suggests that the actual number of SMS phishing messages sent may be significantly higher than the previously estimated 100,000 per day. A large portion of the group's phishing sites are hosted by major Chinese companies, Tencent and Alibaba, indicating a strong connection to Chinese cyberspace.

The group's latest tactic involves the introduction of the "Lighthouse" phishing kit, unveiled on a Telegram channel by the developer identified as Wang Duo Yu. This kit targets numerous financial institutions, particularly in Australia and the broader Asia-Pacific region, as well as major Western financial institutions like PayPal, Mastercard, and HSBC. The Lighthouse kit boasts advanced features such as one-click setup, real-time synchronization, and mechanisms to bypass multiple layers of security like OTP, PIN, and 3DS verification, making it a formidable tool for stealing banking credentials. Smishing Triad boasts it has “300+ front desk staff worldwide” supporting the Lighthouse kit, and continues to sell its phishing kits to other threat actors via Telegram.

References :
  • krebsonsecurity.com: China-based SMS Phishing Triad Pivots to Banks - Krebs on Security
  • www.silentpush.com: Silent Push blog on Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
  • gbhackers.com: GBHackers article on Smishing Triad
  • Cyber Security News: CyberPress report on Chinese eCrime Group Launches Global Attack to Steal Banking Credentials from Users in 120+ Countries
  • securityonline.info: Smishing Triad: eCrime Group Targets 121+ Countries with Advanced Smishing
  • Security Latest: Smishing Triad: The Scam Group Stealing the World’s Riches
Classification:
  • HashTags: #Smishing #Phishing #eCrime
  • Company: Apple, Google
  • Target: Customers
  • Attacker: Smishing Triad
  • Product: SMS
  • Feature: SMS Phishing
  • Malware: Lighthouse
  • Type: Phishing
  • Severity: Medium