Chinese-speaking cybercriminals have launched an iMessage smishing (SMS phishing) campaign in the United States. The campaign sends iMessages from compromised Apple iCloud accounts with the aim of identity theft and financial fraud.
The orchestrators of this campaign, tracked as the Smishing Triad, run a fraudulent package-tracking text scam delivered through iMessage. Their goal is to harvest personally identifiable information (PII) and payment card details from unsuspecting victims.
Resecurity’s Analysis of Smishing Triad
Resecurity, in a recent analysis, pointed out that this campaign has connections to identity theft and credit card fraud.
One distinctive feature of this cybercrime group is its “fraud-as-a-service” offering. It sells ready-made smishing kits via Telegram, priced at $200 per month. The kits impersonate well-known postal and delivery services in various countries, including the U.S., the U.K., Poland, Sweden, Italy, Indonesia, Malaysia, Japan, and others.
A notable aspect of this campaign is the use of breached Apple iCloud accounts to deliver messages claiming that a package delivery failed. The messages prompt recipients to click a link to reschedule the delivery and enter their credit card details into a counterfeit form hosted by the kit.
Resecurity’s examination of the smishing kit uncovered an SQL injection vulnerability that allowed the retrieval of more than 108,044 records of victims’ data. This raises the possibility that key members of the Smishing Triad use the vulnerability, or a deliberate backdoor, to covertly collect the personal and payment data intercepted by the other operators who rent the kit.
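The passage above describes two things a practitioner would want to see concretely: what the package-delivery lure looks like to a filter, and how a single injectable database lookup in a phishing kit exposes its entire victim table. The following is an added example written for this page; it is not Resecurity's tooling or code from the Smishing Triad kit. The sample messages, the carrier allowlist (`usps.com`, `ups.com`, `fedex.com`, `dhl.com`), the lure phrases, the `victims` table layout and the function names are all assumptions constructed for illustration. The SQL injection half is a generic demonstration of the vulnerability class using SQLite, not a reproduction of the flaw in the real kit.

```python
import re
import sqlite3
from urllib.parse import urlparse

# --- Part 1: triage of delivery-failure smishing lures -----------------------

# Assumed allowlist of legitimate carrier domains (example only; extend for
# your own environment). Links to any other domain are treated as suspect.
LEGIT_CARRIER_DOMAINS = {"usps.com", "ups.com", "fedex.com", "dhl.com"}
CARRIER_BRANDS = {"usps", "ups", "fedex", "dhl"}

# Lure phrasing typical of the "delivery failed, reschedule here" pretext
# described in the article. Constructed list, matched case-insensitively.
LURE_PHRASES = (
    "could not be delivered", "delivery failed", "unable to deliver",
    "delivery attempt", "reschedule", "redeliver",
    "incomplete address", "incorrect address",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "USPS: Your package could not be delivered due to an incomplete address. "
    "Reschedule at https://usps-redelivery.top/track",
    "Your USPS package 9400111899223 is out for delivery. "
    "Track: https://tools.usps.com/go/TrackConfirmAction",
    "Hey, are we still on for dinner tonight?",
    "FedEx: Delivery attempt unsuccessful. Reschedule at https://www.fedex.com/redelivery",
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com carriers used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_message(text: str) -> dict:
    """Flag a message only when lure phrasing AND a non-carrier link co-occur."""
    lowered = text.lower()
    lure_hits = [p for p in LURE_PHRASES if p in lowered]
    reasons = []
    if lure_hits:
        reasons.append(f"delivery lure phrasing: {lure_hits}")
    suspicious_urls = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in LEGIT_CARRIER_DOMAINS:
            continue
        suspicious_urls.append(url)
        # A carrier brand as a label of a non-carrier domain is a strong
        # impersonation signal (e.g. usps-redelivery.top).
        tokens = set(re.split(r"[.-]", host.lower()))
        if tokens & CARRIER_BRANDS:
            reasons.append(f"carrier brand in non-carrier domain: {host}")
        else:
            reasons.append(f"link to non-carrier domain: {host}")
    return {"smishing": bool(lure_hits) and bool(suspicious_urls),
            "reasons": reasons, "suspicious_urls": suspicious_urls}


def flag_messages(messages) -> list:
    """Return indices of messages classified as smishing."""
    return [i for i, m in enumerate(messages) if score_message(m)["smishing"]]


# --- Part 2: how an injectable lookup dumps a kit's whole victim table --------

def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a kit's victim table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE victims (id INTEGER PRIMARY KEY, "
                 "tracking_id TEXT, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO victims (tracking_id, name, card_last4) VALUES (?, ?, ?)",
        [("TRK1001", "victim-a", "1111"),
         ("TRK1002", "victim-b", "2222"),
         ("TRK1003", "victim-c", "3333")])
    return conn


def lookup_vulnerable(conn, tracking_id: str) -> list:
    """Deliberately injectable: user input is spliced into the SQL text."""
    sql = ("SELECT tracking_id, name, card_last4 FROM victims "
           f"WHERE tracking_id = '{tracking_id}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, tracking_id: str) -> list:
    """Parameterised form: the input can only ever be compared as a value."""
    sql = "SELECT tracking_id, name, card_last4 FROM victims WHERE tracking_id = ?"
    return conn.execute(sql, (tracking_id,)).fetchall()


if __name__ == "__main__":
    print("flagged messages:", flag_messages(SAMPLE_MESSAGES))
    payload = "' OR '1'='1"          # classic tautology payload
    db = build_db()
    print("vulnerable lookup dumps:", lookup_vulnerable(db, payload))
    print("safe lookup returns:", lookup_safe(db, payload))
```

Two design points are worth noting. The triage logic requires both a lure phrase and a link outside the carrier allowlist before flagging, so a genuine "delivery attempt unsuccessful" notice from `fedex.com` is not flagged while the same wording pointing at `usps-redelivery.top` is. In the SQL half, the tautology payload turns the `WHERE` clause into `tracking_id = '' OR '1'='1'`, which matches every row; that is the mechanism by which one injectable form in a kit exposes every record the kit has ever collected, whether found by a researcher or left in place by the kit's authors.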
The Telegram group linked to the Smishing Triad comprises individuals with diverse roles, including graphic designers, web developers, and salespeople. They oversee the development of high-quality phishing kits and their marketing on dark web cybercrime forums.
Additionally, there is evidence of collaboration between Vietnamese-speaking members of the group and the primary threat actors, as well as cooperation with financially motivated groups to expand their operations.
In addition to package-tracking text scams, the Smishing Triad is known for Magecart-like attacks, in which it injects malicious code into online shopping platforms to intercept customer payment data at checkout.
The Smishing Triad’s tactics combine social engineering with delivery of its phishing kit’s links via iMessage. This approach capitalizes on the trust users place in SMS and iMessage as communication channels, and has resulted in the successful compromise of numerous victims.