A China-based hacking group known as Smishing Triad has waged text message-borne phishing attacks against individuals in India, using the country’s government-operated postal system as a lure.

The threat actors are targeting iPhone users with text messages falsely claiming that a package is awaiting collection at an India Post warehouse. The deceptive messages contain URLs leading to fraudulent websites.

According to a new Fortinet FortiGuard Labs report, more than 470 domains mimicking India Post’s official domain were registered between January and July 2024, the majority via Chinese and American domain registrars.

Researchers at FortiGuard Labs discovered phishing emails sent via iMessage using third-party email addresses like Hotmail, Gmail, and Yahoo. Apple ID accounts configured with these third-party emails send the malicious messages containing short URLs that direct recipients to the fraudulent websites.

Text Phishing Goes Postal

India Post is just the latest mail service to face mobile phishing attacks. The US Postal Service (USPS) recently found its name abused in smishing attacks orchestrated by a single threat actor based in Tehran. Another recent smishing attack aimed at US citizens informed them they had unpaid road tolls, with the aim of coercing targets into giving up their bank information.

Stephen Kowski, field CTO at SlashNext Email Security+, says the India Post phishing campaign highlights the evolving tactics of threat actors.

“They are now leveraging trusted communication channels like iMessage to deceive victims, underscoring the need for comprehensive mobile Web threat protection that can detect and block malicious URLs, even when wrapped in encrypted messages,” he says.

As SMS- and other text-based attacks become increasingly sophisticated, organizations must prioritize educating their users on how to identify and report suspicious messages, he notes. “They must also implement robust security measures that can inspect and mitigate threats in real-time, regardless of the communication channel used.”

By extending security controls to the mobile Web, organizations can better protect their users from these types of attacks, even when they occur outside of traditional network perimeters.

“Mobile First” Attacks Rise

Mobile devices are a prime target for phishing campaigns, given the number of phishing vectors available to attackers, be it SMS, QR codes, third-party communication apps, or personal email.

This, combined with the false sense of security most users and organizations have on mobile and a lack of active security controls, makes mobile phishing campaigns a low-risk, high-reward way for attackers to go after both personal and corporate information.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says this type of “mobile first” attack is something that is occurring more and more every day.

“Cybercriminals and hackers have begun to realize that there’s a false sense of security with mobile devices, particularly those on iOS,” he says.

Users tend to be less careful on their mobile devices than on a standard computer or laptop, and they rarely have proper security controls in place on their mobile devices.

“Our own research has shown a significant rise recently in mobile-targeted phishing attacks that only fully execute the attack when the link is clicked from a mobile device,” he says. “Users must be on guard for anything that appears unusual, especially related to a text message or SMS.”

He advises companies to have strong mobile endpoint protection defenses on employee phones to protect against exactly this type of attack, or worse.

Source: www.darkreading.com