A sophisticated cybercriminal group known as the Smishing Triad has been linked to an extensive smishing campaign, utilizing over 194,000 malicious domains since January 1, 2024. This operation has targeted a diverse array of services worldwide, as detailed in recent findings by Palo Alto Networks’ Unit 42.
Despite registering these domains through a Hong Kong-based registrar and employing Chinese nameservers, the group’s attack infrastructure predominantly relies on popular U.S. cloud services. Security researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi, and Moe Ghasemisharif have highlighted this strategic choice, noting that it allows the attackers to blend their activities within legitimate traffic, thereby evading detection.
The Smishing Triad, a China-linked entity, is notorious for inundating mobile devices with fraudulent messages. These messages often pertain to toll violations or package misdeliveries, designed to prompt recipients into immediate action, leading them to divulge sensitive personal information. The effectiveness of these campaigns is underscored by their financial success; reports indicate that the group has amassed over $1 billion in the past three years through such fraudulent activities.
Further analysis by Fortra reveals that phishing kits associated with the Smishing Triad are increasingly targeting brokerage accounts. The second quarter of 2025 saw a fivefold increase in attacks on these accounts compared to the same period in the previous year. Once attackers gain access, they manipulate stock market prices using ramp and dump tactics, a method that leaves minimal paper trails and significantly heightens financial risks.
The Smishing Triad has evolved from merely supplying phishing kits to fostering a highly active community within the phishing-as-a-service (PhaaS) ecosystem. This ecosystem comprises various specialized roles:
– Phishing Kit Developers: Create and maintain the tools used for crafting phishing campaigns.
– Data Brokers: Sell databases of target phone numbers, enabling precise targeting.
– Domain Sellers: Register disposable domains that host phishing sites, facilitating rapid deployment and rotation.
– Hosting Providers: Offer server space for hosting malicious content.
– Spammers: Distribute phishing messages to victims on a large scale.
– Liveness Scanners: Validate the activity status of phone numbers to ensure messages reach active users.
– Blocklist Scanners: Monitor phishing domains against known blocklists to manage domain rotation effectively.
Unit 42’s investigation uncovered that approximately 68.06% of the 136,933 root domains are registered under Dominet (HK) Limited, a Hong Kong-based registrar. While the .com top-level domain (TLD) dominates, there has been a notable increase in gov TLDs over the past three months, indicating a strategic shift to enhance credibility.
The lifespan of these domains is remarkably short:
– 29.19% were active for two days or less.
– 71.3% remained active for less than a week.
– 82.6% were active for two weeks or less.
– Less than 6% had a lifespan beyond three months.
This rapid turnover underscores the campaign’s reliance on continuously registering new domains to evade detection mechanisms. The 194,345 fully qualified domain names (FQDNs) identified resolve to 43,494 unique IP addresses, predominantly located in the U.S. and hosted on Cloudflare’s infrastructure.
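As an added illustration of the lifespan statistics and the rapid-rotation point above (example code written for this page, not from the Unit 42 report or this article), the Python below profiles domain sightings into the same cumulative lifespan buckets the report uses and flags SMS link domains that are both newly seen and carry a toll or delivery lure keyword. The domain names, dates, sighting records and keyword list are constructed assumptions, not data from the report.

```python
from datetime import date

# Constructed sample sightings (not report data): domain, first day seen
# resolving, last day seen resolving.
SAMPLE_OBSERVATIONS = [
    ("usps-redelivery-update.example", date(2025, 3, 1), date(2025, 3, 2)),
    ("tollpay-notice.example",         date(2025, 3, 1), date(2025, 3, 1)),
    ("ezpass-balance-due.example",     date(2025, 3, 3), date(2025, 3, 8)),
    ("parcel-hold-fee.example",        date(2025, 3, 4), date(2025, 3, 16)),
    ("fastrak-unpaid.example",         date(2025, 2, 1), date(2025, 3, 20)),
    ("state-dmv-toll.example",         date(2024, 11, 1), date(2025, 3, 20)),
]

# Constructed keyword list of lure themes named in the article (assumption).
LURE_KEYWORDS = ("usps", "toll", "ezpass", "fastrak", "parcel", "dmv")


def lifespan_days(first_seen, last_seen):
    """Number of calendar days a domain was observed active, inclusive."""
    return (last_seen - first_seen).days + 1


def lifespan_profile(observations):
    """Cumulative shares (percent) in the buckets used by the report:
    two days or less, under one week, two weeks or less, over three months."""
    spans = [lifespan_days(first, last) for _, first, last in observations]
    total = len(spans)

    def share(pred):
        return round(100 * sum(1 for s in spans if pred(s)) / total, 2)

    return {
        "two_days_or_less": share(lambda s: s <= 2),
        "under_one_week": share(lambda s: s < 7),
        "two_weeks_or_less": share(lambda s: s <= 14),
        "over_three_months": share(lambda s: s > 90),
    }


def flag_sms_link(domain, first_seen, seen_on, max_age_days=14,
                  keywords=LURE_KEYWORDS):
    """Return (suspicious, reasons) for a link domain found in an SMS.

    A domain is flagged when it is young (first seen within max_age_days of
    the sighting) AND its name carries a lure keyword. Either signal alone is
    reported as a reason but is not enough on its own; legitimate new domains
    and long-lived keyword domains both exist.
    """
    reasons = []
    age = (seen_on - first_seen).days
    young = age <= max_age_days
    if young:
        reasons.append(f"domain first seen {age} day(s) before this message")
    hits = [k for k in keywords if k in domain.lower()]
    if hits:
        reasons.append("lure keyword(s) in domain: " + ", ".join(hits))
    return young and bool(hits), reasons


def profile_sample():
    """Lifespan buckets over the constructed sample."""
    return lifespan_profile(SAMPLE_OBSERVATIONS)


def flag_sample():
    """Flag each sample domain as if the SMS arrived on its last-seen day."""
    return {d: flag_sms_link(d, first, last)[0]
            for d, first, last in SAMPLE_OBSERVATIONS}


if __name__ == "__main__":
    for bucket, pct in profile_sample().items():
        print(f"{bucket:>20}: {pct}%")
    for d, first, last in SAMPLE_OBSERVATIONS:
        suspicious, reasons = flag_sms_link(d, first, last)
        print(f"{d}: {'FLAG' if suspicious else 'ok'} ({'; '.join(reasons)})")
```

In a real pipeline the first-seen date would come from passive DNS or registration data rather than a hard-coded list, and the age threshold is the knob to tune: the report's figures show most campaign domains live under two weeks, so a short window catches the bulk of them while sparing established brand domains.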
Key aspects of the infrastructure analysis include:
– Impersonation of Services: The U.S. Postal Service (USPS) is the most impersonated entity, with 28,045 FQDNs mimicking its services.
– Toll Service Lures: Approximately 90,000 phishing FQDNs are dedicated to campaigns using toll service-related lures, reflecting the effectiveness of this tactic.
– Geographical Hosting Distribution: The majority of attack infrastructure generating high traffic volumes is based in the U.S., followed by China and Singapore.
– Diverse Targeting: The campaigns have impersonated a wide range of entities, including banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, electronic toll systems, carpooling applications, hospitality services, social media platforms, and e-commerce sites in countries such as Russia, Poland, and Lithuania.
In phishing campaigns that impersonate government services, users are often redirected to landing pages claiming unpaid tolls or other service charges. Some campaigns employ ClickFix lures, tricking users into running malicious code under the guise of completing a CAPTCHA check.
Unit 42 emphasizes that the smishing campaign impersonating U.S. toll services is part of a larger, decentralized operation with global reach, targeting various services across multiple sectors. The attackers’ strategy involves registering and rapidly cycling through thousands of domains daily, making detection and mitigation challenging.