As our dependence on digital communication continues to grow, so does the complexity and pace of the cybersecurity threat landscape. One threat that keeps evolving is 'smishing' (SMS phishing), a variant of phishing that uses text messages rather than email as the medium to trick its targets. A recent article by Resecurity highlights a large-scale smishing campaign targeting US citizens and impersonating the United States Postal Service (USPS). The threat actors, dubbed the "Smishing Triad," are Chinese-speaking cybercriminals who specialize in identity theft and financial fraud. This blog post dissects the campaign, explains its modus operandi, and suggests preventive measures.
The Anatomy of the Attack
The Smishing Triad primarily delivers its lures as iMessages sent from compromised Apple iCloud accounts. Unlike earlier smishing campaigns that relied on carrier SMS, this group has adapted to a channel that people generally consider more trustworthy: iMessage. The trust is misplaced for this purpose. iMessage's end-to-end encryption protects the content of a message in transit; it says nothing about whether the sender is honest, and it also means carrier-side SMS spam filtering never sees the message at all. A recipient should treat an unsolicited "USPS" message the same way regardless of which app it arrives in. The group also sells 'smishing kits' via Telegram IM groups, essentially operating a Fraud-as-a-Service (FaaS) model in which many independent operators run copies of the same kit.
The discovery of an active SQL-injection vulnerability in the Smishing Triad's smishing kit by Resecurity's HUNTER team adds an ironic twist to the group's operations. SQL injection is a code injection technique in which attacker-controlled input is embedded into the text of a query the application sends to its database, so that the input changes the structure of the query rather than being treated as a plain value. It is one of the oldest and best-understood web vulnerabilities, and its presence in a toolkit distributed by an otherwise well-organized cybercriminal group is telling: a polished delivery channel does not imply polished code. Because the kit is sold to many operators, a flaw of this kind is replicated across every deployment, and an injectable query in a kit's back end can expose the data the kit has collected to anyone who finds the hole, including researchers.
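To make the vulnerability class concrete, here is an added illustration that is not code from the Smishing Triad kit or from Resecurity's article. It uses a hypothetical "victims" table of the kind a phishing kit's back end might keep (the schema, the `tracking_id` lookup and all sample rows are constructed for this example) and shows a query built by string concatenation next to the same query with a bound parameter, run against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data standing in for records a phishing kit's back end
# might store. Hypothetical schema; not the Smishing Triad kit's real tables.
SAMPLE_ROWS = [
    ("US1234567890", "alice@example.com", "4111111111111111"),
    ("US0987654321", "bob@example.com", "5500000000000004"),
    ("US1122334455", "carol@example.com", "340000000000009"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE victims (tracking_id TEXT, email TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO victims VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, tracking_id):
    """Injectable: the caller's input is spliced into the SQL text, so quotes
    and operators inside it are parsed as part of the query."""
    sql = (
        "SELECT email, card FROM victims WHERE tracking_id = '"
        + tracking_id
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, tracking_id):
    """Hardened: the value is bound as a parameter and sent to the engine
    separately from the SQL text, so it can never alter the query's structure."""
    sql = "SELECT email, card FROM victims WHERE tracking_id = ?"
    return conn.execute(sql, (tracking_id,)).fetchall()


def demo():
    """Run a benign lookup and two classic payloads through both functions."""
    conn = build_db()
    benign = "US1234567890"
    # Tautology payload: closes the string literal and appends an
    # always-true condition, so every row matches.
    tautology = "' OR '1'='1"
    # UNION payload: appends the result of a second SELECT (here the whole
    # table) to an otherwise empty result set.
    union = "x' UNION SELECT email, card FROM victims WHERE '1'='1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_safe(conn, benign),
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),
        "tautology_safe": lookup_safe(conn, tautology),
        "union_vulnerable": lookup_vulnerable(conn, union),
        "union_safe": lookup_safe(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

For the benign tracking ID both functions return the single matching row. For either payload, `lookup_vulnerable` dumps all three rows while `lookup_safe` returns nothing, because the bound parameter is compared literally against the injected string. The fix is the same in any language: never build SQL by concatenating untrusted input; use the driver's parameter binding (or an ORM that does so) for every query.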