Researchers track surge in high-level Smishing Triad activity

The China-linked operation has grown from a phishing kit marketplace into an active and growing community supporting a decentralized large-scale phishing ecosystem.
Phishing (Getty Images)

Researchers have uncovered a long-running phishing campaign that uses text messages to trick victims, and it is both bigger and more complex than previously thought. The operation, dubbed Smishing Triad, is managed in Chinese and involves thousands of malicious actors, including dozens of active, high-level participants, Palo Alto Networks' research unit told CyberScoop.

Unit 42 has traced about 195,000 domains to the highly decentralized phishing operation since January 2024. Researchers say more than two-thirds of the malicious domains are registered through Hong Kong-based registrar Dominet (HK) Limited using China-based domain name system infrastructure.

Most of the attack domains (58%) are hosted on U.S.-based IP addresses, while 21% are hosted in China and 19% reside in Singapore. The global phishing operation is designed to collect sensitive information, including national identification numbers, home addresses, financial details and credentials, according to Unit 42.

The malicious domains, which include hyphenated strings followed by a top-level domain, trick victims into thinking they are visiting a legitimate site. These domains impersonate services across many critical sectors including toll road services, multinational financial service and investment firms, e-commerce markets and cryptocurrency exchanges, health care organizations, law enforcement agencies and social media platforms.

Smishing Triad has changed its tactics over time and brought in a range of specialists to support its operations. These include data brokers, domain sellers, hosting providers, phishing kit developers, platform providers, spammers who deliver the phishing lures via mobile messaging apps, and support staff who verify which phone numbers are active and can be targeted.

The group’s Chinese language Telegram channel has attracted many associates because the underlying infrastructure is effective, and other threat groups rely on the phishing kits sold for widespread use as well, said Zhanhao Chen, principal researcher at Palo Alto Networks.

The operation began as a dedicated phishing kit marketplace and has grown into an active community supporting a large-scale phishing ecosystem.

Smishing Triad’s Telegram channel has evolved from a dedicated phishing kit marketplace to an active community over the past six months, attracting threat actors across the phishing ecosystem.

Unit 42 doesn't know how many people have received phishing messages from this operation. Yet, by tracking changes in domain-naming conventions, researchers have traced part of the group's infrastructure and domains, which phishing kits are being used, how much traffic they get, and which targets are being focused on.

“We don’t necessarily know how many victims we can attribute to this technology or this group,” said Reethika Ramesh, senior staff researcher at Palo Alto Networks. “But we know that the number of domains is growing on a daily basis and they’re churning through different infrastructure, and that most of the query volume for the domains were towards domains hosted on U.S. IP addresses.”

The U.S. Postal Service is the most impersonated service, spanning more than 28,000 domains, according to researchers. Toll road agencies account for the most impersonated category, with these services traced to nearly 90,000 domains.

Unit 42 said the operation is active and evolving, as researchers have observed a significant jump in the registration of domain prefixes containing gov, reflected in a shift toward impersonating the Internal Revenue Service and U.S. state tax agencies during the past couple of months. Researchers have traced more than 37,000 new domains to the campaign since June.

The lifespan of the domains traced to Smishing Triad is short — 29% were active for less than two days, 71% were in use for less than a week and 83% were disposed within two weeks, according to Unit 42.
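The two signals the researchers describe above, hyphenated lookalike labels carrying a brand or "gov" keyword and very short domain lifespans, can be reproduced over a defender's own DNS or passive-DNS telemetry. The following is an added example written for this article, not Unit 42's code; the keyword list and the domain records are constructed for illustration and are not real indicators.

```python
"""Triage domain observations the way the article describes: flag hyphenated
lookalikes by impersonated sector and compute the lifespan profile."""
from datetime import date
from typing import NamedTuple, Optional

class DomainObs(NamedTuple):
    domain: str        # observed hostname
    first_seen: date   # first query / registration date
    last_seen: date    # last query seen
    host_country: str  # country of hosting IP

# Illustrative keyword list (assumption): sectors named in the article.
# Tokens are matched exactly so "first" does not match "irs".
IMPERSONATION_KEYWORDS = {
    "postal": {"usps", "postal"},
    "toll":   {"toll"},
    "tax":    {"irs", "gov", "tax"},
}

def impersonation_category(domain: str) -> Optional[str]:
    """Return the sector a hyphenated label impersonates, or None."""
    label = domain.rsplit(".", 1)[0]        # strip the top-level domain
    if "-" not in label:                    # article: hyphenated strings + TLD
        return None
    tokens = set(label.split("-"))
    for category, keywords in IMPERSONATION_KEYWORDS.items():
        if tokens & keywords:
            return category
    return None

def lifespan_days(obs: DomainObs) -> int:
    return (obs.last_seen - obs.first_seen).days

def lifespan_profile(observations):
    """Cumulative share of domains retired inside the buckets Unit 42 reports."""
    n = len(observations)
    thresholds = {"under_2_days": 2, "under_1_week": 7, "under_2_weeks": 14}
    return {name: round(sum(lifespan_days(o) < t for o in observations) / n, 2)
            for name, t in thresholds.items()}

def triage(observations):
    """Suspect records: hyphenated lookalikes carrying an impersonation keyword."""
    return [{"domain": o.domain, "category": c, "host_country": o.host_country,
             "lifespan_days": lifespan_days(o)}
            for o in observations if (c := impersonation_category(o.domain))]

SAMPLE = [  # constructed records, not real indicators
    DomainObs("usps-redelivery-fee.example", date(2025, 7, 1), date(2025, 7, 2), "US"),
    DomainObs("toll-bill-pay-now.example", date(2025, 7, 1), date(2025, 7, 5), "SG"),
    DomainObs("irs-gov-refund-notice.example", date(2025, 7, 3), date(2025, 7, 20), "US"),
    DomainObs("login-secure-portal.example", date(2025, 7, 1), date(2025, 7, 10), "CN"),
    DomainObs("example.org", date(2020, 1, 1), date(2025, 7, 1), "US"),
]
```

Run `triage(SAMPLE)` and `lifespan_profile(SAMPLE)` over real telemetry to get the same two views the researchers built; a rising share in the "under_2_days" bucket alongside many keyword hits is the churn pattern the article describes.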

The real-world consequences of the operation are difficult to track and likely delayed, as the phishing sites are largely designed to steal data for potential follow-on attacks. 

“We don’t know how many messages they’re sending out or how many people are receiving them,” Ramesh said. “They’re definitely harvesting the data for later use.”
