Smith went to Reddit and other online sources to find people reporting the scam and looked for URLs being used, which he then publishedSome of the sites running the Smishing Triad tool were collecting thousands of people’s personal information every day, Smith said. Among other details, the sites would ask for people’s names, addresses, payment card numbers and security codes, phone numbers, dates of birth, and bank websites. That level of information could allow a scammer to make online purchases with a credit card. Smith said his wife quickly canceled her card, but noticed that scammers were still trying to use it, for example with Uber. The researcher said he would collect data from a site and return to it a few hours later, only to find hundreds of new records.
The researcher provided details to a bank that contacted him after seeing his initial blog posts. Smith declined to name the bank. He also reported the incidents to the FBI and then provided the information to the United States Postal Inspection Service (USPIS).
Michael Martel, a national public information officer at USPIS, said the information provided by Smith is being used as part of an ongoing USPIS investigation and the agency cannot comment on specifics. “USPIS has been aggressively pursuing this type of information to protect the American people, identify victims, and bring justice to the malicious actors behind it all,” Martel said, pointing to the tip on Detect and report USPS delivery scams.
Initially, Smith said, he was wary of making his research public because this kind of “back hacking” fell into a “gray area”: It could violate the Computer Fraud and Abuse Act, a comprehensive U.S. computer crime law, but he was doing it with criminals overseas. One thing he definitely not the first or last time to do.
Many prongs
The Smishing Trio is prolific. In addition to using the postal service as bait for their scams, the Chinese-speaking group has targeted online banking, e-commerce and payment systems in the United States, Europe, India, Pakistan and the United Arab Emirates, according to Shawn Loveland, chief executive of Resecurity, which has been tracking the group.
According to Smishing Triad, Smishing Triad sends between 50,000 and 100,000 messages per day. Research by Resecurity. Its scam messages are sent using SMS or Apple’s iMessage, the latter of which is encrypted. Loveland said the Triad consists of two separate groups—a small group led by a Chinese hacker who creates, sells, and maintains the smishing toolkit, and a second group of people who buy the phishing tool. (A backdoor in the toolkit allows the creators to access the details of administrators using the toolkit, Smith said in blog post.)
“It’s very mature,” Loveland said of the operation. The group sells a phishing kit on Telegram for a $200-a-month subscription and can be customized to show the organization the scammers are trying to impersonate. “The main mastermind is Chinese and speaks Chinese,” Loveland said. “They don’t appear to be hacking Chinese-language sites or users.” (In conversations with the main Telegram contact, the individual told Smith they were a computer science student.)
The relatively low monthly subscription cost of the smishing kit means that, given the amount of credit card details the scammers are collecting, it is likely that those using it are making a significant profit. Loveland said that using text messages, which send people a notification instantly, is a more direct and successful way to scam people than sending emails containing malicious links.
As a result, smishing was performed. increase in recent yearsBut there are some warning signs: If you get a text message from a phone number or email you don’t recognize; if it contains a link to click; and asks you to do something urgently, you should be suspicious.
