
The attackers behind a large-scale, ongoing smishing campaign are believed to have used more than 194,000 malicious domains targeting a wide range of services around the world since January 1, 2024, according to new research from Palo Alto Networks Unit 42.
Security researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi, and Moe Ghasemisharif said, “Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular cloud services in the United States.”
The activity has been attributed to a China-linked group known as the Smishing Triad, which bombards mobile devices with fraudulent toll violation and misdelivery notifications to pressure users into acting immediately or handing over sensitive information.
According to a recent report in the Wall Street Journal, these campaigns have proven lucrative, allowing attackers to earn more than $1 billion over the past three years.

In a report published earlier this week, Fortra said phishing kits associated with the Smishing Triad are increasingly being used against brokerage accounts to obtain banking credentials and authentication codes, and that attacks on these accounts increased fivefold in the second quarter of 2025 compared to the same period last year.
“Once compromised, attackers use ‘ramp and dump’ tactics to manipulate stock prices,” security researcher Alexis Ober said. “These methods leave little paper trail, further increasing the economic risk posed by this threat.”
The adversary group is said to have evolved from a specialized purveyor of phishing kits into a “very active community” of disparate attackers, each playing a key role in the phishing-as-a-service (PhaaS) ecosystem.
These include phishing kit developers, data brokers (selling target phone numbers), domain sellers (registering disposable domains to host phishing sites), hosting providers (providing servers), spammers (delivering messages to victims at scale), liveness scanners (verifying phone numbers), and blocklist scanners (matching phishing domains against known blocklists for rotation).
Smishing Triad’s PhaaS Ecosystem
Unit 42’s analysis revealed that nearly 93,200 (68.06%) of the 136,933 root domains were registered with Dominet (HK) Limited, a Hong Kong-based registrar. Domains with the prefix “com” make up the majority, but the past three months have seen an increase in “gov” domain registrations.
Of the identified domains, 39,964 (29.19%) were active for less than 2 days; cumulatively, 71.3% were active for less than 1 week, 82.6% for less than 2 weeks, and fewer than 6% of domains survived beyond the first 3 months after registration.
“This rapid churn clearly demonstrates that the campaign’s strategy relies on a continuous cycle of newly registered domains to evade detection,” the cybersecurity firm notes, adding that the 194,345 fully qualified domain names (FQDNs) used in the campaign resolved to 43,494 unique IP addresses, most of which are located in the United States and hosted on Cloudflare (AS13335).
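As an added illustration (not code from the Unit 42 report), the lifetime bucketing behind percentages like those above, run over constructed passive-DNS-style records; the same first-seen data drives a newly-seen-domain filter, which is the defensive counterpart to the churn the report describes. Domain names, dates and the 14-day window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DomainObservation:
    """One passive-DNS style record: when a root domain was first and last seen resolving."""
    domain: str
    first_seen: date
    last_seen: date


# Cumulative lifetime thresholds (in days) matching the buckets quoted from Unit 42.
LIFETIME_BUCKETS = (("< 2 days", 2), ("< 1 week", 7), ("< 2 weeks", 14), ("< 3 months", 90))


def lifetime_days(obs: DomainObservation) -> int:
    return (obs.last_seen - obs.first_seen).days


def lifetime_distribution(observations):
    """Cumulative share (0.0-1.0) of domains whose observed lifetime is under each threshold."""
    lifetimes = [lifetime_days(o) for o in observations]
    return {label: sum(1 for d in lifetimes if d < limit) / len(lifetimes)
            for label, limit in LIFETIME_BUCKETS}


def flag_newly_seen(observations, today: date, max_age_days: int = 14):
    """Domains first observed within max_age_days of `today`. Because the campaign burns
    domains within days, a newly-seen-domain filter catches what static blocklists miss."""
    return sorted(o.domain for o in observations if (today - o.first_seen).days < max_age_days)


# Constructed sample records (placeholder names, not real indicators from the campaign).
SAMPLE = [
    DomainObservation("lure-01.example", date(2025, 9, 18), date(2025, 9, 18)),  # 0 days
    DomainObservation("lure-02.example", date(2025, 9, 15), date(2025, 9, 16)),  # 1 day
    DomainObservation("lure-03.example", date(2025, 9, 10), date(2025, 9, 11)),  # 1 day
    DomainObservation("lure-04.example", date(2025, 9, 1), date(2025, 9, 4)),    # 3 days
    DomainObservation("lure-05.example", date(2025, 8, 25), date(2025, 8, 30)),  # 5 days
    DomainObservation("lure-06.example", date(2025, 8, 1), date(2025, 8, 9)),    # 8 days
    DomainObservation("lure-07.example", date(2025, 7, 1), date(2025, 7, 13)),   # 12 days
    DomainObservation("lure-08.example", date(2025, 6, 1), date(2025, 7, 1)),    # 30 days
    DomainObservation("lure-09.example", date(2025, 4, 1), date(2025, 5, 31)),   # 60 days
    DomainObservation("lure-10.example", date(2025, 1, 1), date(2025, 5, 1)),    # 120 days
]

if __name__ == "__main__":
    for label, share in lifetime_distribution(SAMPLE).items():
        print(f"{label:>11}: {share:.1%}")
    print("newly seen:", flag_newly_seen(SAMPLE, today=date(2025, 9, 20)))
```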

Some of the other important aspects of infrastructure analysis are listed below.
The United States Postal Service (USPS) is the most impersonated single service, with 28,045 FQDNs.
Paid-service lures are the most spoofed category, with approximately 90,000 phishing FQDNs.
The attack infrastructure for the domains that generate the most traffic is located in the United States, followed by China and Singapore.
The campaign imitates banks, cryptocurrency exchanges, postal and delivery services, police forces, state-owned enterprises, electronic toll systems, rideshare applications, hospitality services, social media, and e-commerce platforms, including in Russia, Poland, and Lithuania.
Phishing campaigns masquerading as government services often redirect users to landing pages that solicit payment for supposedly unpaid tolls or other service fees, and in some cases use ClickFix-style lures to get users to run malicious code under the pretext of completing a CAPTCHA check.
“Smishing campaigns masquerading as paid services in the United States are not isolated,” Unit 42 said. “Instead, this is a massive campaign spread across the globe, impersonating many services across a variety of sectors. The threat is highly distributed. Attackers register thousands of domains and move back and forth every day.”
