Smishing Triad Runs 194,000 Fake Phishing Domains

Smishing Operation Expands

The Smishing Triad has built a massive phishing operation on more than 194,000 fraudulent domains worldwide. Since January 2024, these domains have been used against users across many industries, according to a recent report.

The campaign relies on fraudulent text messages posing as unpaid-toll or package-delivery notices. The real goal is to get victims to click a malicious link and hand over personal and payment data on a lookalike page. Researchers found a split in the infrastructure: the domains are registered and served from Chinese providers, while most of the hosting behind them sits on U.S.-based cloud services.

How the Smishing Triad Works

The group behind the operation is linked to China and sends fake mobile alerts at scale. The messages pressure recipients to act immediately, typically by following a link to a phishing page.

Over the past three years, the scheme has reportedly generated more than $1 billion in illicit profit. Phishing kits tied to the Triad are now also aimed at brokerage accounts, and they harvest banking details and authentication codes, which lets attackers take over accounts more efficiently than credential theft alone.

Financial Manipulation and Hidden Tactics

Once they control a brokerage account, attackers often run "ramp and dump" schemes: they use the victim's account to buy into a stock they already hold, push the price up, and then sell into it. Because the trades come from legitimate-looking accounts, the activity is hard to trace, which increases the financial damage.

The Triad has grown into a network of criminals operating on a phishing-as-a-service model. The division of labour includes kit developers, data brokers, domain sellers, and even "blocklist checkers" who watch whether a domain has been flagged so that burned domains can be swapped out, keeping the operation running smoothly.

Rapid Domain Turnover Strategy

Researchers found that nearly 93,000 of the domains were registered through a single Hong Kong-based provider. Most stay active for less than a week; only 6% survive longer than three months.

This fast turnover is the core of the evasion strategy. Reputation-based security tools need time to see and flag a domain, and by then the attackers have moved on, registering thousands of new domains each day. The phishing sites collectively resolve to more than 43,000 unique IP addresses, most of them hosted in the U.S.
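The turnover figures above suggest a simple defensive heuristic: a lure-themed domain (postal, toll, parcel) that has only just appeared is far more likely to be one of these kits than an established site. The following is an added example, written for this article and not code from the report or the researchers, that scores a set of constructed domain observations on exactly those two signals (lure keywords in the hostname and days since first seen) and also reproduces the survival statistics the article quotes. The keyword list, the 30-day age threshold, the brand allowlist and every sample record are assumptions made for illustration.

```python
"""Triage observed hostnames for short-lived smishing lookalikes.

Added example, not the report's or the researchers' code. The lure tokens,
the allowlist of genuine brand domains, the age threshold and the sample
observations below are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed: substrings typical of toll / postal / parcel lures.
LURE_TOKENS = ("usps", "postal", "toll", "ezpass", "parcel", "delivery")
# Constructed: registered domains of the real brands, which must never be flagged.
LEGIT_REGISTERED = {"usps.com", "ezpass.com"}


@dataclass(frozen=True)
class DomainObs:
    """One hostname as seen in passive DNS or a URL feed."""
    host: str
    first_seen: date
    last_seen: date | None  # None = still resolving at analysis time


def registered_domain(host: str) -> str:
    """Rough eTLD+1: the last two labels (no public-suffix list in this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def observed_days(obs: DomainObs, today: date) -> int:
    """Lifetime so far (still live) or total lifetime (already gone)."""
    return ((obs.last_seen or today) - obs.first_seen).days


def survival_summary(observations: list[DomainObs], today: date) -> dict:
    """Share of domains seen under 7 days and over 90 days, the two figures the article cites."""
    n = len(observations)
    under_7 = sum(1 for o in observations if observed_days(o, today) < 7)
    over_90 = sum(1 for o in observations if observed_days(o, today) > 90)
    return {"n": n, "under_7d": under_7 / n, "over_90d": over_90 / n}


def lure_score(host: str) -> int:
    """Count lure tokens across every label of the hostname.

    Kits often put the brand in a subdomain (usps.com-tracking.vip), so the
    whole name is scanned; the genuine brand domains score 0 via the allowlist.
    """
    if registered_domain(host) in LEGIT_REGISTERED:
        return 0
    labels = host.lower().rstrip(".").split(".")
    return sum(tok in label for label in labels for tok in LURE_TOKENS)


def triage(obs: DomainObs, today: date, max_age_days: int = 30) -> str:
    """block = lure words on a young domain; review = one signal only; allow = neither."""
    young = observed_days(obs, today) <= max_age_days
    lured = lure_score(obs.host) > 0
    if lured and young:
        return "block"
    if lured or young:
        return "review"
    return "allow"


def triage_all(observations: list[DomainObs], today: date) -> dict[str, str]:
    return {o.host: triage(o, today) for o in observations}


# Constructed sample feed; the analysis date is fixed so results are reproducible.
TODAY = date(2025, 10, 1)
SAMPLE = [
    DomainObs("usps.com-tracking.vip", date(2025, 9, 27), None),          # brand in subdomain, 4 days old
    DomainObs("ezpass-pay-now.top", date(2025, 9, 20), date(2025, 9, 24)),  # already burned after 4 days
    DomainObs("tools.usps.com", date(2015, 1, 1), None),                  # genuine brand host
    DomainObs("news-archive.example", date(2025, 9, 29), None),           # young but no lure words
    DomainObs("parcel-reroute.icu", date(2025, 5, 1), date(2025, 9, 15)),  # lure words, lived 137 days
    DomainObs("shop.example", date(2020, 1, 1), None),                    # old, unrelated
]

if __name__ == "__main__":
    print(survival_summary(SAMPLE, TODAY))
    for host, verdict in triage_all(SAMPLE, TODAY).items():
        print(f"{verdict:7} {host}")
```

In production the `first_seen` value would come from a passive DNS or certificate-transparency feed rather than a hand-built list, and the two-label `registered_domain()` should be replaced with a proper public-suffix lookup so that names under `co.uk`-style suffixes are not mis-split.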

Services and Countries Targeted

The campaign impersonates institutions around the world: banks, toll agencies, postal services, and government offices. The U.S. Postal Service remains the most impersonated organization, with more than 28,000 fake domains carrying its branding.

Phishing messages are also seen frequently in countries such as Poland, Russia, and Singapore. Some pages go beyond credential theft and present a fake CAPTCHA check as a pretext for installing malicious code. With no single point of failure in its infrastructure, the decentralized campaign reaches users worldwide.

Protecting Against Smishing Attacks

To avoid falling victim to smishing, never follow a link in an unexpected text about a toll, fee, or delivery. Instead, open the agency's official app or type its address yourself and check the account there. Organizations can add threat monitoring that watches for newly registered domains carrying their brand, phishing simulation training for staff, and domain protection or takedown services. Together these measures help detect and block such large-scale phishing operations before they spread.
