Smith searched Reddit and other online sources to find people reporting the scam and the URLs being used, which… published later.

Some of the websites running the Smishing Triad tools collected personal information from thousands of people a day, Smith says. Among other details, the websites asked for names, addresses, payment card numbers and security codes, phone numbers, birth dates and banking websites. This level of information can allow a scammer to make online purchases using the stolen credit cards. Smith says his wife quickly canceled her card, but noticed that the scammers were still trying to use it, for example, with Uber. The researcher says he would collect data from one website and return to it a few hours later, only to find hundreds of new records.
The researcher provided the details to a bank that had contacted him after seeing his initial blog posts. Smith declined to reveal the name of the bank. He also reported the incidents to the FBI and later provided information to the United States Postal Inspection Service (USPIS).
Michael Martel, USPIS’s national public information officer, says the information provided by Smith is being used as part of an ongoing USPIS investigation and that the agency cannot comment on specific details. “USPIS is already actively seeking this type of information to protect the American people, identify victims, and bring justice to the malicious actors behind all of this,” Martel says, pointing to the agency’s tips on “How to spot and report USPS package delivery scams.”
Smith says he was initially hesitant to go public with his research, as this type of “fightback” falls into a “gray area”: he may be violating the Computer Fraud and Abuse Act, a broad U.S. law against computer crime, but he is doing so against criminals based overseas. He is certainly not the first, nor will he be the last, to do so.
Multiple tips
The Smishing Triad is prolific. In addition to using postal services as lures for its scams, the Chinese-speaking group has attacked online banking, e-commerce and payment systems in the United States, Europe, India, Pakistan and the United Arab Emirates, according to Shawn Loveland, chief operating officer of Resecurity, which has closely followed the group.
The Smishing Triad sends between 50,000 and 100,000 messages daily, according to Resecurity research. Its scam messages are sent using SMS or Apple’s iMessage, the latter of which is encrypted. Loveland says the Triad is made up of two distinct groups: a small team led by a Chinese hacker who creates, sells and maintains the smishing kit, and a second group of people who buy the scam tool. (A backdoor in the kit allows the creator to access the details of administrators using the kit, Smith says in a blog entry.)
“It’s a very mature process,” Loveland says of the operation. The group sells the scam kit on Telegram for a $200-a-month subscription, which can be customized to show the organization the scammers are trying to impersonate. “The main actor is Chinese and communicates in Chinese,” Loveland says. “It doesn’t appear that they are hacking Chinese-speaking websites or users.” (In communications with the main contact on Telegram, the individual told Smith he was a computer science student.)
The relatively low cost of the monthly subscription for the smishing kit means that, given the amount of credit card data the scammers collect, it is highly likely that those using it will make significant profits. Loveland says that using text messages that immediately send people a notification is a more direct and successful form of phishing, compared to sending emails with malicious links embedded in them.
As a result, smishing has been on the rise in recent years. But there are some telltale signs: if you receive a message from a number or email you don’t recognise, if it contains a link to click on or if it asks you to do something urgently, you should be suspicious.