Chinese Phishing Crew Poses As Delivery Services to Steal Data

From Jordan Robertson, published at Wed Aug 21 2024

There’s finally an explanation for who’s sending so many scammy text messages that claim to be from the US Postal Service and other delivery services.

For the past 18 months, a Chinese phishing operation has impersonated well-known brands to trick potentially millions of victims into turning over their credit card information as part of an unusually effective ruse.

Cyber specialists have dubbed the group Smishing Triad, a reference to its use of SMS messages as phishing lures. The hackers send texts masquerading as the USPS, the UK’s Royal Mail or dozens of other delivery services from around the world, luring people into giving up their payment data.

Attackers typically send messages claiming that an extra fee must be paid before a package can be delivered. They then trick people into clicking a link to a site that appears to be a legitimate service, like USPS, and ask for their financial information.

With that personal data in hand, the hackers add those card numbers to Apple Pay or Google Wallet accounts on burner smartphones and then start spending victims’ money, according to Ford Merrill, senior director of cyber intelligence for Danish cyber firm CSIS Security Group A/S, who’s due to present the findings at the Cyberhagen cybersecurity conference in Copenhagen in September. They have used the stolen payment data for online purchases, to withdraw cash from ATMs and to make fraudulent payments at cash registers.

Smishing Triad is the first hacking gang “we saw supporting a seamless workflow for real-time phishing with abuse of digital wallets in mind,” Merrill said in an interview. The group also leases out its malware to cybercriminals and uses particularly convincing phishing websites, enabling hackers to perpetrate fraud at a vast scale.

“Banks are only beginning to catch on to the greater problem of digital wallet abuse, with many simply not having visibility into the issue prior to the past several months,” Merrill said. Based on researchers’ analysis of thousands of web domains and other data, the number of victims could be as high as 10 million, he added.

The USPS said in a statement that it’s investigating this type of activity. The Royal Mail declined to comment, though it offers an online guide for avoiding common scams.

Other cyber firms have previously investigated the same scammers.

Los Angeles-based Resecurity Inc. previously reported that Smishing Triad sends upwards of 100,000 messages a day. It uses personal data that was previously leaked to the dark web, including names and phone numbers, as leads on who to hack.

And at the Def Con security conference this month in Las Vegas, another researcher described how he investigated some of Smishing Triad’s operations to uncover some details about the people it hacked, Wired reported.

Merrill said his team’s research adds new details about the scope of the operation and how the hackers are extracting money from compromised accounts.

It doesn’t look like AI-generated content is making much of a difference when it comes to spreading disinformation focused on US audiences.

OpenAI on August 16 said it removed an Iranian operation that tried influencing Americans’ opinions about presidential candidates Kamala Harris and Donald Trump. The network used AI to create longform articles and social media comments that ultimately failed to attract many eyeballs, according to Ben Nimmo, principal investigator on OpenAI’s intelligence and investigations team.

Microsoft and Meta both recently published reports that flagged pro-Russian campaigns that used AI to little effect. In one case, suspected Russian operatives created a video that dubbed a fake voice of Tom Cruise over images of violence at the Paris Olympics, Microsoft found.

For all that effort, the video seemed to attract more attention from anti-misinformation researchers than from actual organic followers. — Jeff Stone

