A Chinese-speaking phishing gang dubbed PostalFurious has been linked to a new SMS campaign that’s targeting users in the U.A.E. by masquerading as postal services and toll operators, per Group-IB.
The fraudulent scheme entails sending users bogus text messages asking them to pay a vehicle trip fee to avoid additional fines. The messages also contain a shortened URL to conceal the actual phishing link.
Clicking on the link directs the unsuspecting recipients to a fake landing page that’s designed to capture payment credentials and personal data. The campaign is estimated to be active as of April 15, 2023.
“The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information,” Group-IB said. “The phishing pages appropriate the official name and logo of the impersonated postal service provider.”
The exact scale of the attacks is currently unknown. What’s known is that the text messages were sent from phone numbers registered in Malaysia and Thailand, as well as via email addresses through the Apple iMessage service.
In a bid to stay undetected, the phishing links are geofenced such that the pages can only be accessed from U.A.E.-based IP addresses. The threat actors have also been observed registering new phishing domains every day to expand their reach.
According to the Singapore-based cybersecurity company, a second near-identical campaign observed on April 29, 2023, mimicked a U.A.E. postal operator.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
Join the Session
The smishing activity marks an expansion of the threat actor’s efforts since at least 2021, when it began targeting users in the Asia-Pacific region. Group-IB said PostalFurious operations demonstrate the “transnational nature of organized cybercrime.”
To avoid falling prey to such scams, it’s recommended to practice careful clicking habits when it comes to links and attachments, keep software up-to-date, and ensure strong digital hygiene routines.
The development comes on the heels of a similar postal-themed phishing campaign dubbed Operation Red Deer that has been discovered targeting various Israeli organizations to distribute a remote access trojan called AsyncRAT. The attacks have been pinned on a threat actor codenamed Aggah.