Zimperium Blog

Smashing Smishing with MTD - Zimperium

Written by Santiago Rodriguez | Sep 18, 2023
Share this blog

On September 04, The Hacker News reported on research published by Resecurity about a phishing campaign distributed through SMS (smishing). This campaign is targeting US citizens. The key elements of these campaigns are: 

  • Background and Tactics:
    • Large-scale smishing (SMS phishing) campaign, targeting U.S. citizens and other countries.
    • Orchestrated by a group named “Smishing Triad,” operating from China.
    • The group uses deceptive text messages sent via compromised Apple iCloud accounts to collect Personally Identifying Information (PII) and payment details.
  • Delivery Method
    • Unique to this campaign, bad actors solely used iMessages sent from compromised Apple iCloud accounts instead of traditional SMS or calls.
  • Technical Details
    • The campaign saw a spike in August, with almost 30 different domain names registered by attackers.
    • They also offer ‘smishing kits’ via Telegram, creating a fraud-as-a-service network effect.
  • Cybercrime-as-a-Service (CaaS)
    • Besides smishing, the group provides customized phishing kits to other cybercriminals.
  • Infrastructure and Domains
    • Domains registered mostly using “.top” top level domain via NameSilo and protected by Cloudflare.
  • Scope of Impact
    • The group has previously targeted postal and delivery services in various countries.

Zimperium’s research team is constantly monitoring newly registered domains in order to detect those that could be used to perform phishing attacks. These domains are detected in a zero-day fashion, without any external indicator. From the reported domains in the original blog post, 85% of them were already being tracked as malicious (some of them as far as 8 days before the release of the blog). Moreover, from the remaining 15% that we haven’t seen, 50% were correctly classified by our on-device machine learning classifiers as malicious. Zero day, this gives an overall coverage for the campaign of 92.5%. 

For Zimperium customers, this means that our machine learning engine is proactively stopping these links and rendering this attack completely ineffective. Moreover, this is performed without requiring any engine or heuristics database file update and is effective even for devices using our ‘on-device’ only phishing solution. 
View full post