China-Linked Smishing Triad Hits 194K+ Domains in Global Scam

Global Smishing Campaign Registers Over 194,000 Malicious Domains Since 2024, Targeting Brokerage Accounts and Using Phishing-as-a-Service Network

  • More than 194,000 malicious domains linked to a global smishing campaign have been registered since January 2024.
  • The attack infrastructure primarily uses U.S.-hosted cloud services but is registered through a Hong Kong-based registrar.
  • The China-linked group called the Smishing Triad is behind the campaign, exploiting fake toll violation and delivery notices.
  • Phishing kits from this group are increasingly targeting brokerage accounts to steal banking credentials and authentication codes.
  • The campaign involves a phishing-as-a-service network including kit developers, domain sellers, spammers, and hosting providers operating worldwide.

Since January 1, 2024, malicious actors linked to a widespread smishing campaign have registered over 194,000 harmful domains worldwide. According to findings from Palo Alto Networks Unit 42, the attack targets various services globally with domains mainly registered via a Hong Kong-based registrar but hosted on U.S. cloud platforms.

The group identified behind these operations, known as the Smishing Triad and believed to have ties to China, sends fraudulent messages about unpaid tolls or missed deliveries to trick victims into revealing sensitive data. These schemes have generated more than $1 billion over three years, according to The Wall Street Journal.

A recent report by Fortra highlights a rise in attacks using phishing kits from the same group that now focus on brokerage accounts. This shift has caused a fivefold increase in such attacks in the second quarter of 2025 compared to the previous year. Security researcher Alexis Ober noted, “Once compromised, attackers manipulate stock market prices using ‘ramp and dump’ tactics,” which leave little evidence and increase financial risk.

Unit 42’s research explains that the smishing campaign operates as a large, decentralized “phishing-as-a-service” (PhaaS) ecosystem. This includes kit developers who create phishing tools, data brokers selling phone numbers, domain registrars for disposable sites, hosting providers managing servers, spammers distributing messages, and scanners verifying active phone numbers and avoiding detection.

Nearly 93,200 root domains are registered with Dominet (HK) Limited, and many domains exist for only a few days to evade security measures. The domains resolve to over 43,000 unique IP addresses, mostly hosted in the U.S. on Cloudflare services. The most impersonated service is the U.S. Postal Service with 28,045 domains, followed by toll services with about 90,000 dedicated phishing sites.

Phishing messages often redirect victims to fake landing pages claiming traffic or delivery fines, sometimes prompting users to run malicious code disguised as CAPTCHA verification. According to Unit 42, “The smishing campaign impersonating U.S. toll services is not isolated. It is instead a large-scale campaign with global reach, impersonating many services across different sectors.”
