A Chinese-language phishing gang nicknamed PostalFurious has been linked to a new SMS campaign targeting users in the UAE under the guise of postal services and toll operators, per Group-IB.
The fraudulent scheme involves sending users fake text messages asking them to pay a vehicle trip fee to avoid additional fines. The message also contains a shortened URL to hide the actual phishing link.
Clicking the link redirects unsuspecting recipients to a fake landing page designed to harvest payment credentials and personal data. The campaign is believed to have become active on April 15, 2023.
“The URL of the text leads to a fake branded payment page asking for personal details, such as name, address and credit card information,” Group-IB said. “The phishing page matches the impersonated postal service provider’s official name and logo.”
The exact scale of the attack is currently unknown. What is known is that the SMS messages were sent from telephone numbers registered in Malaysia and Thailand, as well as from email addresses via the Apple iMessage service.
In an effort to remain undetected, the phishing links are geo-restricted so that the pages can only be accessed from UAE-based IP addresses. The threat actors have also been observed registering new phishing domains every day to expand their reach.
According to the Singapore-based cybersecurity firm, a second, nearly identical campaign modeled after the UAE postal operator was observed on April 29, 2023.
The smishing activity marks an expansion of the threat actor’s efforts since at least 2021, when it started targeting users in the Asia-Pacific region. Group-IB said the PostalFurious operation demonstrated the “transnational nature of organized cybercrime.”
To avoid falling victim to such scams, users are advised to be cautious when clicking links and opening attachments, keep software up to date, and maintain a strong digital hygiene routine.
This development follows the discovery of a similar post-themed phishing campaign, dubbed Operation Red Deer, that has been found targeting various Israeli organizations to distribute a remote access trojan called AsyncRAT. The attack has been attributed to a threat actor codenamed Wow.