Smishing Triad targets India with large-scale "India Post" themed iMessage phish texts
Last updated 10 months ago

Background

Many people who own an iPhone in India woke up to an "India Post" themed phishing iMessage from a spurious and suspicious email ID. A lot of people are talking about it, and it has been covered to some extent. This blog is an attempt to uncover the infrastructure behind the campaign, identify the scale of the operation, and discuss the TTPs leveraged in detail.

As of 12/07/2024, this campaign was attributed to a group called "Smishing Triad", a Chinese-speaking threat actor group that has previously targeted USPS and US citizens in a similar fashion.

References: see the links at the end of this post.

The Modus Operandi

The threat actor seemed to be careful not to follow a specific pattern but here's the most general characteristics of these messages:

  • Sender is {{something}}@gmail.com/@outlook.com/@hotmail.com in most cases but in a few cases, custom domains were identified.

  • The content (hook) is mostly uniform and revolves around a specific package that was undelivered due to incomplete address information; it urges users to open a link and update the address to receive the post.

  • Further, the page attempts to steal payment information along with information related to the user. This data was identified to be used

Evasion tactics

  • The message asks the recipient to "Reply with Y" and then come back to activate the link. This is to combat Apple's protection that disables links from unknown senders.

  • A few of the landing pages were "User-Agent" fenced. For instance, the URL (currently inactive) hxxps(:)//indiapost-id(.)top/BRblTi/ responds differently to a Windows user agent vs. an iPhone user agent. However, this wasn't the case with all the URLs; a few URLs didn't contain this protection.

  • Cloudflare was seen in front of a few URLs. Threat actors often use Cloudflare to hide the IP behind the domains.
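One way to check for the user-agent fencing described above, as an added example that is not part of the original post: the helper fetches one URL with an iPhone and a Windows user agent and reports whether the status, final URL or body differ. The user-agent strings are constructed, and `fetch` is injectable so the comparison can be exercised offline against an inactive URL.

```python
"""Report whether a landing page answers differently to mobile and desktop UAs."""
import hashlib
import urllib.error
import urllib.request

# Constructed user-agent strings for illustration (not taken from any capture).
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")
WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36")


def http_fetch(url, user_agent, timeout=10):
    """Return (status, final_url, body) for url; status is None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read()
    except urllib.error.HTTPError as err:   # 4xx/5xx answers still carry a body
        body = err.read() if err.fp is not None else b""
        return err.code, getattr(err, "url", url), body
    except OSError:                         # DNS failure, refused, timeout (URLError is an OSError)
        return None, url, b""


def summarize(status, final_url, body):
    """Keep only the fields worth comparing between the two fetches."""
    return {"status": status, "final_url": final_url, "length": len(body),
            "sha256": hashlib.sha256(body).hexdigest()}


def ua_fence_report(url, fetch=http_fetch):
    """Fetch url as iPhone and as Windows; list every summarized field that differs."""
    mobile = summarize(*fetch(url, IPHONE_UA))
    desktop = summarize(*fetch(url, WINDOWS_UA))
    differences = {k: (mobile[k], desktop[k]) for k in mobile if mobile[k] != desktop[k]}
    return {"url": url, "fenced": bool(differences), "differences": differences}


if __name__ == "__main__":
    import sys
    print(ua_fence_report(sys.argv[1]))
```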

Attack Timeline

The attack started around the first week of April with a domain called "indiaapost[.]icu", which pointed to 74.48.84.92. As of now, several domains including this one point to "Department of Posts, Government of India". This isn't a legitimate domain, but I believe this is a way to disrupt the investigations that are happening right now.

Analysis of Adversary Infrastructure

The infra is mostly on the following ASNs:

  • Limenet

  • Alibaba Cloud

  • Tencent Cloud

  • LightNode

  • Multacom

The targets currently identified are: India Post, Singapore Post & Morgan Stanley (IoCs are below)

Indicators

Recommendation

  • There is no action required from your end except not being foolish enough to click the links and submit information. The IoCs are shared with law enforcement authorities.

  • Upon looking at analysis done by fellow analysts, the money and resources spent on this seem to be substantial and the techniques that they're using indicate that these are not script kiddies.

  • Implement MFA and don't reuse passwords, as the credentials you've entered in these phishing pages might be reused once leaked onto the dark web.

- Excellent analysis doxing the group and their activities.

The link was mostly a typosquat domain of India Post. In a few cases, they've used a URL shortener.
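A small triage helper for the typosquat domains and defanged IoCs discussed here, added as an example and not taken from the original post: it refangs the hxxp / (.) / [.] notation used above, extracts the hostname, and flags a domain whose second-level label contains or is within one edit of the brand keyword. The brand keyword, the allowlisted legitimate domain and the naive two-label registrable-domain rule (no public-suffix list) are assumptions of this example.

```python
"""Refang defanged indicators and flag India Post lookalike domains."""
import re
from urllib.parse import urlsplit

# Constructed for this example: the brand string the campaign imitates and the
# legitimate domain that must never be flagged. Extend both for real triage.
BRAND_KEYWORDS = ("indiapost",)
ALLOWLIST = ("indiapost.gov.in",)


def refang(indicator):
    """Undo the hxxp, (:), [:], (.) and [.] defanging used in IoC lists."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("(:)", ":"), ("[:]", ":"), ("(.)", "."), ("[.]", ".")):
        s = s.replace(defanged, real)
    return s


def hostname(indicator):
    """Lower-case hostname of a refanged URL or bare domain ('' if unparsable)."""
    s = refang(indicator)
    try:
        return (urlsplit(s if "://" in s else "//" + s).hostname or "").lower()
    except ValueError:                      # e.g. stray brackets urlsplit rejects
        return ""


def edit_distance(a, b):
    """Levenshtein distance; one edit catches typosquats such as a doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator):
    """Return 'legitimate', 'lookalike', 'unrelated' or 'unparsable'."""
    host = hostname(indicator)
    if not host or "." not in host:
        return "unparsable"
    if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
        return "legitimate"
    # Assumption: naive registrable-domain rule, the second-level label is the
    # brand carrier; hyphens and digits are stripped before comparison.
    sld = re.sub(r"[^a-z]", "", host.split(".")[-2])
    for brand in BRAND_KEYWORDS:
        if brand in sld or edit_distance(sld, brand) <= 1:
            return "lookalike"
    return "unrelated"
```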

A few domains used in the campaign do not point to Department of Posts IP addresses. More details here.

All the indicators are published. A total of 135 domains and 15 IP addresses are present. The IoCs should be used in conjunction with other indicators mentioned in the following blogs:

If you've been impacted, please reach out to the relevant authorities at https://cybercrime.gov.in/.

Links referenced in this post:

  • Resecurity's blog on Smishing Triad: https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft
  • Malpedia entry on Smishing Triad: https://malpedia.caad.fkie.fraunhofer.de/actor/smishing_triad
  • A CTI analyst, Bablu Kumar's, blog post regarding this campaign
  • Indian cybercrime reporting portal: https://cybercrime.gov.in/
Figures in the original post (captions only):

  • An AI generated image that depicts a hacker working on a computer while eating pizza
  • Phishing messages that were received
  • The initial landing page
  • Phishing iMessage links
  • DNS history of a malicious domain
  • A few domains currently pointing to Dept of Posts