The Chinese-speaking threat actors behind Smishing Triad have been observed impersonating the Federal Authority for Identity and Citizenship of the United Arab Emirates, sending malicious text messages with the ultimate goal of collecting sensitive information about residents and foreigners in the country.
“These criminals send malicious links to victims’ mobile devices via SMS or iMessage and use URL shortening services such as Bit.ly to randomize the links they send,” Resecurity said in a report released this week. “This helps them protect the domain and hosting location of the fake website.”
The cybersecurity firm first documented Smishing Triad in September 2023, highlighting that the group used compromised Apple iCloud accounts to send fraudulent messages in order to commit identity theft and financial fraud.
It is understood that the threat actor also sells ready-to-use fraud toolkits to other cybercriminals for $200 per month, while conducting Magecart-style attacks on e-commerce platforms, injecting malicious code and stealing customer data.
“This fraud-as-a-service (FaaS) model allows the ‘Smishing Triad’ to scale their operations by allowing other cybercriminals to leverage their tools and launch independent attacks,” Resecurity noted.
The latest wave of attacks targets individuals who have recently renewed their residence visas. The SMS fraud campaign works on both Android and iOS devices, and the operators may use SMS spoofing or spam services to carry out the scheme.
Recipients who click on the link embedded in the message are taken to a fake, look-alike website (“rpjpapc[.]top”) that impersonates the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP) and prompts them to enter personal information such as name, passport number, mobile phone number, address and card details.
What is noteworthy about this campaign is that the phishing form is loaded only when the page is accessed from a UAE-based IP address and from a mobile device, a geofencing mechanism that hides the form from everyone else.
“The perpetrators of this act may have had private access to information about UAE residents and foreigners residing in or visiting the country,” Resecurity said.
“This can be accomplished through a third-party data breach, a commercial email breach, a database purchased on the dark web, or other sources.”
News of Smishing Triad’s latest campaign coincides with the emergence of a project called OLVX Marketplace (“olvx[.]cc”), an operation hosted on the clear web that claims to sell tools used to conduct online fraud, such as phishing kits, web shells, and leaked credentials.
ZeroFox said: “While the OLVX Marketplace offers thousands of individual products in numerous categories, its webmasters maintain relationships with various cybercriminals who create custom toolkits and obtain specialized files. This further enhances OLVX’s ability to maintain and attract customers to the platform.”
Cybercriminals abuse Predator bot detection tool for phishing attacks
This revelation comes as Trellix reveals how threat actors are leveraging Predator, an open source tool designed to combat fraud by identifying requests from automated systems, bots or web crawlers, as a building block for various phishing campaigns.
The starting point of the attack is a phishing email sent from a previously compromised account, containing a malicious link that, when clicked, checks whether the incoming request comes from a bot or crawler before redirecting the visitor to a phishing page.
The cybersecurity firm said it discovered various artifacts from threat actors repurposing the original tool by providing a hard-coded list of links, rather than dynamically generating random links when a visitor is detected to be a bot.
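Both the geofencing described for the UAE campaign and the Predator-based bot check rely on the same trick: the phishing form is shown only to the right kind of visitor, so a URL scanner fetching the link with a crawler User-Agent from a datacenter sees a harmless decoy. The following is an added example (not code from the article or from the vendors it cites) of the differential fetch a triage analyst can use to expose such cloaking: the same URL is requested under several client profiles and the responses are compared. `simulated_kit`, the crawler signature list and the URL are constructed stand-ins so the script runs offline; in practice `fetch` would be a real HTTP client routed through in-country mobile egress.

```python
import re

# Constructed list of substrings a cloaking gate typically keys on (assumption).
BOT_UA_RE = re.compile(r"(bot|crawler|spider|curl|python-requests|urlscan)", re.I)

MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1)"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"

# Client profiles to fetch with: (headers, country the egress IP geolocates to).
PROFILES = {
    "crawler_us": ({"User-Agent": CRAWLER_UA}, "US"),
    "desktop_us": ({"User-Agent": DESKTOP_UA}, "US"),
    "mobile_ae": ({"User-Agent": MOBILE_UA}, "AE"),
}


def simulated_kit(url, headers, client_country):
    """Constructed stand-in for a cloaked landing page (test fixture only).

    Serves a decoy unless the client looks like a mobile browser coming from
    the targeted country; otherwise returns the credential-harvesting form.
    """
    ua = headers.get("User-Agent", "")
    if BOT_UA_RE.search(ua) or "Mobile" not in ua or client_country != "AE":
        return 200, "<html><body><h1>Page not found</h1></body></html>"
    return 200, '<form action="/submit"><input name="passport"><input name="card"></form>'


def fetch_variants(url, fetch):
    """Request the URL once per profile; return {profile: response body}."""
    return {name: fetch(url, hdrs, country)[1] for name, (hdrs, country) in PROFILES.items()}


def analyse(url, fetch):
    """Flag cloaking when profiles get different bodies, and report who sees a form."""
    bodies = fetch_variants(url, fetch)
    has_form = {name: bool(re.search(r"<form\b", body, re.I)) for name, body in bodies.items()}
    return {
        "cloaked": len(set(bodies.values())) > 1,
        "form_visible_to": sorted(name for name, seen in has_form.items() if seen),
    }


if __name__ == "__main__":
    print(analyse("https://phishing-kit.invalid/", simulated_kit))
```

A scanner that only fetches from the "crawler_us" profile would report the decoy and miss the form entirely, which is exactly why vendor sandboxes should include mobile User-Agents and in-region egress when verifying SMS-delivered links.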
“Cybercriminals are always looking for new ways to evade detection by organizations’ security products,” said security researchers Vihar Shah and Rohan Shah. “Open source tools like these make their task easier because they can easily use them to avoid detection and achieve their malicious goals more easily.”