EXECUTIVE SUMMARY
The campaign, attributed to a financially motivated criminal group, employs a large-scale smishing operation that masquerades as legitimate brands. It targets telecom operators, financial institutions, and consumer loyalty programs across more than 70 countries, with a heavy focus on Latin America. The attackers use spoofed SMS messages and shortened URLs to lure mobile users, then present a fake CDN error page to hide malicious content. Their ultimate goal is the real-time theft of credit-card credentials and personal identifiers for resale.
The infection chain begins with an SMS that appears to originate from a local carrier and contains a shortened link. When the link is opened, the server checks the visitor's IP geolocation and user-agent fingerprint; any client that does not match the target profile (desktop browsers, scanners, out-of-region addresses) is served a decoy CDN error page. Only vetted victims receive a minimal HTML shell that loads a single-page application whose core code is Base64-encoded and decoded client-side, evading static analysis. The page then opens an encrypted WebSocket channel and streams harvested card numbers, expiration dates, and CVVs in binary packets, while heartbeat pings keep the tunnel alive.
The threat matters because the decoy error pages and geofencing make the infrastructure blend with legitimate traffic, limiting detection by traditional scanners. Encrypted exfiltration further obscures the data flow, while the rapid credential harvest leaves little time for victims to react. Organizations should strengthen SMS anti-spoofing controls and monitor for anomalous short-link activity targeting employees. Deploying real-time network inspection for encrypted WebSocket traffic, enforcing multi-factor authentication on financial portals, and maintaining regular backups of critical systems will reduce exposure and improve recovery options.
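Two of the behaviours described above are observable in ordinary web-proxy logs: a short-link redirect followed seconds later by a WebSocket upgrade from the same client, and a host that answers mobile visitors with a real page but hands everyone else a 5xx "error". The following detector is an added example, not code from the report or from the campaign; the shortener list, the 120-second window and the log records are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Assumptions: a constructed list of public URL-shortener hosts and a 120 s
# window between the short-link redirect and the WebSocket upgrade.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
WINDOW = timedelta(seconds=120)

# Constructed proxy log records (JSON lines), not real traffic: client .5 is a
# mobile victim, .9 a desktop visitor handed the decoy 524 page, .7 a benign
# WebSocket session with no preceding short link.
SAMPLE_LOGS = [
    '{"ts":"2024-01-10T09:00:00","client":"10.0.0.5","host":"bit.ly","status":302,"ua":"Mozilla/5.0 (iPhone)"}',
    '{"ts":"2024-01-10T09:00:02","client":"10.0.0.5","host":"cdn-verify.example","status":200,"ua":"Mozilla/5.0 (iPhone)"}',
    '{"ts":"2024-01-10T09:00:04","client":"10.0.0.5","host":"cdn-verify.example","status":101,"ua":"Mozilla/5.0 (iPhone)","upgrade":"websocket"}',
    '{"ts":"2024-01-10T09:05:00","client":"10.0.0.9","host":"bit.ly","status":302,"ua":"Mozilla/5.0 (Windows NT 10.0)"}',
    '{"ts":"2024-01-10T09:05:01","client":"10.0.0.9","host":"cdn-verify.example","status":524,"ua":"Mozilla/5.0 (Windows NT 10.0)"}',
    '{"ts":"2024-01-10T09:20:00","client":"10.0.0.7","host":"chat.example","status":101,"ua":"Mozilla/5.0 (iPhone)","upgrade":"websocket"}',
]

def parse(line):
    """Decode one JSON record and turn its timestamp into a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def detect_chains(lines):
    """(client, shortener, destination) for each short-link redirect that is
    followed by a WebSocket upgrade from the same client within WINDOW."""
    pending, hits = {}, []
    for r in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if r["host"] in SHORTENER_HOSTS and r["status"] in (301, 302, 307):
            pending[r["client"]] = r          # remember the most recent redirect
        elif r.get("upgrade") == "websocket" and r["client"] in pending:
            first = pending.pop(r["client"])  # stale redirects are discarded
            if r["ts"] - first["ts"] <= WINDOW:
                hits.append((r["client"], first["host"], r["host"]))
    return hits

def cloaking_hosts(lines):
    """Hosts that served 2xx to mobile UAs but 5xx to others: the fingerprint
    gate that hands non-targets the decoy error page."""
    served_ok, served_err = set(), set()
    for r in map(parse, lines):
        mobile = "iPhone" in r["ua"] or "Android" in r["ua"]
        if mobile and 200 <= r["status"] < 300:
            served_ok.add(r["host"])
        elif not mobile and r["status"] >= 500:
            served_err.add(r["host"])
    return sorted(served_ok & served_err)
```

Run against real proxy exports, either signal alone produces noise (legitimate chat apps use WebSockets, and overloaded CDNs do return 524); a host that appears in both results is the one worth a manual look.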
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Defense Evasion | T1027.007 | Obfuscated Files or Information | Dynamic API Resolution |
| Defense Evasion | T1036.001 | Masquerading | Invalid Code Signature |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/smishing-error524-campaign-report/
https://www.group-ib.com/blog/error-524-decoy-smishing/