Threat Advisory

Threat Actors Use Fake Domains to Target Users Through Deceptive URLs

Threat: Phishing Campaign
Targeted Region: Global
Targeted Sector: Technology & IT, Government & Defense
Criticality: High


EXECUTIVE SUMMARY:

A significant surge in malicious online activity has been identified, where threat actors have registered thousands of domains designed to impersonate legitimate brands and government services. These fraudulent domains are being used to launch smishing campaigns, targeting unsuspecting individuals through deceptive text messages. The attackers aim to steal sensitive data or trick victims into making fraudulent payments through counterfeit landing pages.

The malicious domains follow carefully crafted naming conventions, often blending legitimate brand names or government services with suspicious subdomains. These domains are designed to visually mimic authentic services, creating a false sense of trust among users. The domains are primarily registered with a specific registrar, and millions of interactions with these domains have been observed, demonstrating the effectiveness of the attackers' methods. Attackers continue to refine their tactics, including cloaking techniques that change the content displayed based on the user accessing the site, making it harder for both users and automated security systems to detect malicious activity.

The rapid expansion of this smishing campaign highlights the increasing use of domain spoofing to deceive users. As the techniques evolve, both individuals and organizations must remain vigilant, implementing proactive measures such as blocking newly registered domains and monitoring for suspicious activity. While traditional defenses may be effective for a limited time, attackers' use of short-lived domains and cloaking methods presents a growing challenge for defensive systems. Ongoing adaptation and awareness will be crucial in mitigating the impact of these pervasive threats.
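The two defensive measures named above (flagging hostnames that embed a brand or government name outside the brand's genuine domain, and flagging newly registered domains) can be combined into a simple triage check for URLs extracted from text messages. The following is an added example, not code from the advisory; the brand list, registration dates and sample URLs are all constructed, and a real deployment would take registration dates from WHOIS/RDAP and use the public suffix list instead of the naive two-label heuristic.

```python
"""Triage check for brand-in-subdomain and newly registered domains."""
from datetime import date
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> its genuine registrable domain(s).
LEGIT_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "govportal": {"govportal.gov"},
}

# Constructed registration dates standing in for WHOIS/RDAP lookups.
REGISTRATION_DATES = {
    "examplebank-secure.top": date(2025, 3, 1),
    "examplebank.com": date(2001, 5, 20),
    "verify-govportal.xyz": date(2025, 3, 4),
}

# Domains registered within this many days are treated as "newly registered".
NEW_DOMAIN_DAYS = 30


def registrable_domain(host: str) -> str:
    """Naive last-two-labels heuristic (assumption); use the public suffix
    list, e.g. the tldextract package, in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, today: date) -> list[str]:
    """Return the reasons a URL looks like a spoofed brand/government domain.
    An empty list means no indicator fired."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    reg = registrable_domain(host)
    reasons = []
    # 1. Brand keyword appears in the hostname, but the registrable domain is
    #    not the brand's genuine one: lookalike subdomain or host label.
    for brand, genuine in LEGIT_DOMAINS.items():
        if brand in host and reg not in genuine:
            reasons.append(f"brand '{brand}' used outside {sorted(genuine)}")
    # 2. Registrable domain was registered within the last NEW_DOMAIN_DAYS.
    registered = REGISTRATION_DATES.get(reg)
    if registered is not None:
        age = (today - registered).days
        if age <= NEW_DOMAIN_DAYS:
            reasons.append(f"domain {reg} registered {age} days ago")
    return reasons
```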


THREAT PROFILE:

Tactic                Technique Id   Technique
Initial Access        T1566          Phishing
Execution             T1204          User Execution
Collection            T1056          Input Capture
Collection            T1213          Data from Information Repositories
Command and Control   T1071          Application Layer Protocol
Exfiltration          T1041          Exfiltration Over C2 Channel
Impact                T1485          Data Destruction


REFERENCES:

The following reports contain further technical details:
