
Smishing Triad hits Indian users with India Post phishing scams


Photo by Novikov Aleksey / Shutterstock.com

A new campaign by the Chinese Smishing Triad gang is targeting Indian Android and iOS users by impersonating India Post SMS messages. This technique, also known as SMS phishing or ‘smishing’, is a known method used by this cybercriminal syndicate and has previously been used to target users in the United States, France, the United Arab Emirates, the Kingdom of Saudi Arabia, and Pakistan.

The campaign began around July 8, 2024, and involved impersonating India Post to conduct fraudulent activities. The objective is clear: to harvest vast amounts of personally identifiable information (PII) and payment data from unsuspecting victims.

With a population of over 1.4 billion, India has been a favourite target of cybercriminals, especially from China. The vulnerability is amplified by the swift adoption of mobile technology, with projections indicating that the number of smartphone users in the country will reach the billion mark by the mid-2020s.

“Aggregating stolen data in large volumes can be an excellent catalyst for cyberespionage. Nation-state actors, in particular, would be highly interested in collecting such information, potentially masking their activities under the guise of traditional cybercrime,” researchers explained.

Researchers found that although the threat actors had registered multiple domain names impersonating India Post around June, activity had lulled. On July 8, researchers observed that two domain names became active: inddiapost[.]top (Cloudflare) and indiapostyt[.]vip (Tencent).

Malicious phishing website impersonating India Post. | Source: Resecurity

Two more domain names were active on July 9: indiapostos-in[.]com (Cloudflare) and huangcn[.]sbs (Alibaba).

The web addresses used in this deceptive campaign were largely obtained through two specific domain registrars, mirroring tactics observed in earlier operations attributed to the same cybercriminal group.

Researchers found that many of these web addresses were linked with IP addresses previously flagged for fraudulent activities, many of which were hosted on servers operated by major Chinese technology companies.

A sample of the phishing page requesting financial and personal information from victims. | Source: Resecurity

The deceitful text messages employed in this scheme often follow a common pattern. They typically inform the recipient that a package delivery has been unsuccessful due to inaccurate address information. The message then encourages the individual to click on an embedded link, ostensibly to update their delivery details and ensure a new attempt within the next day.

However, this seemingly helpful prompt is merely a ruse. The links direct unsuspecting victims to malicious websites. These sites are cleverly designed to appear legitimate, but their true purpose is to illicitly gather personal information and financial data from those who fall for the scam.
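The lure pattern described above, combined with the look-alike domains listed earlier, can be turned into a simple triage heuristic for SMS logs. The Python below is an added example, not code from the article or from Resecurity's research: it scores a message on the "failed delivery, update your address within a day" phrasing and checks any embedded link against the genuine India Post domain, which this example assumes to be indiapost.gov.in, flagging near-miss spellings of the brand such as the domains registered in this campaign. The sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the legitimate India Post domain is indiapost.gov.in (verify before relying on it).
LEGIT_DOMAINS = {"indiapost.gov.in"}
BRAND_TOKEN = "indiapost"

# Lure phrases the article says recur in the Smishing Triad messages.
LURE_PATTERNS = [re.compile(p, re.I) for p in (
    r"delivery\s+(?:was\s+|has\s+been\s+)?(?:unsuccessful|failed)",
    r"(?:inaccurate|incorrect|incomplete)\s+address",
    r"update\s+(?:your\s+)?(?:delivery\s+)?(?:details|address|information)",
    r"within\s+(?:the\s+next\s+)?(?:24\s*hours|one\s+day|a\s+day|day|\d+\s+hours)",
)]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss brand spellings such as 'inddiapost'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domains(text: str) -> list:
    """Return the lower-cased hostname of every http(s) URL in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_legit(host: str) -> bool:
    """True if the host is the assumed legitimate domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_brand_lookalike(host: str) -> bool:
    """Flag hosts whose labels contain or closely resemble the brand but are not legitimate."""
    if is_legit(host):
        return False
    for label in host.split("."):
        if BRAND_TOKEN in label or levenshtein(label, BRAND_TOKEN) <= 2:
            return True
    return False


def classify_sms(text: str) -> dict:
    """Score one SMS: look-alike link, or two lure phrases plus a link off the legit domain."""
    lure_hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    hosts = extract_domains(text)
    lookalikes = [h for h in hosts if is_brand_lookalike(h)]
    unknown = [h for h in hosts if not is_legit(h)]
    suspicious = bool(lookalikes) or (len(lure_hits) >= 2 and bool(unknown))
    return {
        "suspicious": suspicious,
        "lure_hits": lure_hits,
        "hosts": hosts,
        "lookalike_hosts": lookalikes,
        "unknown_hosts": unknown,
    }


# Constructed sample messages (not real captures); the domains in 0 and 3 are from the article.
SAMPLE_MESSAGES = [
    "India Post: Your package delivery was unsuccessful due to inaccurate address "
    "information. Update your delivery details within 24 hours: https://inddiapost.top/update",
    "Your India Post shipment is out for delivery. Track at https://www.indiapost.gov.in/",
    "Lunch at 1? https://example.org",
    "Delivery unsuccessful, incorrect address on file. Update address within the next day: "
    "https://huangcn.sbs/in",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = classify_sms(msg)
        print(result["suspicious"], result["lookalike_hosts"], result["unknown_hosts"])
```

The fourth sample shows why the lure score matters: huangcn[.]sbs carries no brand token, so a domain-only check would miss it, but the delivery-failure phrasing plus a link off the genuine domain is enough to flag it for review.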

Smishing Triad has been known to impersonate Singapore’s SingPost, France’s La Poste, and several Fortune 500 companies, including Visa and McKinsey & Company.

This massive and growing pool of potential targets in India has caught the attention of online fraudsters and cybercriminals. Of particular concern are text message-based scams, a tactic that has gained popularity among malicious actors. These deceptive messages often masquerade as legitimate communications, tricking recipients into divulging sensitive personal information or financial data.

Recently, there were reports that a Pakistan-based cybercriminal gang, APT-36, was distributing CapraRAT via malicious APKs. On July 10, an RTO phishing campaign was found to target Indian Android users via WhatsApp.

Last month, Pakistani threat actors were found to target Indian government officials via Discord emojis. Furthermore, another Pakistan-based threat actor, Cosmic Leopard, targeted Indian digital users in an operation dubbed ‘Celestial Force.’

Cybercriminals hacked Microsoft India’s X account in June to run a cryptocurrency scam. In May, yet another Pakistani cybercrook group, Transparent Tribe, targeted the Indian aerospace and defence sector.

In other news, more than 15 cybercriminal groups from different countries tried to sabotage the Indian elections in May.

The combination of a large population, rapidly increasing digital connectivity, and the relative ease of executing text-based scams due to low cybersecurity awareness in the country has created a perfect storm for cybercriminals in the region.

Researchers have urged users to verify the sender’s name and email address before replying to an email, report suspicious emails to cybercrime.gov.in, and keep their devices’ operating systems up-to-date.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me