To safeguard their consumers, telecom operators are reminded by this warning sign to improve their fraud detection skills and aggressively stop such illegal conduct. The researchers have obtained several samples of smishing messages from a purported campaign shared by users of Jazz/Warid, Zong, Telenor Pakistan, and Ufone, among other popular mobile carriers in Pakistan.

By using local phone numbers, the threat actors provide the impression that the recipient is getting a text message from a local postal service or a business trying to get in touch. The actors would pretend as Pakistan Post and demand that the victim arrange payment and enter their credit card details to cover additional fees purportedly required to get a delivery if the victim responds to the phishing link.

Early signs of this activity began to appear in the latter part of May, and early June saw the height of activity. Certain smishing text versions demand that recipients reply to the message to verify receipt. By verifying whether a user is using their mobile device, actors can modify their strategy and more precisely target the user. Concerns over possible fraud or smishing efforts were raised recently after several Pakistani users reported questionable behavior and received suspicious SMS messages.

The threat actors use a variety of evasive tactics to avoid being discovered, such as URL shortening services that can generate QR codes. In a security advisory, the National Cyber Emergency Response Team of Pakistan (PKCERT) shared patterns of detected smishing behavior and urged citizens to take preventative steps to stay safe. The team was also instrumental in uncovering several fraudulent delivery package schemes besides Pakistan Post. People who were expecting authentic shipments from reliable courier firms like FedEx, TCS, and Leopard were the main targets of these scams.

Security researchers discovered that attackers using smishing kits were using several hosts to target Pakistan's postal providers, including Correos, a Spanish state-owned postal company that was previously the victim of Smishing Triad activity from the previous year. Multiple domain names were found to be linked to the same IP address. This attests to the group's ongoing targeting of victims who are EU citizens. Smishing Triad was earlier targeting Correos in July 2023.

Smishing, also known as SMS phishing, is a tactic used in text messaging that tries to fool recipients into divulging personal information or clicking on rogue links. Unwanted text messages should be carefully ignored, especially if they request personal information or include dubious links. Trustworthy companies usually do not SMS requests for private information. Ignoring and refusing to answer dubious text messages is the easiest line of protection against smishing attempts.

Impact

• Sensitive Data Theft
• Financial Loss
• Identity Theft

Indicators of Compromise

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails or SMSs from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement email filtering and anti-phishing solutions to detect and block malicious emails before they reach users' inboxes.
• Educate employees about the risks of phishing attacks and provide training on how to recognize and report suspicious emails or SMSs.
• Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
• Deploy endpoint security solutions, including antivirus software and intrusion detection systems, to detect and mitigate malicious payloads delivered through phishing emails.
• Regularly update and patch software and operating systems to address vulnerabilities that could be exploited by cyber attackers.
• Utilize network monitoring and logging tools to detect and respond to unusual or suspicious network activity indicative of a phishing attack.
• Enforce strict access controls and least privilege principles to limit the impact of successful phishing attacks by restricting user permissions and access to sensitive data and systems.
• Implement multi-factor authentication (MFA) to add an extra layer of security to user accounts and prevent unauthorized access in the event of compromised credentials.
• Establish incident response procedures and protocols to quickly identify, contain, and remediate phishing attacks, including communication plans for notifying affected parties and stakeholders.
• Collaborate with industry partners, government agencies, and cybersecurity organizations to share threat intelligence and best practices for defending against phishing attacks.