Mobile phishing attack targets users of the Indian postal system

A China-based hacker group called Smishing Triad has been conducting text message phishing attacks against individuals in India, using the country’s government postal system as bait.

The threat actors target iPhone users with text messages that falsely claim that a package is ready for pickup at an India Post warehouse. The deceptive messages contain URLs that lead to fraudulent websites.

According to a new report from Fortinet FortiGuard Labs, between January and July 2024 more than 470 domain registrations mimicked India Post’s official domain, with the majority registered through Chinese and American domain registrars.

Researchers at FortiGuard Labs discovered phishing emails sent via iMessage using third-party email addresses such as Hotmail, Gmail, and Yahoo. Apple ID accounts configured with these third-party email addresses send the malicious messages with short URLs that redirect recipients to the fraudulent websites.

Text phishing becomes a mass phenomenon

India Post is just the latest postal service to face mobile phishing attacks. The US Postal Service (USPS) was recently abused in smishing attacks orchestrated by a single threat actor based in Tehran. Another recent smishing attack targeted US citizens and informed them that they had unpaid road tolls, with the aim of forcing victims to disclose their banking details.

Stephen Kowski, Field CTO at SlashNext Email Security+, says the India Post phishing campaign underscores the evolving tactics of threat actors.

“They are now using trusted communication channels like iMessage to deceive victims. This highlights the need for comprehensive protection against mobile web threats that can detect and block malicious URLs, even when they are wrapped in encrypted messages,” he says.

As SMS and other text-based attacks become more sophisticated, organizations must prioritize training their users to recognize and report suspicious messages, he notes. “They must also implement robust security measures that can verify and mitigate threats in real time, regardless of the communication channel used.”

By extending security controls to the mobile internet, companies can better protect their users from these types of attacks, even when they occur outside traditional network boundaries.

“Mobile First” attacks are increasing

Given the variety of phishing vectors available to attackers – be it SMS, QR codes, third-party communication apps or private emails – mobile devices are a preferred target for phishing campaigns.

This, combined with the relatively false sense of security that most users and organizations have about mobile devices and a lack of active security controls, makes mobile phishing campaigns a low-risk but high-reward endeavor for attackers seeking to obtain personal and corporate information.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says these types of “mobile-first” attacks are becoming more common every day.

“Cybercriminals and hackers have realized that there is a false sense of security with mobile devices, especially iOS devices,” he says.

Users tend to be less cautious on their mobile devices than they would be on a traditional computer or laptop, and they rarely have appropriate security controls in place on their mobile devices.

“Our own research has shown that there has been a significant increase in mobile phishing attacks recently, which do not fully execute the attack until the link is clicked from a mobile device,” he says. “Users need to be wary of anything that seems unusual, especially in the context of a text message or SMS.”

He advises companies to protect their employees’ phones with strong mobile device security to guard against exactly this type of attack or worse.