Smishing Triad smishing campaign impersonates critical services and crypto exchanges

A large-scale smishing campaign impersonating critical services, online platforms, and cryptocurrency exchanges has been targeting users worldwide since April 2024, cybersecurity firm Palo Alto Networks warns.

The operation, which has been linked to a Chinese-speaking threat group known as Smishing Triad, has used over 194,000 malicious domains since the beginning of 2024. The campaign initially focused on toll and package delivery impersonations but has since expanded to mimic healthcare providers, banks, cryptocurrency exchanges, law enforcement agencies, social media platforms, and government services.

Palo Alto Networks first reported on the threat in March 2024 after detecting more than 10,000 domains spoofing toll and delivery services. By April, that number had increased to over 91,500 root domains.

While most of the attacks target US users, victims have also been identified in Europe, Asia-Pacific, and the Middle East, including countries such as Australia, Germany, the UK, and the UAE.

The Smishing Triad, active since at least 2023, is known for sending SMS phishing messages that impersonate legitimate entities and direct recipients to fake websites designed to steal sensitive information such as Social Security numbers and national identifiers. Earlier this year, the group promoted a new phishing kit dubbed Lighthouse on its Telegram channel, advertising its ability to target major Western banks and financial institutions.

Researchers believe the campaign operates as part of a phishing-as-a-service (PhaaS) ecosystem involving multiple roles, including data brokers, domain sellers, hosting providers, phishing kit developers, and SMS spammers. Analysis shows that over 82% of the domains used had a lifespan of less than two weeks, with nearly 30% active for two days or less.

“The campaign is highly decentralized, lacking a single point of control, and uses a large number of domains and a diverse set of hosting infrastructure. This is advantageous for the attackers as churning through thousands of domains weekly makes detection more difficult,” the company noted.
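As an added defender-side example (not code from the article or from Palo Alto Networks): the script below reproduces the lifespan breakdown the report quotes from a constructed table of domain first-seen/last-seen dates, and flags URLs in an SMS whose domain is unknown or was first seen less than two weeks ago. The `OBSERVATIONS` table, its domain names and dates, and the `flag_sms` helper are all assumptions made for the example.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample records: domain -> (first_seen, last_seen).
# Every name and date here is invented for the example; none is an
# indicator from the Palo Alto Networks report.
OBSERVATIONS = {
    "toll-notice.example": (date(2024, 4, 1), date(2024, 4, 2)),    # 2 days
    "parcel-hold.example": (date(2024, 4, 3), date(2024, 4, 3)),    # 1 day
    "coin-verify.example": (date(2024, 4, 5), date(2024, 4, 15)),   # 11 days
    "bank-alert.example":  (date(2024, 4, 1), date(2024, 5, 20)),   # 50 days
    "shop.example":        (date(2023, 1, 1), date(2024, 5, 20)),   # long-lived
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def lifespan_days(first_seen, last_seen):
    """Inclusive number of days a domain was seen active."""
    return (last_seen - first_seen).days + 1


def lifespan_profile(observations, short=2, medium=14):
    """Return (share active <= `short` days, share active < `medium` days),
    the two churn figures the report quotes (about 30% and 82%)."""
    spans = [lifespan_days(first, last) for first, last in observations.values()]
    total = len(spans)
    return (sum(s <= short for s in spans) / total,
            sum(s < medium for s in spans) / total)


def flag_sms(sms_text, observations, today_iso, max_age_days=14):
    """Return (host, age_in_days) for every URL in an SMS whose domain is
    unknown (age None) or was first seen fewer than `max_age_days` ago.
    Domains churned weekly are necessarily young when the SMS lands, so
    domain age is a cheap first-pass signal for triage."""
    today = date.fromisoformat(today_iso)
    flagged = []
    for url in URL_RE.findall(sms_text):
        host = urlparse(url).hostname
        if host is None:
            continue
        record = observations.get(host.lower())
        age = None if record is None else (today - record[0]).days
        if age is None or age < max_age_days:
            flagged.append((host, age))
    return flagged
```

In practice the `OBSERVATIONS` table would be fed from passive DNS or a domain-age lookup rather than hand-written.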

