JAKARTA - Unit 42, the threat intelligence team at Palo Alto Networks, has revealed a large-scale global smishing campaign that it has linked to a group known as the Smishing Triad.
During its in-depth research, Palo Alto Networks found that the threat is much wider and more complex: since April 2024, the attackers have expanded their operations to many countries with increasingly mature social engineering tactics.
Based on these findings, the impersonated targets span important sectors, ranging from banking, crypto platforms, health services, law enforcement, and social media to e-commerce.
"We have identified more than 194,000 dangerous domains associated with this operation since January 1, 2024. Although these domains are registered through Hong Kong-based registrars and use Chinese nameservers, the main attack infrastructure is hosted on popular US cloud services," the findings read.
The campaign is also said to be highly decentralized and to process thousands of new domains every week, which makes detection much more difficult because the domains are short-lived and constantly changing.
The global scale, complex infrastructure, and highly realistic phishing pages suggest a large phishing-as-a-service (PhaaS) operation behind this campaign, Unit 42 said in its report.
Generally, the perpetrators use SMS messages designed to create a sense of urgency, then direct victims to phishing sites to steal sensitive data, such as national identification numbers, home addresses, payment details, and login credentials.
Even worse, these findings show a shift to the use of direct phone numbers. Unit 42 found messages sent from numbers with the +63 (Philippines) and +1 (US) country codes.
In its investigation, Unit 42 also mapped activity on the Telegram channel associated with the Smishing Triad. Over the past six months, the channel has grown into a large community offering various illegal services, ranging from domain registration and data sales to mass messaging over SMS/RCS/IM.
The perpetrators are divided across the smishing supply chain, ranging from data brokers, domain sellers, hosting providers, and phishing kit developers to spammers who send messages on a large scale. There are also supporting services such as active number scanners and block list checkers.
With thousands of new domains daily and updated tactics, Unit 42 assesses that the campaign poses a global threat to individual users in various countries.