Security Awareness – Smishing Campaign Targeting U.S. Citizens in Postal Scam

A group of cyber criminals, tracked as “Smishing Triad,” is conducting a large-scale smishing (SMS phishing) campaign targeting U.S. citizens and purporting to be from the United States Postal Service (USPS), according to security researchers at Resecurity. Since users typically trust SMS communication channels more than e-mail, this campaign has reportedly compromised over 100,000 victims.

According to security researchers, Smishing Triad’s latest campaign targeting U.S. users is unique because the victims were contacted solely through iMessages delivered from compromised Apple iCloud accounts. The message, purporting to be from USPS, urges victims to click the link and enter their information so they can receive their package. In reality, the threat actors collect the victims’ personal identifiable information (PII) and financial information to use for fraud and other malicious activities. Researchers previously observed similar scams targeting FedEx and UPS customers. Smishing Triad has also sold a range of country-specific postal service “smishing kits” to other cybercriminals. When the Resecurity team analyzed the kits, they discovered an SQL injection vulnerability, which they used to recover the compromised data of more than 108,000 Smishing Triad victims.

Water and wastewater systems continue to experience phishing and smishing attacks. WaterISAC has received reports this year of utilities being targeted in smishing attacks, with one case involving a spoofed text message purporting to be from a financial institution. In this instance, the utility notified its employees of the threat and submitted a report to WaterISAC to ensure others in the sector would be aware of the malicious activity.

Members are encouraged to report suspicious or criminal activity, including smishing attempts to their local FBI field office. WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector. Access the original blog post at Resecurity or read a related article.