Smishing Campaign Attributed to Over 194,000 Malicious Domains
A large-scale, ongoing smishing campaign has been linked to more than 194,000 malicious domains since January 1, 2024, targeting various services worldwide, according to recent findings from Palo Alto Networks Unit 42.
Security researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi, and Moe Ghasemisharif observed that although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular U.S. cloud services.
The activity has been attributed to a China-linked group known as the Smishing Triad, which is known to flood mobile devices with fraudulent toll violation and package misdelivery notices to trick users into taking immediate action and providing sensitive information.
These campaigns have proven to be lucrative, allowing the threat actors to make more than $1 billion over the last three years, according to a recent report from The Wall Street Journal.
In a report published earlier this week, Fortra said phishing kits associated with the Smishing Triad are being used to increasingly target brokerage accounts to obtain banking credentials and authentication codes, with attacks targeting these accounts witnessing a fivefold jump in the second quarter of 2025 compared to the same period last year.
“Once compromised, attackers manipulate stock market prices using ‘ramp and dump’ tactics,” security researcher Alexis Ober said. “These methods leave almost no paper trail, further heightening the financial risks that arise from this threat.”
The adversarial collective is said to have evolved from a dedicated phishing kit purveyor into a “highly active community” that brings together disparate threat actors, each of whom plays a crucial role in the phishing-as-a-service (PhaaS) ecosystem.
This includes phishing kit developers, data brokers (who sell target phone numbers), domain sellers (who register disposable domains for hosting the phishing sites), hosting providers (who provide servers), spammers (who deliver the messages to victims at scale), liveness scanners (who validate phone numbers), and blocklist scanners (who check the phishing domains against known blocklists for rotation).
 |
| The PhaaS ecosystem of the Smishing Triad |
Unit 42’s analysis has revealed that nearly 93,200 of the 136,933 root domains (68.06%) are registered under Dominet (HK) Limited, a registrar based in Hong Kong. Domains with the prefix “com” account for a significant majority, although there has been an increase in the registration of “gov” domains in the past three months.
Of the identified domains, 39,964 (29.19%) were active for two days or less, 71.3% of them were active for less than a week, 82.6% of them were active for two weeks or less, and less than 6% had a lifespan beyond the first three months of their registration.
“This rapid churn clearly demonstrates that the campaign’s strategy relies on a continuous cycle of newly registered domains to evade detection,” the cybersecurity company noted, adding the 194,345 fully qualified domain names (FQDNs) used in the resolve to as many as 43,494 unique
Source Link
