A sophisticated text message phishing campaign originating from China has emerged as one of the most extensive cybersecurity threats targeting users worldwide.<\/p>\n
The operation, attributed to a threat collective known as the Smishing Triad, represents a massive escalation in SMS-based fraud, impersonating services across banking, healthcare, law enforcement, e-commerce, and government sectors.<\/p>\n
What began as isolated incidents of toll violation notices has evolved into a coordinated global campaign affecting users in over 121 countries.<\/p>\n
Palo Alto Networks analysts identified the campaign\u2019s unprecedented scale through comprehensive threat intelligence gathering.<\/p>\n
Their research uncovered 194,345 fully qualified domain names spanning 136,933 root domains registered since January 2024.<\/p>\n
The attack infrastructure demonstrates remarkable sophistication, with threat actors registering and cycling through thousands of domains daily to evade detection mechanisms.<\/p>\n
The majority of these domains<\/a> flow through Dominet (HK) Limited, a Hong Kong-based registrar, while utilizing Chinese nameservers for DNS infrastructure.<\/p>\n However, the actual hosting infrastructure concentrates within U.S. cloud services, particularly within autonomous system AS13335 on the 104.21.0.0\/16 subnet.<\/p>\n The campaign\u2019s delivery mechanisms have undergone significant transformation. Early attacks employed email-to-SMS features through iMessage, but threat actors have recently transitioned to direct phone number-based delivery.<\/p>\n Messages predominantly originate from Philippine international codes (+63) and U.S. numbers (+1), creating an illusion of legitimacy.<\/p>\n The phishing messages themselves employ sophisticated social engineering<\/a> tactics, incorporating targeted personal information and technical jargon to establish urgency and credibility.<\/p>\n Palo Alto Networks researchers noted<\/a> that the operation functions as a comprehensive Phishing-as-a-Service ecosystem operating through Telegram channels.<\/p>\n Analysis of the Smishing Triad\u2019s communication networks revealed a highly specialized supply chain with distinct roles.<\/p>\n Data brokers sell target phone numbers, domain sellers register disposable domains, and hosting providers maintain backend infrastructure.<\/p>\n Phishing kit developers create frontend interfaces and credential harvesting<\/a> dashboards, while SMS spammers deliver messages at scale.<\/p>\n Supporting roles include liveness scanners verifying active phone numbers and blocklist scanners monitoring domain reputation to trigger rapid asset rotation.<\/p>\n The campaign\u2019s infrastructure exhibits remarkable resilience through decentralization and rapid domain cycling.<\/p>\n Palo Alto Networks analysts observed that 29.19 percent of domains remain active for two days or less, with 71.3 percent lasting under one week.<\/p>\n Domain naming conventions typically follow hyphenated string patterns like gov-addpayment.info or com-posewxts.top, deliberately crafted to deceive casual inspection.<\/p>\n The Telegram chat records shows various underground service providers competing within the PhaaS<\/a> ecosystem.<\/p>\n While the interconnected infrastructure reveals how 90 different root domains route through concentrated IP address clusters within Cloudflare\u2019s network infrastructure.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Text Message Based Phishing Attack from China Targeting Users Around the Globe<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgVVx2dTdI5qmXrAVZlQj-lJ3XaZOv0DxnWK8OQEj1KM5_Du2auTvmwDX_SBBSeF1syNS9bOj-yNRpHxMQllKaAEiifQI16RfMdvkZGkoCecswy0HLE7vr85kmqQPhtJ0h6jYg_vdGhLOJ2sjKiWTLqIw2TBrMjD-jgDqqz11sRHeoJzazvLiifGDgTki8\/s16000\/The%2520PhaaS%2520ecosystem%2520of%2520the%2520Smishing%2520Triad%2520%28Source%2520-%2520Palo%2520Alto%2520Networks%29.webp?ssl=1\")
Underground Infrastructure and Domain Lifecycle<\/strong><\/h2>\n