New Findings on Ongoing Smishing Campaigns
Recent investigations by Palo Alto Networks’ Unit 42 have unveiled a significant and persistent smishing campaign, which has been tied to over 194,000 malicious domains since January 1, 2024. This alarming rise in smishing activity is targeting a diverse array of services worldwide, raising concerns about the security of personal information across multiple platforms.
The Infrastructure Behind the Attack
Research indicates that despite the domains being registered through a registrar based in Hong Kong and utilizing Chinese nameservers, the attack’s infrastructure is largely hosted on popular cloud services in the United States. Security experts, including Reethika Ramesh, Zhanhao Chen, and others, have underscored this paradoxical nature of the operation, which represents a sophisticated threat landscape.
Identifying the Smishing Triad
This series of smishing attacks has been linked to a group referred to as the Smishing Triad. This collective is notorious for bombarding mobile users with deceptive messages regarding toll violations and package deliveries. The aim is to provoke immediate reactions, encouraging victims to divulge sensitive personal information. The success of these campaigns has been staggering, with estimates suggesting the group has amassed more than $1 billion in profits over the last three years, highlighting the dangerous profitability of such cyber crimes.
Techniques and Targeted Accounts
Adding to the urgency, a recent Fortra report has revealed that phishing kits connected to the Smishing Triad are increasingly targeting brokerage accounts. These attacks surged fivefold in the second quarter of 2025 compared to the same period last year. Security researcher Alexis Ober pointed out that once attackers compromise an account, they may manipulate stock prices using "ramp and dump" strategies, tactics that leave little evidence behind and increase the financial threat posed by these operations.
The Ecosystem of Phishing-as-a-Service
The Smishing Triad’s evolution is notable; they have transformed from mere providers of phishing kits to a robust community engaging various threat actors. This ecosystem encompasses developers of phishing kits, data brokers selling target phone numbers, domain registrars registering temporary domains, hosting providers supplying servers, spammers distributing phishing messages, and even tools for validating and rotating these domains. Each element plays a critical role in the phishing-as-a-service (PhaaS) model that thrives in this landscape.
Analysis of Domain Usage and Registration
Unit 42’s examination revealed that approximately 93,200 of the 136,933 root domains were registered under Dominet (HK) Limited, a Hong Kong-based registrar. Interestingly, domains prefixed with “com” dominate the registrations, although there has been a notable uptick in “gov” domains recently.
The data also shows that 39,964 domains were active for only two days or less, with 71.3% being operational for less than a week. Furthermore, an alarming 82.6% had been active for two weeks or less. This rapid turnover indicates a strategic reliance on short-lived, quickly registered domains, enabling the campaign to evade detection effectively.
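As an added example (not part of the Unit 42 report or this article), the following Python reproduces the kind of lifespan analysis described above: it buckets domains by inclusive days active (two days or less, under a week, two weeks or less) from first-seen/last-seen observations and flags short-lived domains whose leading label mimics a TLD or brand such as "com", "gov" or "usps". All domain names and dates below are constructed for illustration.

```python
from datetime import date
from typing import List, Optional, Tuple

# Constructed passive-DNS style observations: (domain, first_seen, last_seen).
# These are made-up names for illustration, not indicators from the report.
SAMPLE_OBSERVATIONS: List[Tuple[str, date, date]] = [
    ("com-toll-pay-example.top", date(2025, 3, 1), date(2025, 3, 2)),
    ("gov-fee-notice-example.xyz", date(2025, 3, 3), date(2025, 3, 3)),
    ("usps-tracking-example.cn", date(2025, 3, 1), date(2025, 3, 6)),
    ("com-parcel-redelivery-example.top", date(2025, 3, 2), date(2025, 3, 13)),
    ("legit-longlived-example.org", date(2024, 1, 1), date(2025, 3, 15)),
]

# Lifespan buckets mirroring the report's breakdown (inclusive days active).
BUCKETS = (("<=2 days", 2), ("<1 week", 6), ("<=2 weeks", 14))

# Leading labels that imitate a TLD or an impersonated brand.
IMPERSONATION_PREFIXES = ("com", "gov", "usps")


def active_days(first_seen: date, last_seen: date) -> int:
    """Inclusive number of days a domain was observed resolving."""
    return (last_seen - first_seen).days + 1


def lifespan_breakdown(observations) -> dict:
    """Cumulative percentage of domains active within each bucket limit."""
    total = len(observations)
    spans = [active_days(first, last) for _, first, last in observations]
    return {
        label: round(sum(1 for s in spans if s <= limit) / total * 100, 1)
        for label, limit in BUCKETS
    }


def impersonation_prefix(domain: str) -> Optional[str]:
    """Return the mimicking prefix ('com', 'gov', 'usps') or None.

    Only an exact first label or a 'prefix-' form counts, so a legitimate
    name like 'company-x.com' is not flagged by the 'com' rule.
    """
    first_label = domain.lower().split(".")[0]
    for prefix in IMPERSONATION_PREFIXES:
        if first_label == prefix or first_label.startswith(prefix + "-"):
            return prefix
    return None


def short_lived_suspects(observations, max_days: int = 14) -> List[str]:
    """Domains that both churn quickly and carry an impersonation prefix."""
    return [d for d, first, last in observations
            if active_days(first, last) <= max_days and impersonation_prefix(d)]
```

Feeding real first-seen/last-seen data from passive DNS or certificate transparency into the same functions turns the report's statistics into a reusable triage filter.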
Services Most Frequently Impersonated
The analysis highlighted that the U.S. Postal Service (USPS) is the most frequently impersonated service, with a staggering 28,045 registered domains. Phishing efforts leveraging toll service scams top the impersonation categories, accounting for about 90,000 dedicated phishing domains. These campaigns have been observed mimicking a variety of services, including banks, delivery systems, and e-commerce platforms across several countries.
Exploiting Government Services
Phishing schemes impersonating government services often redirect victims to phishing pages demanding payment for fictitious toll violations or service fees. In some instances, these scams utilize ClickFix tactics to fool users into executing harmful code under the guise of completing a verification step.
Unit 42 emphasized that the smishing campaigns impersonating U.S. toll services are not isolated incidents; instead, they represent a large-scale, decentralized operation that impersonates numerous services across different sectors. Attackers are registering and cycling through thousands of new domains daily, showcasing the extensive reach and evolving nature of these threats.