iMessage smishing

A large-scale SMS phishing (smishing) campaign distributed via iMessage involving more than 10,000 domains registered by a threat actor was discovered recently.

These domains are designed to impersonate toll services and package delivery platforms across multiple U.S. states and one Canadian province, aiming to deceive victims into revealing sensitive personal and financial information.

Cyber Security News learned that the registered domains follow a consistent pattern, with root domain names beginning with the string “com-.” This naming convention is intended to mislead victims during casual inspections of URLs, making the domains appear legitimate. Examples of root domains include:

  • com-2h98[.]xin
  • com-courtfees[.]xin
  • com-securebill[.]xin
  • com-ticketd[.]xin

Fully qualified domain names (FQDNs) associated with the campaign further bolster the impersonation by mimicking well-known toll and delivery services. Examples include:

  • dhl.com-new[.]xin
  • ezdrive.com-2h98[.]xin
  • fedex.com-fedexl[.]xin
  • sunpass.com-ticketap[.]xin

The campaign spans at least ten U.S. states (California, Florida, Illinois, Kansas, Massachusetts, Pennsylvania, New Jersey, New York, Texas, and Virginia) as well as Ontario in Canada. These domains imitate regional toll services and package delivery providers to enhance their credibility.
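The "com-" root-label pattern and the brand-named subdomains described above are easy to turn into a triage check over a list of observed hostnames. The following is an added example, not code from the article or the researchers tracking the campaign; the brand list is an assumption chosen for illustration, and the sample input mixes the domains listed above with two constructed benign hostnames.

```python
"""Flag hostnames whose registrable root label begins with "com-", and note
when a subdomain label impersonates a known brand (e.g. dhl.com-new.xin).

Added example for triage/detection; not the article's or the researchers' code.
"""
import re
from typing import Iterable, List, NamedTuple, Tuple

# Brands the campaign impersonates per the article. Assumed list; extend as needed.
IMPERSONATED_BRANDS = {"dhl", "fedex", "ezdrive", "sunpass"}

# A registrable root such as "com-2h98.xin": the label starts with "com-",
# followed by a TLD. Assumes a single-label public suffix (true for .xin).
COM_DASH_ROOT_RE = re.compile(r"^com-[a-z0-9-]+\.[a-z]{2,}$")


class Verdict(NamedTuple):
    host: str
    suspicious: bool
    reasons: Tuple[str, ...]


def refang(indicator: str) -> str:
    """Turn a defanged indicator like "dhl.com-new[.]xin" into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_root(host: str) -> str:
    """Return the last two labels of a hostname (single-label public suffix assumed)."""
    return ".".join(host.split(".")[-2:])


def classify(indicator: str) -> Verdict:
    """Classify one hostname; reasons are empty for hosts that do not match the pattern."""
    host = refang(indicator)
    labels = host.split(".")
    reasons: List[str] = []
    if COM_DASH_ROOT_RE.match(registrable_root(host)):
        reasons.append("root label starts with 'com-'")
        # Labels left of the registrable root, e.g. "dhl" in dhl.com-new.xin
        brands = [label for label in labels[:-2] if label in IMPERSONATED_BRANDS]
        if brands:
            reasons.append("subdomain impersonates " + ",".join(brands))
    return Verdict(host, bool(reasons), tuple(reasons))


def scan(indicators: Iterable[str]) -> List[Verdict]:
    """Return only the suspicious verdicts, in input order."""
    return [v for v in (classify(i) for i in indicators) if v.suspicious]


# Constructed sample input: the article's defanged indicators plus two benign hosts.
SAMPLE_DOMAINS = [
    "com-2h98[.]xin",
    "com-courtfees[.]xin",
    "com-securebill[.]xin",
    "com-ticketd[.]xin",
    "dhl.com-new[.]xin",
    "ezdrive.com-2h98[.]xin",
    "fedex.com-fedexl[.]xin",
    "sunpass.com-ticketap[.]xin",
    "www.fedex.com",          # benign: real brand root, no "com-" label
    "tolls.example.org",      # benign: unrelated host
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_DOMAINS):
        print(f"{verdict.host}: {'; '.join(verdict.reasons)}")
```

The regex deliberately anchors on the registrable root rather than searching for "com-" anywhere in the string, so a legitimate host such as `www.fedex.com` is not flagged; a brand hit in the subdomain is reported as a second reason so analysts can prioritise the impersonation cases.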

Smishing Techniques

The smishing messages originate from email addresses or phone numbers and entice users to click malicious links or reply with sensitive information. Apple iMessage users are specifically targeted through a bypass mechanism:

  1. iMessage blocks links from unknown senders by default.
  2. The smishing texts ask users to reply with “Y,” which reopens the message thread and enables links.
  3. This interaction allows attackers to circumvent iMessage’s protections.

Over 70% of these domains use the same two name servers and resolve to IP addresses hosted by popular providers. Notably:

  • 93% of resolved IP addresses belong to AS13335 (Cloudflare).

This centralized infrastructure aids in the scalability of the campaign while complicating efforts to block malicious activities.

The campaign has been named com_smishing by researchers who are actively tracking and blocking these domains.

The threat actor’s tactics demonstrate a sophisticated understanding of user behavior and platform limitations, underscoring the importance of vigilance against phishing schemes.

This investigation highlights the growing sophistication of smishing campaigns and emphasizes the need for robust cybersecurity measures to protect users from such threats.


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.