Chinese hackers pose as UAE authorities in latest Smishing wave

Smishing Attacks

The Chinese-speaking threat actors behind it Smishing Triad They have been observed posing as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious text messages with the ultimate goal of collecting sensitive information from residents and foreigners in the country.

“These criminals send malicious links to their victims’ mobile devices via SMS or iMessage and use URL shortening services like to randomize the links they send,” Resecurity says. said in a report published this week. “This helps them protect the domain and hosting location of the fake website.”

Smishing Triad was first documented by the cybersecurity firm in September 2023, highlighting the group’s use of compromised Apple iCloud accounts to send smishing messages for identity theft and financial fraud.

The threat actor is also known to offer ready-made smishing kits to other cybercriminals for $200 per month, in addition to Magecart-like attacks on e-commerce platforms to inject malicious code and steal customer data.

“This fraud-as-a-service (FaaS) model allows ‘Smishing Triad’ to scale their operations by enabling other cybercriminals to use their tools and conduct independent attacks,” Resecurity says. noted.

The latest wave of attacks aims to target individuals who have recently updated their residency visas with malicious messages. The smishing campaign applies to both Android and iOS devices, with the operators likely using SMS spoofing or spam services to perpetrate the scheme.

Recipients who click on the message’s embedded link will be taken to a fake lookalike website (“rpjpapc[.]top”) posing as the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), asking them to enter their personal details such as names, passport numbers, mobile numbers, addresses and card details.

What makes the campaign notable is its use of a geofencing mechanism to load the phishing form only when visited from UAE IP addresses and mobile devices.

Smishing attacks

“The perpetrators of this act may have accessed a private channel where they obtained information about UAE residents and foreigners living in or visiting the country,” Resecurity said.

“This can be accomplished through third-party data breaches, corporate email compromises, databases purchased on the dark web, or other sources.”

Cybercriminals abuse the Predator Bot detection tool for phishing attacks

The revelation comes as Trellix revealed how threat actors are using this information Predatora tool designed to combat fraud and identify requests coming from automated systems, bots or web crawlers, as part of various phishing campaigns.

The starting point of the attack is a phishing email sent from a previously compromised account containing a malicious link that, when clicked, checks whether the incoming request comes from a bot or a crawler before responding redirected to the phishing page.

The cybersecurity firm said it has identified artifacts where the threat actors have repurposed the original tool by providing a list of hardcoded links, instead of dynamically generating random links when a visitor is detected to be a bot.

“Cybercriminals are always looking for new ways to evade detection by organizations’ security products,” said security researchers Vihar Shah and Rohan Shah said. “Open-source tools like these make their job easier, as they can easily use these tools to avoid detection and more easily achieve their malicious goals.”


#Chinese #hackers #pose #UAE #authorities #latest #Smishing #wave

Notify of
Inline Feedbacks
View all comments
Previous Post
Lazarus Group Exploits

Lazarus Group uses Log4j exploits to deploy remote access Trojans

Next Post

Playbook: Your First 100 Days as a vCISO

Related Posts