A security researcher investigating a series of scam text messages impersonating the United States Postal Service (USPS) has uncovered a large-scale “smishing” operation by hacking into the systems of the scammers behind the fake package delivery messages.
Wired reports that Grant Smith, a red team engineer and founder of offensive cybersecurity firm Phantom Security, began his investigation after receiving a suspicious text message earlier this year about a USPS package delivery. The message, like those received by thousands of others, directed recipients to a website where they were asked to enter their credit card details and other personal information. This scam is often referred to as “smishing.”
When Smith became aware of the scam, he began tracking the group behind the mass smishing attacks. Within weeks, he had penetrated the scammers’ systems, gathered evidence of their activities, and started collecting victim data to provide to USPS investigators and U.S. banks.
Smith’s findings revealed the staggering scale of the fraud. The 1,133 fraudulent domains used by the scammers contained 438,669 credit card details, with many victims entering details for multiple cards. More than 50,000 email addresses were recorded, including hundreds from universities and 20 from military and government domains. In total, more than 1.2 million details were collected; California had the most victims, with 141,000 details entered.
The group behind the smishing campaign, which cybersecurity firm Resecurity has dubbed the “Smishing Triad,” operates by selling customizable smishing kits on Telegram for $200 per month. The kits allow scammers to easily create fake websites impersonating various organizations, with the USPS being just one of many targets. Resecurity estimates that the Smishing Triad sends between 50,000 and 100,000 fraudulent messages every day, targeting online banking, e-commerce, and payment systems in multiple countries.
Smith’s research uncovered vulnerabilities in the scammers’ websites that allowed him to access files and databases containing victim information. By reverse engineering the smishing kit and automating the process of extracting data from the network of fraudulent websites, Smith was able to gather a large amount of evidence to provide to authorities.
The United States Postal Inspection Service (USPIS) confirmed that the information provided by Smith is being used as part of an ongoing investigation and that the service is actively working to protect the public, identify victims and punish perpetrators.
Read more at Wired.
Lucas Nolan is a reporter for Breitbart News covering free speech and online censorship.
