Smishing Triad Stretches Its Tentacles into the United Arab Emirates

Smishing Triad Stretches Its Tentacles into the United Arab Emirates

Pierluigi Paganini
September 26, 2023

Resecurity research found that the ‘Smishing Triad’ cybercrime group has expanded its phishing campaign into the United Arab Emirates (UAE).

Resecurity research recently found that ‘Smishing Triad,’ a group specializing in phishing scams conducted via SMS (smishing attacks), has expanded its attack campaign into the United Arab Emirates (UAE). First identified by Resecurity in August, the group was initially observed targeting victims in the U.S., UK, Poland, Sweden, Italy, Indonesia, Japan, and other countries.

This month, “Smishing Triad” has broadened its horizons and migrated its attack campaign to the UAE. Resecurity, a leader in cybersecurity and threat intelligence, has identified domain names that closely resemble those used by the group in their previous campaigns. Threat actors registered the majority of these UAE-focused domains with Pte. Ltd., a Singapore-based web registrar.

“Smishing Triad” fraudsters also listed various Chinese entities as registrant organizations, or the owners of the fraudulent domains. Similarities in domain signatures noted by Resecurity indicate a calculated and ongoing threat to the Emirates. The assessment that “Smishing Triad” is hyper-targeting victims in the Emirates is further supported by the group’s geo-fencing of smishing page access to UAE citizens only.

Resecurity specifically observed this geo-fencing of IP addresses in smishing lures cast out to impersonate the Emirates Post, the UAE’s official parcel delivery service.

Smishing Triad

“Smishing Triad” is also leveraging compromised Apple iCloud accounts and illegally obtained databases that contain the personally identifying information (PII) of UAE citizens to stage their attacks.

Specifically, the threat actor acquires UAE resident databases from the Dark Web and launches their smishing attacks from iCloud accounts they have previously compromised. Resecurity has already alerted and shared relevant information with the National Computer Emergency Response Team for the United Arab Emirates (AeCERT).

“Smishing Triad’s” expansion into the UAE coincides with a broader trend of rapidly increasing cyberattacks targeting the country. In May, Mohammed Hamad Al Kuwaiti, Head of Cyber Security for the Government of the UAE, told the Emirates News Agency (WAM) that the UAE Cyber Security Council cooperates with its partners in deterring over 50,000 cyberattacks per day. The UAE Cyber Security Council’s defensive efforts are primarily concentrated on strategic national sectors, namely financial, health, and energy.

Regarding cyber-enabled frauds targeting individuals, the UAE experienced a 77% surge in phishing attacks in the second quarter of 2023 compared to the previous quarter, according to recent research. Common phishing lures include undelivered parcels, Know Your Customer verification scams, free money, and unusual email login alerts.

Last week, Resecurity’s HUNTER (HUMINT) unit blocked the majority of malicious “Smishing Triad” domains that they identified in UAE-linked campaigns. But the battle against “Smishing Triad” threat actors continues.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Smishing Triad)