-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy path2025-03-06-IOCs-for-smishing-activity.txt
56 lines (46 loc) · 2.45 KB
/
2025-03-06-IOCs-for-smishing-activity.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
2025-03-06 (THURSDAY): OVER 10K DOMAINS REGISTERED FOR SMISHING IMPERSONATING TOLL AND PACKAGE DELIVERY SERVICES
AUTHOR:
- Reethika Ramesh
REFERENCES:
- https://www.linkedin.com/posts/unit42_smishing-activity-7303805645617512448-i2lB/
- https://x.com/Unit42_Intel/status/1898040009229267275
NOTES:
- A Threat actor leveraging the same domain pattern has registered over 10k domains for various SMS phishing (smishing) scams.
- The root domain names all begin with the string: com-
- Since the root domain begins with "com-" next to a subdomain, the full domain might trick potential victims doing a casual inspection.
- The domain names indicate pages impersonate toll services and package delivery services in at least 10 US states and one Canadian province.
-- US states: California, Florida, Illinois, Kansas, Massachusetts, Pennsylvania, New Jersey, New York, Texas, Virginia
-- Canada province: Ontario
- The smishing entices users to reveal personal and/or financial information, including credit or debit card and account information.
- These smishing text messages originate from email addresses or phone numbers.
- Apple iMessage does not allow links in messages received from unknown senders.
-- To bypass this, these smishing texts ask users to reply with "Y" and reopen the text.
-- Such interaction from the user allows iMessage to enable links in the smishing texts.
-- More info: https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/
- Over 70% of these domains use the same two name servers and resolve to IP addresses from popular hosting providers.
-— 93% of the resolved IP addresses belong to AS13335 (Cloudflare).
- We will continue to track and block this campaign, which we have named: com_smishing
10 RANDOM EXAMPLES OF ROOT DOMAINS RELATED TO THIS CAMPAIGN:
- com-2h98[.]xin
- com-citations-etc[.]xin
- com-courtfees[.]xin
- com-fastrakeu[.]xin
- com-penalty[.]xin
- com-securebill[.]xin
- com-securetta[.]xin
- com-ticketd[.]xin
- com-tickeuz[.]xin
- com-ucla[.]xin
12 EXAMPLES OF FULLY QUALIFIED DOMAIN NAMES (FQDNs) FROM THIS CAMPAIGN:
- dhl.com-new[.]xin
- driveks.com-jds[.]xin
- ezdrive.com-2h98[.]xin
- ezdrivema.com-citations-etc[.]xin
- ezdrivema.com-securetta[.]xin
- e-zpassiag.com-courtfees[.]xin
- e-zpassny.com-ticketd[.]xin
- fedex.com-fedexl[.]xin
- getipass.com-tickeuz[.]xin
- sunpass.com-ticketap[.]xin
- thetollroads.com-fastrakeu[.]xin
- usps.com-tracking-helpsomg[.]xin