Chinese-Speaking Smishing Triad Exploits UAE Identity Agency Impersonation for Malicious SMS Attacks

The Smishing Triad, a Chinese-speaking threat actor group, has recently been identified employing a new tactic: impersonating the United Arab Emirates Federal Authority for Identity and Citizenship. The group uses malicious SMS messages to target residents and foreigners in the UAE, aiming to extract sensitive information.

According to a report by Resecurity, the attackers send SMS or iMessage messages containing malicious links, often using URL-shortening services like Bit.ly to randomize the links and thereby conceal the fake website’s domain and hosting location.

Previously documented for using compromised Apple iCloud accounts in smishing attacks for identity theft and financial fraud, the Smishing Triad has expanded its operations. The group offers smishing kits for sale, priced at $200 per month, and engages in Magecart-style attacks on e-commerce platforms.

In the latest campaign, the threat actors are specifically targeting individuals who have recently updated their residence visas. The smishing messages are designed to work on both Android and iOS devices. Clicking on the embedded link takes recipients to a deceptive website (“rpjpapc[.]top”) impersonating the UAE Federal Authority for Identity, Citizenship, Customs, and Port Security (ICP). Victims are prompted to enter personal information, including names, passport numbers, mobile numbers, addresses, and card information.

A notable aspect of the campaign is the use of geofencing, loading the phishing form only when accessed from UAE-based IP addresses and mobile devices. This suggests that the attackers may have access to information about UAE residents and foreigners, possibly obtained through various means, including data breaches, business email compromises, or dark web purchases.
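The following added example (not from Resecurity's report or the original article) shows a static triage of SMS text for the two lure patterns described above: an agency-themed message whose link goes through a shortener, and one whose link points at a host outside the agency's own domain. `OFFICIAL_SUFFIXES` is a placeholder for the real agency domain, the lure terms are assumptions drawn from the article's wording, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the article): OFFICIAL_SUFFIXES is a placeholder for the
# agency's real domain; BRAND_RE lists lure terms based on the article's wording.
OFFICIAL_SUFFIXES = ("official.example",)
SHORTENERS = {"bit.ly"}  # shortener named in the article
BRAND_RE = re.compile(r"\b(icp|identity and citizenship|residence visa)\b", re.I)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def refang(text):
    """Undo common defanging so analyst-pasted samples parse like live ones."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def hosts_in(sms):
    """Extract lower-cased hostnames from links with or without a scheme."""
    hosts = []
    for m in URL_RE.finditer(refang(sms)):
        url = m.group(0) if "://" in m.group(0) else "http://" + m.group(0)
        host = (urlsplit(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts

def is_official(host):
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def triage(sms):
    """Return (verdict, defanged hosts). Text checks only; nothing is fetched."""
    hosts = hosts_in(sms)
    shown = [h.replace(".", "[.]") for h in hosts]  # defang for safe reporting
    if not hosts:
        return "no-link", shown
    unofficial = [h for h in hosts if not is_official(h)]
    if not unofficial:
        return "official-link", shown
    # A shortener hides the landing domain, so text alone cannot clear the link.
    hidden = any(h in SHORTENERS for h in unofficial)
    if BRAND_RE.search(sms):
        return ("brand-lure-hidden-destination" if hidden
                else "brand-lure-unofficial-host"), shown
    return ("hidden-destination" if hidden else "unofficial-link"), shown

# Constructed sample messages (not real campaign text).
SAMPLES = [
    "ICP: your residence visa update is incomplete. Confirm at https://bit.ly/EXAMPLE1",
    "ICP notice: verify your details at rpjpapc[.]top/verify",
    "ICP: track your application at https://portal.official.example/status",
    "Your parcel is waiting: hxxps://bit[.]ly/EXAMPLE2",
    "Lunch at 1?",
]
```

A `hidden-destination` verdict means the link still needs expansion in an isolated analysis environment. Because the phishing form is reported to load only for UAE-based IP addresses and mobile devices, a benign page seen from any other vantage point does not clear the link.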

The timing of the Smishing Triad’s latest campaign coincides with the launch of the OLVX Marketplace, a new underground market operating on the clear web, selling tools for online fraud, such as phish kits, web shells, and compromised credentials.

Additionally, cybersecurity firm Trellix has reported that threat actors are now exploiting the open-source Predator tool, designed to combat fraud, for phishing attacks. The tool is repurposed to check if incoming requests are from bots or crawlers before redirecting to a phishing page, making it more challenging for security products to detect and prevent these attacks.