iPhone Users Beware! Fake Postal Messages Stealing Your Login Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Cybercriminals have launched a smishing campaign targeting iPhone users in India, impersonating India Post. Malicious iMessages falsely claim a package awaits at an India Post warehouse, enticing victims to click on fraudulent links. 

It leverages the widespread trust in India Post and the popularity of iPhones to deceive users into compromising their devices and potentially revealing sensitive information. 

A security incident affecting iPhone users in India has the potential to result in financial loss.

Compromised user information poses a significant risk of unauthorized access to sensitive data, enabling malicious actors to perpetrate further attacks, potentially leading to additional financial damages and reputational harm. 

Figure: Smishing lures sent to users in India (screenshots collected from social media posts).

A China-based threat actor, the Smishing Triad, is conducting a phishing campaign targeting multiple regions, including India, after previously targeting the US, UK, EU, UAE, KSA, and Pakistan.


The group abuses Apple ID by creating accounts with third-party email addresses, which lets it send iMessage-based phishing messages containing shortened URLs that redirect users to fraudulent websites. 

An investigation uncovered the widespread use of newly registered domains in these phishing attacks. It examines the tools and methods the threat actors use to propagate the campaigns, quantifies the scale of the problem, outlines attacker tactics, and provides actionable insights into the evolving phishing landscape. 

Figure: Domain registration frequency, June to mid-July (dates with 4+ registrations).

Over 470 domain names resembling India Post’s official domain were registered between January and July 2024, indicative of a large-scale homograph phishing attack, while 296 were registered through a Chinese registrar, raising significant security concerns. 

A surge in domain registrations occurred in June and July 2024, with peak days witnessing up to 42 new registrations, emphasizing this campaign’s dynamic and potentially malicious nature. 

A large-scale homograph phishing attack targeting India Post is underway, as evidenced by over 470 domain registrations mimicking the official domain since January 2024. 

The 296 domains registered through a Chinese registrar add to the concern.

Attack activity surged in June and July 2024, with daily registration peaks of 42, indicating a dynamic and potentially malicious campaign targeting India Post users. 

Figure: Investment made in the domain purchases.

Analysis by FortiGuard Labs indicates a substantial concentration of domains hosted by Tencent, primarily in Hong Kong. The data reveals that 232 domains are Tencent-hosted, with 16 specifically registered in Santa Clara. 

Figure: User information collection form.

The phishing domain ‘indiapost[.]top’ hosts a cloned India Post website on specific paths to evade detection.

Despite recent registration, the domain is used to deceive users into providing personal and financial information. 
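The lookalike-domain pattern described above (hundreds of registrations resembling India Post's domain, and the indiapost[.]top clone) is something a defender can screen for automatically. The script below is an added example, not code from the article or from FortiGuard Labs: it refangs indicators, decodes punycode so IDN homographs become visible, folds digit and Cyrillic confusables to Latin, and scores each domain label against the brand name. The official domain (indiapost.gov.in), the brand tokens, the confusable table and the 0.8 threshold are assumptions of this example; every sample domain other than indiapost[.]top is constructed.

```python
"""Flag domains that resemble India Post's official domain (added example).

Assumptions (not taken from the article): the official domain, the brand
tokens, the confusable table and the scoring threshold below.
"""
import unicodedata
from difflib import SequenceMatcher

OFFICIAL_DOMAIN = "indiapost.gov.in"   # assumption: the article does not print it
BRAND = "indiapost"
BRAND_TOKENS = ("india", "post")       # assumption: tokens a squatter would reuse
THRESHOLD = 0.8                        # assumption: tune against your own false-positive rate

# Hand-picked subset of characters that commonly stand in for Latin letters in
# homograph and typosquat domains: look-alike digits and identical-looking Cyrillic.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0455": "s",
})


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as 'hxxps://indiapost[.]top/track' into a bare hostname."""
    s = indicator.strip().lower()
    for scheme in ("hxxps://", "hxxp://", "https://", "http://"):
        if s.startswith(scheme):
            s = s[len(scheme):]
    s = s.split("/", 1)[0]                      # drop any path
    for fang in ("[.]", "(.)", "{.}", " dot "):
        s = s.replace(fang, ".")
    return s.strip(".")


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so Unicode lookalike characters become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host   # already Unicode, or not valid punycode: compare as-is


def fold(label: str) -> str:
    """NFKC-normalise, map confusables to Latin, and drop hyphens and other separators."""
    label = unicodedata.normalize("NFKC", label).translate(CONFUSABLES)
    return "".join(ch for ch in label if ch.isalnum())


def score_domain(indicator: str) -> dict:
    """Score one indicator: 1.0 = the brand label itself, lower = weaker resemblance."""
    host = to_unicode(refang(indicator))
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return {"domain": host, "score": 0.0, "lookalike": False, "reason": "official domain"}

    reasons = []
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII characters (possible IDN homograph)")

    labels = [l for l in host.split(".") if l and l != "www"]
    # Check every label left of the TLD, plus all of them joined (catches 'india.post.top').
    candidates = labels[:-1] + ["".join(labels[:-1])]
    best, best_why = 0.0, "no label resembles the brand"
    for cand in candidates:
        folded = fold(cand)
        if not folded:
            continue
        if folded == BRAND:
            s, why = 1.0, f"label '{cand}' is the brand name"
        elif BRAND in folded:
            s, why = 0.95, f"label '{cand}' embeds the brand name"
        elif all(tok in folded for tok in BRAND_TOKENS):
            s, why = 0.9, f"label '{cand}' contains every brand token"
        else:
            s = SequenceMatcher(None, folded, BRAND).ratio()
            why = f"label '{cand}' is {s:.0%} similar to '{BRAND}'"
        if s > best:
            best, best_why = s, why
    reasons.append(best_why)
    return {"domain": host, "score": round(best, 2),
            "lookalike": best >= THRESHOLD, "reason": "; ".join(reasons)}


def triage(indicators) -> list:
    """Return only the flagged domains, highest score first."""
    hits = [score_domain(i) for i in indicators]
    return sorted((h for h in hits if h["lookalike"]), key=lambda h: -h["score"])


# Constructed sample feed; only indiapost[.]top comes from the article.
SAMPLE_FEED = [
    "indiapost[.]top", "hxxps://indiapost[.]top/track", "india-post.co.in",
    "indiap0st.top", "indiapots.top", "postindia.top", "indiap\u043est.top",
    "tracking.indiapost.gov.in", "indiapost.gov.in", "example.com",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f"{hit['score']:.2f}  {hit['domain']:<28} {hit['reason']}")
```

Feed newly registered domains from a certificate-transparency or zone-file source into triage(), and treat a score of 1.0 with a non-ASCII reason as the strongest signal, since a brand label that only matches after confusable folding is rarely legitimate.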

The phishing attack leverages a delivery failure notification to entice victims, collect sensitive data, and ultimately request a fraudulent payment. It poses significant risks of identity theft, financial loss, and potential further malicious activities. 

Figure: Payment information collection.

The attacker leverages either a newly created or compromised Apple ID to send the message, disguising it as a legitimate iMessage communication. 

It exploits the trust associated with iMessage and bypasses traditional email security measures, increasing the likelihood of successful attacks on iMessage-enabled devices.
