The FBI warns a threat moving across America “from state to state” targets citizens via malicious SMS (smishing) texts, telling iPhone and Android users to “delete any smishing texts received.” Now cybercriminals have registered “over 10,000 domains” to fuel a new wave of attacks. These new texts are easy to detect — delete them right away.
The new report comes via Palo Alto Networks’ Unit 42. The new campaign, it says, “entices users to reveal personal and/or financial information, including credit or debit card and account information.” The original threat focuses on toll scams, with state-specific payment links; the new set of domains adds delivery services into the mix.
The toll scam has been generating headlines in recent months, with rarely a week passing by without a new report from state or local media somewhere in America. The FTC warns that “not only is the scammer trying to steal your money, but if you click the link, they could get your personal info and even steal your identity.”
All the smishing texts follow a similar pattern. You have an unpaid bill and need to pay it urgently to avoid higher costs or worse. There is a link to the payment site — which is where the new domains come into play. Given iMessage blocks such links, the texts include instructions to either reply or copy the link into Safari to make payment.
The toll scam is franchised out to local operators, but it all seems to leverage a toolkit built by Chinese cybercrime groups. Little surprise maybe that the example root domains and fully qualified domain names shared by Unit 42 all use the Chinese .XIN TLD. You can easily see how these domain names are crafted to entice a click:
- dhl.com-new[.]xin
- driveks.com-jds[.]xin
- ezdrive.com-2h98[.]xin
- ezdrivema.com-citations-etc[.]xin
- ezdrivema.com-securetta[.]xin
- e-zpassiag.com-courtfees[.]xin
- e-zpassny.com-ticketd[.]xin
- fedex.com-fedexl[.]xin
- getipass.com-tickeuz[.]xin
- sunpass.com-ticketap[.]xin
- thetollroads.com-fastrakeu[.]xin
- usps.com-tracking-helpsomg[.]xin
This list is not exhaustive, but it will help you flag threats. It also goes without saying that any U.S. toll payment platform or major delivery service is not going to redirect you to a Chinese domain from a link within a text, even where there’s a “.COM” earlier in the string. But even if the link does not have a telltale Chinese TLD, you should not click through from a text. As the bureau says, “check your account using the toll service’s legitimate website [or] contact the toll service’s customer service phone number.”
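The trick behind these names is that “ezdrivema.com” is not the domain you would land on at all: the real registrable domain is the last two labels, “com-securetta.xin”, and the brand name is just a subdomain label glued in front of it. The following script, an added example and not part of the Unit 42 report or this article, parses the defanged list above, works out the actual registrable domain and flags the two tells the text describes: a “.com-” glued into a hyphenated label, and the .xin TLD. It assumes a two-label registrable domain (no public-suffix list), which holds for the .com and .xin names handled here; the benign control entry ezdrivema.com is constructed for contrast.

```python
import re

# Domains listed in the article, kept in defanged "[.]" form so the strings
# are not accidentally clickable when pasted into a ticket or chat.
SMISHING_DOMAINS = [
    "dhl.com-new[.]xin",
    "driveks.com-jds[.]xin",
    "ezdrive.com-2h98[.]xin",
    "ezdrivema.com-citations-etc[.]xin",
    "ezdrivema.com-securetta[.]xin",
    "e-zpassiag.com-courtfees[.]xin",
    "e-zpassny.com-ticketd[.]xin",
    "fedex.com-fedexl[.]xin",
    "getipass.com-tickeuz[.]xin",
    "sunpass.com-ticketap[.]xin",
    "thetollroads.com-fastrakeu[.]xin",
    "usps.com-tracking-helpsomg[.]xin",
]

# Constructed control entry: the genuine-looking brand domain, not flagged.
CONTROL_DOMAINS = ["ezdrivema.com"]

# TLD called out by the article; extend as your own telemetry dictates.
SUSPICIOUS_TLDS = {"xin"}

# A brand label followed by ".com-", e.g. "ezdrivema.com-securetta.xin".
# The hyphen turns "com-securetta" into one label, so the ".com" is cosmetic.
GLUED_COM = re.compile(r"(?:^|\.)([a-z0-9-]+)\.com-")


def refang(domain: str) -> str:
    """Turn the IoC-style 'a[.]b' notation back into a plain hostname."""
    return domain.replace("[.]", ".").strip().lower()


def registrable_domain(host: str) -> str:
    """Last two labels. Assumption: no multi-label public suffixes involved."""
    return ".".join(host.split(".")[-2:])


def analyze(defanged: str) -> dict:
    """Return the real registrable domain and the reasons (if any) to flag it."""
    host = refang(defanged)
    tld = host.rsplit(".", 1)[-1]
    reg = registrable_domain(host)
    reasons = []
    brand = None

    m = GLUED_COM.search(host)
    if m:
        brand = m.group(1)
        reasons.append(
            f"'.com-' glued into a label: lands on {reg}, not {brand}.com"
        )
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious TLD .{tld}")

    return {
        "host": host,
        "registrable": reg,
        "brand": brand,
        "flagged": bool(reasons),
        "reasons": reasons,
    }


def flag_lookalikes(defanged_list) -> list:
    """Hosts from the input that trip at least one heuristic."""
    return [r["host"] for r in map(analyze, defanged_list) if r["flagged"]]


if __name__ == "__main__":
    for entry in SMISHING_DOMAINS + CONTROL_DOMAINS:
        r = analyze(entry)
        verdict = "FLAG" if r["flagged"] else "ok  "
        print(f"{verdict} {r['host']:40} -> {r['registrable']}  {'; '.join(r['reasons'])}")
```

Run it over a list exported from your SMS-filter or mail gateway logs and the “registrable” column shows why the article’s advice holds: none of these hosts belongs to the brand named in the first label, whatever the string looks like at a glance on a phone screen.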
Zimperium has just warned that cybercriminals are moving to a “mobile-first attack strategy,” because you are more vulnerable on small screen devices. It’s easy to see why that’s the case, and why you’re more likely to click on a text than an email — don’t.