A security researcher’s mission to investigate a wave of fraudulent text messages impersonating the United States Postal Service (USPS) has uncovered a massive “smishing” operation. The researcher hacked into the fraudsters’ systems after they tried to trick him with a bogus package delivery message.
Wired reports that Grant Smith, a red team engineer and founder of offensive cybersecurity firm Phantom Security, began his investigation after receiving a suspicious USPS package delivery text message earlier this year. The message, similar to those received by thousands of others, directed recipients to a website where they were prompted to enter their credit card information and other personal details. This scam is often referred to as “Smishing.”
Recognizing the scam, Smith set out to track down the group responsible for the mass-smishing campaign. Within a few weeks, he had hacked into the scammers’ systems, collected evidence of their activities, and begun the process of gathering victim data to provide to USPS investigators and a US bank.
Smith’s findings revealed the staggering scale of the scam. Across 1,133 fraudulent domains used by the scammers, 438,669 unique credit cards were entered, with many victims entering multiple cards. Over 50,000 email addresses were logged, including hundreds from universities and 20 from military or government domains. In total, more than 1.2 million pieces of information were collected, with California being the state with the most victims at 141,000 entries.
The group behind the smishing campaign, identified as the “Smishing Triad” by cybersecurity company Resecurity, operates by selling a customizable smishing kit on Telegram for a monthly subscription of $200. The kit allows scammers to easily create fake websites impersonating various organizations, with USPS being just one of many targets. Resecurity estimates that the Smishing Triad sends between 50,000 and 100,000 scam messages daily, targeting online banking, ecommerce, and payment systems in multiple countries.
Smith’s investigation revealed vulnerabilities in the scammers’ websites, allowing him to access files and databases containing victim information. By reverse-engineering the smishing kit and automating the process of pulling data from the network of fraudulent websites, Smith was able to gather a significant amount of evidence to provide to authorities.
The United States Postal Inspection Service (USPIS) confirmed that the information provided by Smith is being used as part of an ongoing investigation, with the agency actively working to protect the public, identify victims, and bring the perpetrators to justice.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.