Catch Of The Week: Package Delivery Text Scams – Los Alamos Daily Post

Image of a scam text message from Resecurity. Courtesy/Rebecca Rutherford
By REBECCA RUTHERFORD
Los Alamos
Got an iPhone? Got a text about a package tracking number? Don’t be so quick to click … it just might be a scam. “Smishing” scams, meaning scams sent by text message (SMS), about package delivery have been growing in popularity.
“The Chinese-speaking threat actors behind this campaign are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud,” said Resecurity, a cyber security research firm, in a report published Aug. 30, 2023.
The cyber crime group behind this has been dubbed the “Smishing Triad” and appears to be in the business of “Fraud as a Service” (FaaS), offering other actors their phishing kits as a monthly subscription service at about $200 a month, with higher prices for those wanting technical support included in their plan. The scams impersonate legitimate shipping services in order to steal users’ PII or financial information, or get them to download malware. As part of their last campaign, Smishing Triad registered several new .top domain names with deceptive “usps” and “usus” prefixes, such as “uspshhg[.]top,” and many others that look deceptively similar to legitimate domains.
These phishing kits help the bad actors to impersonate shipping companies like FedEx, USPS, UPS, etc. in the U.S., the U.K., Poland, Sweden, Italy, Indonesia, Malaysia, Japan, and other countries. They are known to have organized several successful smishing campaigns, and sell country- and language-specific phishing kits.
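A defender-side check for the domain pattern described above, as an added example that is not from Resecurity’s report or this column: it scans message text for links, plain or defanged, whose hostname carries a “usps” or “usus” prefix but does not sit under usps.com. The sample messages and the example-parcel.top host are constructed; only uspshhg[.]top comes from the article.

```python
import re
from urllib.parse import urlsplit

# Deceptive prefixes named in the article, and the domain USPS really uses.
PREFIXES = ("usps", "usus")
LEGIT_DOMAINS = {"usps.com"}
# Matches plain or defanged ("[.]") hosts, with optional scheme and path.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}(?:/\S*)?", re.I)

def registrable(host):
    # Simplification (assumption): last two labels. Production code should
    # consult the Public Suffix List to handle suffixes such as co.uk.
    return ".".join(host.split(".")[-2:])

def flag_links(text):
    """Return [(host, [reasons])] for links that borrow a USPS-like prefix."""
    findings = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).replace("[.]", ".")
        host = urlsplit(raw if "://" in raw else "//" + raw).hostname or ""
        if registrable(host) in LEGIT_DOMAINS:
            continue  # genuinely under usps.com
        if not any(lbl.startswith(PREFIXES) for lbl in host.split(".")):
            continue  # no USPS-like label anywhere in the hostname
        reasons = ["USPS-like prefix on a non-USPS domain"]
        if host.endswith(".top"):
            reasons.append(".top TLD, as registered in this campaign")
        findings.append((host, reasons))
    return findings

# Constructed sample messages; only uspshhg[.]top comes from the article.
SAMPLES = [
    "USPS: package on hold, confirm address at https://uspshhg[.]top/track",
    "Your parcel is waiting: usps.com.example-parcel.top/redeliver",
    "Track your order at https://tools.usps.com/go/TrackConfirmAction",
    "Dinner at 7? Menu is on example.org/menu",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(flag_links(sms) or "clean", "<-", sms)
```

The second sample shows why the check compares the registrable domain rather than searching for “usps.com” anywhere in the link: the real brand name can appear as a subdomain of an unrelated .top domain.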
Through investigation, Resecurity was able to determine the threat actors behind this were mostly Chinese speakers, as well as some Vietnamese. The roster also included graphic designers, who were responsible for creating high-quality fake web pages, web developers, and also salespeople who sold the kits mainly via Chinese-speaking dark web cybercriminal sites. One has to wonder if perhaps they also had an HR department, but probably not. Resecurity’s team was also able to observe conversations in online dark web forums between bad actors discussing how successful the phishing kits were.  
The USPS has released an educational video on YouTube with advice for victims on these “smishing” package scams.  
How can you deal with text message scams?
Resecurity offered some tips on how to report package-themed text scams:
To report USPS related smishing, send an email to [email protected].
Complaints of non-USPS related smishing can also be sent to any of the following law enforcement partners of the U.S. Postal Inspection Service:
The dark depths of the web remain untamed, home to lawless cowpokes looking to lasso up your PII, so stay aware, and ignore those texts! Don’t click that link, and don’t fall for their phishy text messages.

Copyright © 2012-2023 The Los Alamos Daily Post is the Official Newspaper of Record in Los Alamos County. This Site and all information contained here including, but not limited to news stories, photographs, videos, charts, graphs and graphics is the property of the Los Alamos Daily Post, unless otherwise noted. Permission to reprint in whole or in part is hereby granted, provided that the Los Alamos Daily Post and the author/photographer are properly cited. Opinions expressed by readers, columnists and other contributors do not necessarily reflect the views of the Los Alamos Daily Post. The Los Alamos Daily Post newspaper was founded by Carol A. Clark on Feb. 7, 2012.
