Impacted Users: iPhone users in India
Impact: Possible financial loss; stolen information can be used for future attacks
Severity Level: Medium

The FortiGuard Labs Threat Research team recently observed a number of social media posts commenting on a fraud campaign targeting India Post users. India Post is India’s government-operated postal system. It is part of the Ministry of Communications and has a vast network of over 150,000 post offices across the country, making it one of the largest postal systems in the world.

In this campaign, iPhone users are being targeted by smishing attacks claiming to be from India Post. This scam involves sending an iMessage to iPhone users that falsely claims that a package is waiting at an India Post warehouse.

Public reporting suggests this campaign is being attributed to a China-based threat actor known as the Smishing Triad. This group has previously targeted other regions, including the US, UK, EU, UAE, KSA, and, most recently, Pakistan.

We have observed third-party email addresses such as Hotmail, Gmail, or Yahoo being used in phishing emails on iMessage. Apple allows users to create an Apple ID using these third-party email addresses as the primary email associated with their Apple ID. Once the Apple ID is created and configured for iMessage, the sender can use that third-party email address to send messages through iMessage. The messages often contain a short URL, leading to a fraudulent website.

Figure 1. Smishing lures sent to users in India. Screenshots collected from social media posts.

Upon investigation, we discovered a significant number of newly registered domains being used for current and potential phishing scams. This blog highlights the tools and methods used to propagate such phishing campaigns and explores the scale of these operations, the tactics employed by threat actors, and other relevant insights.

Domain Names Impersonating India Post

Between January and July 2024, we found over 470 domain registrations mimicking India Post's official domain. Among these, 296 domains were registered via the Chinese registrar Beijing Lanhai Jiye Technology Co., Ltd., followed by 152 registrations through Namesilo, an American domain registrar. The notable concentration of registrations through a Chinese registrar certainly raises substantial concerns about the underlying intentions. This activity exemplifies a homograph phishing attack, where domain names are created to look visually similar to legitimate ones.

Figure 2. Domain Registration Frequency: June to mid-July (Dates with 4+ Registrations).

• There was a clear spike in registrations during June and July 2024. Notable dates include:
  • 26 June 2024: 42 domains
  • 09 June 2024: 33 domains
  • 13 June 2024: 32 domains
  • 06 July 2024: 36 domains
  • 04 July 2024: 26 domains
  • 08 July 2024: 25 domains

The most frequently used top-level domains (TLDs) include 'vip' (200 registrations), 'top' (81 registrations), and 'buzz' (40 registrations). 

Figure 3. Frequency of TLDs used to register these fraudulent domain names.

The registration cost per domain varies: 'vip' TLDs typically range from USD 4 to USD 5 per domain, whereas 'top' TLDs cost between USD 1 and USD 2 per domain.

To calculate the total investment:

Figure 4. Investments made on the domain purchase.

IP Address Analysis

Our analysis revealed that Tencent, a Chinese hosting service provider, hosts a significant number of these domains (232). Additionally, Tencent hosts 16 domains registered in Santa Clara.

Figure 5. Host distribution by country/region.

Figure 6. Host distribution by hosting provider.

Further analysis revealed that 262 domain names point to the IP address 119.28.68[.]187, also hosted on Tencent's servers.

Fraudulent Website Analysis

When investigating the phishing domain 'indiapost[.]top,' which impersonates India Post through a cloned copy of the original website, it was discovered that the domain does not host any content. Instead, specific paths on the domain are utilized to host the phishing website that impersonates India Post.

Figure 7. The cloned India Post website does not host any content.

While the domain name was registered on 28th November 2023, it is now actively being used in their operations. It is now likely to evade detection by antivirus engines as domains typically gain reputation over time.

The phishing site (on the left) is an identical copy of the original India Post website (on the right).

Figure 8. The phishing site (left) is compared to the original site.

Figure 9. Phishing message

Figure 10. User information collection form.

Figure 11. Payment information collection.

Modus-Operandi

The threat actors begin by sending a message via iMessage directly to the recipients' registered Apple ID email addresses. The sender ID could be a newly registered Apple ID or a compromised account. This method ensures that the message appears within the recipient's Messages app as an iMessage, distinct from traditional email communications, provided both parties use iMessage-enabled devices and have their Apple IDs configured for iMessage.

Recommendations to Mitigate Phishing Scams

1. Be Sceptical of Unexpected Emails: Do not open emails from unknown senders. Be cautious with unexpected emails, especially those requesting personal information or urging immediate action.
2. Verify URLs: Before clicking on links in emails or messages, hover over them to see the actual URL. Ensure the link points to a legitimate website by checking for common signs of phishing, such as misspelled domain names or unusual URLs.
3. Check for HTTPS: Ensure that websites where you enter personal information use HTTPS (look for the padlock icon in the browser's address bar). However, HTTPS alone does not guarantee a site's safety.
4. Do Not Share Personal Information: Avoid sharing sensitive information like passwords, social security or other identification numbers, and credit card or banking details via email or messaging apps.
5. Use Strong, Unique Passwords: Create strong, unique passwords for different accounts. Consider using a password manager to generate and store complex passwords securely.
6. Enable Multi-Factor Authentication (MFA): Enable MFA on your accounts whenever possible to add an extra layer of security.
7. Be Cautious with Attachments: Do not open attachments from unknown or suspicious sources, as they may contain malware.
8. Update Software Regularly: Keep your operating system, browser, and software up to date with the latest security patches.
9. Educate Yourself: Stay informed about common phishing tactics and scams. Familiarize yourself with the latest phishing techniques and how to recognize them.
10. Report Phishing Attempts: Report any phishing emails or messages to the relevant authorities or service providers. This can help prevent others from falling victim to the same scam.

Conclusion

The investment in registering these domain names alone exceeds USD 1500, not to mention additional costs for hosting and development. This significant investment highlights the threat actors' commitment, the phishing operation's scale, and its potential long-term impact. As a result, we feel that the likelihood of numerous victims falling prey to these scams is increased, leading to substantial financial losses, data breaches, and other security issues for individuals and organizations targeted by these domains.

This operation may also serve as a strategic initiative to raise funds to fuel operations in China. Because of this, awareness and proactive measures are crucial to mitigating the risks posed by these phishing activities.

Fortinet Protections

The suspicious domains used in the campaign described in this report are detected and blocked by FortiGuard URL Filtering Service, utilized by FortiGate, FortiClient, and FortiMail, as:

WebFilter:Phishing

WebFilter:Spam URLs

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

In addition to these protections, we suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Sender Email Address

italenbabusik@hotmail[.]com
jessica467@qlq-online[.]de
marrotte436915@gmail[.]com
orozcoharryavw@hotmail[.]com
chermonahscales2980545@gmail[.]com

Domain Names