Keepnet Labs Logo
Keepnet Labs > blog > unmasking-the-smishing-triad-a-deep-dive-into-the-china-based-cyber-fraud-network

Unmasking the Smishing Triad: A Deep Dive into the China-Based Cyber Fraud Network

A China-based cyber-criminal group known as the Smishing Triad has emerged as a significant threat, orchestrating a large-scale smishing campaign with a global reach.

Unmasking the Smishing Triad: A Deep Dive into the China-Based Cyber Fraud Network


A China-based cyber-criminal group known as the Smishing Triad has emerged as a significant threat, orchestrating a large-scale smishing campaign with a global reach. The group’s activities have sent ripples across the international community, highlighting the ever-evolving nature of cyber threats and the imperative need for heightened vigilance and robust security measures.

The Smishing Triad has meticulously conducted its operations, primarily targeting US citizens and impersonating many international postal and delivery services. By doing so, they have been able to exploit consumers' trust in these reputable organizations, thereby facilitating their malicious activities and expanding their sphere of influence.

The group’s modus operandi involves smishing, a phishing that leverages SMS messages to deceive individuals into divulging sensitive personal information and payment credentials. This technique has proven particularly effective, exploiting users’ trust in a secure and reliable communication channel.

What sets the Smishing Triad apart from other cyber-criminal entities is their innovative and exclusive use of iMessage for disseminating scams. By compromising Apple iCloud accounts, they have bypassed traditional security barriers, reaching a wider audience and increasing the likelihood of successful attacks.

The Smishing Triad’s campaign has not been limited to US citizens alone; they have skillfully impersonated various renowned postal and delivery services, including Royal Mail, New Zealand Postal Service, Correos, PostNord, Poste Italiane, USPS, Poczta Polska, J&T Express, and New Zealand Post. This extensive list of targets underscores the group’s ambition and the global nature of its operations.

The revelation of the Smishing Triad’s activities has underscored the pressing need for consumer awareness and organizational safeguards. As cyber threats evolve and adapt, individuals and organizations must stay informed about the latest cybersecurity developments and implement best practices to protect against potential threats.

The emergence of the Smishing Triad and their sophisticated smishing campaign targeting US citizens and international postal and delivery services is a stark reminder of cyber threats' persistent and ever-evolving nature. It is a call to action for enhanced cybersecurity measures, increased consumer awareness, and collaborative efforts to safeguard the digital landscape against malicious actors seeking to exploit vulnerabilities for their gain.

Origin and Modus Operandi

Diving deeper into the origins and workings of the Smishing Triad, it becomes evident that this group has meticulously crafted a unique and effective approach to cybercrime. Originating from China, the group has carved a niche in cyber threats, leveraging innovative techniques and exploiting vulnerabilities to further its malicious agenda.

The Smishing Triad group’s primary attack vector is smishing, a deceptive practice that involves sending fraudulent SMS messages to trick individuals into revealing sensitive information. This method is insidious as it capitalizes on the trust people inherently place in text messages, making them more susceptible to falling prey to scams.

Smishing allows the group to cast a wide net, reaching many potential victims and increasing the chances of successful attacks. The messages often contain urgent calls to action, prompting recipients to click on malicious links or provide personal details, ultimately leading to identity theft and financial loss.

What distinguishes the Smishing Triad from other cyber-criminal entities is their exclusive utilization of iMessage as a medium for disseminating scams. This platform, associated with Apple devices, is generally perceived as secure, adding more credibility to the group’s deceptive messages.

The group’s ingenuity doesn’t stop there; they have managed to compromise Apple iCloud accounts, enabling them to send iMessages that appear legitimate and bypassing the usual security protocols. This compromise of iCloud accounts amplifies the reach of their smishing campaigns and poses a significant challenge for cybersecurity experts aiming to curb their activities.

The Smishing Triad’s adeptness at exploiting technological vulnerabilities and its innovative approach to smishing demonstrate high sophistication and adaptability. Their ability to infiltrate secure communication channels like iMessage and compromise iCloud accounts highlights the evolving nature of cyber threats and the necessity for continuous advancements in cybersecurity measures.

With its roots in China, the Smishing Triad has emerged as a formidable player in the cybercrime landscape. Their specialized use of smishing, coupled with their exploitation of iMessage and iCloud accounts, underscores the multifaceted nature of their operations and the pressing need for heightened awareness and robust security solutions to counteract such threats.

Impersonation and Targets

In their pursuit of illicit gains, the Smishing Triad has demonstrated a remarkable ability to impersonate a wide array of postal and delivery services across the globe. This impersonation tactic is a cornerstone of their strategy, enabling them to gain the trust of unsuspecting individuals and thereby facilitate their fraudulent activities.

The list of impersonated services is extensive, showcasing the group’s ambition and the international scope of its operations. Some of the notable services impersonated include Royal Mail (UK), New Zealand Postal Service, Correos (Spain), PostNord (Sweden), Poste Italiane, USPS, Poczta Polska (Poland), J&T Express (Indonesia), and New Zealand Post. By masquerading as these reputable entities, the Smishing Triad has instilled a false sense of security among recipients, making the scams more convincing.

Beyond targeting postal and delivery services, the group has also set its sights on online shopping platforms. This move is strategic in a world where e-commerce is thriving, allowing them to tap into a rich vein of potential victims. The Smishing Triad employs sophisticated techniques to infiltrate these platforms, seeking to compromise the integrity of online transactions and harvest valuable customer data.

One of the methods employed involves the injection of malicious code into the websites of online shopping platforms. This tactic allows them to intercept customer data during transactions, gaining unauthorized access to sensitive information such as login credentials, credit card details, and personal identification information. The intercepted data is a goldmine for the group, enabling them to conduct identity theft and financial fraud on a grand scale.

The Smishing Triad’s focus on impersonation and its targeting of diverse services and platforms underscores the adaptability and resourcefulness of the group. Their ability to inject malicious code and compromise online shopping platforms highlights the evolving challenges consumers and organizations face in safeguarding data and maintaining digital security.

The multifaceted impersonation tactics and targeting strategies employed by the Smishing Triad reveal the depth of their operations and the potential risks posed to individuals and businesses worldwide. The need for vigilance, enhanced security measures, and consumer awareness has never been more critical in the face of such sophisticated and evolving cyber threats.

Fraud-as-a-Service Network

Delving further into the intricate web woven by the Smishing Triad, we uncover a sophisticated Fraud-as-a-Service Network that is the backbone of their expansive operations. This network is a testament to the group’s entrepreneurial spirit in cybercrime and a glaring indication of the multifaceted nature of modern digital threats.

A pivotal aspect of the Smishing Triad’s fraud network is the sale of smishing kits within Telegram IM groups. These kits are toolsets that enable aspiring cyber-criminals to launch their smishing campaigns, complete with the necessary scripts and activation codes. The availability of such kits on a platform like Telegram, known for its encrypted messaging services, exemplifies the group’s strategic use of technology to propagate their illicit activities while remaining in the shadows.

The Smishing Triad doesn’t operate in isolation; it actively collaborates with other cyber-criminals, creating a synergistic ecosystem of digital malfeasance. This collaboration allows for the exchange of knowledge, resources, and tactics, thereby enhancing the capabilities of each participating entity and contributing to the overall sophistication of their cyber-attacks.

Central to this collaborative environment is the offering of cybercrime-as-a-service infrastructure. The Smishing Triad provides a platform for various cybercrime services, ranging from data breaches to ransomware attacks. This infrastructure facilitates the commodification of cybercrime, making it more accessible to a broader audience and amplifying digital threats' potential scale and impact.

Delving into the pricing and subscription details of the smishing kits reveals a tiered structure designed to cater to different levels of criminal ambition. Subscriptions start at $200 per month, providing customers a gateway into smishing and the opportunity to launch their fraudulent campaigns. The accessibility and affordability of these kits indicate the group’s aim to proliferate smishing as a widespread method of cyber-attack.

The Smishing Triad’s establishment of a Fraud-as-a-Service Network, their collaboration with other cyber entities, and the provision of cybercrime-as-a-service infrastructure underscore the depth and complexity of their operations. The sale of smishing kits and the detailed pricing structure further illuminate the group’s strategic approach to expanding its reach and influence in the cybercriminal landscape. The revelations about this network serve as a stark reminder of the evolving nature of cyber threats and the imperative for continuous advancements in cybersecurity measures.

Challenges in Combating Cybercrime

Addressing the challenges in combating cybercrime, particularly those posed by groups like the Smishing Triad, unveils a complex landscape marked by jurisdictional hurdles and the need for international cooperation. The transnational nature of such cyber threats necessitates a unified approach, where difficulties in disrupting activities by actors in foreign jurisdictions are addressed through regulatory harmonization and mutual legal assistance.

One of the primary challenges in combating the Smishing Triad activities stems from their origin in China. The geographical and jurisdictional boundaries present significant obstacles in pursuing and disrupting the operations of such foreign-based cyber-criminal entities. The differences in legal frameworks, enforcement mechanisms, and the availability of resources across countries can impede timely and effective responses to emerging threats.

The Smishing Triad’s ability to operate across borders, exploiting vulnerabilities and targeting victims worldwide, highlights the need for a cohesive and harmonized international approach to cybersecurity. Regulatory harmonization is pivotal in establishing common standards and protocols for addressing cybercrime, thereby facilitating cooperation and information sharing among nations. A harmonized regulatory environment can foster a more conducive atmosphere for joint efforts in investigating and combating cyber threats, regardless of their origin.

Equally important is the establishment of mutual legal assistance agreements abroad. Such agreements are instrumental in enabling cross-border collaboration and support in legal matters related to cybercrime. They provide a framework for extradition, evidence sharing, and joint investigations, thereby enhancing the capacity of nations to respond to and mitigate the impact of transnational cyber-criminal activities.

The challenges the Smishing Triad and similar entities pose underscore the urgency of addressing the gaps in international cybersecurity frameworks. The importance of overcoming jurisdictional barriers, fostering regulatory harmonization, and establishing mutual legal assistance cannot be overstated. These elements are foundational in building a resilient and united front against the ever-evolving and increasingly sophisticated landscape of cyber threats.

The journey to combatting cybercrime is fraught with challenges, but the path forward is clear. The international community must come together, transcending boundaries and differences, to forge a united and robust defense against the activities of groups like the Smishing Triad. Pursuing regulatory harmonization and mutual legal assistance abroad is a necessity and a cornerstone in safeguarding the digital realm against the multifaceted challenges of the modern cybercrime era.

Consumer Awareness and Protection

As we navigate through the intricate operations of the Smishing Triad, it becomes increasingly evident that the evolution of smishing attacks and the exploitation of trust in communication channels are central to the group's success. The sophistication and adaptability exhibited by such attacks necessitate a parallel evolution in consumer awareness and organizational safeguards to mitigate the risks associated with this burgeoning form of cybercrime.

Smishing attacks have undergone significant evolution, becoming more refined and deceptive. The Smishing Triad has mastered exploiting users’ trust in seemingly secure communication channels such as SMS and iMessage. By crafting convincing messages and impersonating reputable entities, they have been able to deceive individuals into divulging sensitive information, thereby facilitating identity theft and financial fraud.

In light of these evolving threats, there is a pressing need for increased consumer awareness. Individuals must be educated on the telltale signs of smishing attacks and know how to distinguish between legitimate communications and potential scams. Vigilance, critical thinking, and a healthy dose of skepticism are essential tools in the arsenal of the informed consumer.

Organizations, too, bear a significant responsibility in safeguarding their customers. Implementing robust organizational safeguards such as multi-factor authentication, secure communication protocols, and regular security audits can help fortify defenses against smishing attacks. Proactive communication and education initiatives can empower customers to protect themselves and promptly report suspicious activities.

The continuous evolution of smishing attacks and the tactics employed by the Smishing Triad underscore the critical importance of consumer awareness and protection. The insights and advice provided by Resecurity shine a light on the path forward, highlighting the need for collective vigilance, enhanced security measures, and international cooperation to secure the digital landscape against the ever-evolving cyber threats.

Next Steps

In the face of evolving cyber threats like the Smishing Triad, businesses must proactively fortify their defenses. Keepnet Labs offers a consolidated Human Risk Management Platform designed to address the multifaceted challenges posed by cybercriminal activities, particularly smishing attacks.

Keepnet Labs' Smishing Simulator

Keepnet Labs’ Smishing Simulator is a cloud-based solution to evaluate and strengthen your company's security against SMS phishing. The simulator uses over 600+ ready-to-use templates in 50+ languages, allowing businesses to quickly identify weaknesses within their organization and address them effectively.

Recent data reveals a startling 328% increase in smishing attacks in just one year, with 76% of businesses targeted, leading to significant financial damages. The Smishing Simulator aims to build resilience by fostering a security culture and minimizing human risk against such attacks.

Key Features and Benefits of SMS Phishing Simulator

  • Comprehensive Library: Access to over 600+ smishing scenarios to simulate real-world SMS attacks.
  • Continuous Updates: Regularly added new scenarios ensure training remains updated with the latest smishing techniques.
  • Scenario Customization: Tailor scenarios to meet your organization's needs.
  • Real-time Automated Reporting: Gain insights into employee behavior and performance, identifying areas for improvement.
  • Multilingual Support: Cater to global organizations with training materials in multiple languages.
  • Seamless Integration: API-driven for easy integration with other applications and systems.
  • Varied Difficulty Levels: Tailor the training experience based on employees' proficiency levels.

Building Cybersecurity Awareness

With targeted training, Keepnet Labs has observed an 87% increase in employees' ability to recognize and report SMS phishing incidents within three months. This proactive security awareness approach can save up to $5.4m annually, demonstrating a significant return on investment. Customers, including Information Security Managers, have attested to the transformative impact of Keepnet Labs' Smishing Simulator on their cybersecurity approach, achieving impressive ROI and improved phishing recognition.

Why Smishing Simulator is Essential Against Smishing Triad

The Smishing Simulator is particularly relevant in protecting businesses from threats like the Smishing Triad. Organizations can identify vulnerabilities, educate employees, and fortify their security culture by simulating real-world smishing attacks. The continuous updates and comprehensive training offered by the simulator ensure that businesses stay ahead of evolving threats and are well-equipped to respond to the sophisticated tactics of groups like the Smishing Triad.

Adopting Keepnet Labs’ Smishing Simulator is a strategic step for businesses seeking to enhance their cybersecurity posture. The comprehensive features, customizable scenarios, and emphasis on building awareness make it valuable in combating the growing menace of smishing attacks and protecting against cyber-criminal entities like the Smishing Triad.

Explore Smishing Simulator Further

Are you ready to fortify your organization’s defenses against smishing attacks? We invite you to explore the capabilities of our Smishing Simulator in more detail. Request a demo or sign up for a free trial on our website to experience how our solution can empower your business to stay ahead of evolving cyber threats. Don’t miss the opportunity to safeguard your organization and build a resilient cybersecurity culture with Keepnet Labs’ innovative solutions.



Schedule your 30-minute demo now

You'll learn how to:
tickAutomate behaviour-based security awareness training for employees to identify and report threats: phishing, vishing, smishing, quishing, MFA phishing, callback phishing!
tickAutomate phishing analysis by 187x and remove threats from inboxes 48x faster.
tickUse our AI-driven human-centric platform with Autopilot and Self-driving features to efficiently manage human cyber risks.

Frequently Asked Questions

Who is the Smishing Triad?

arrow down

The Smishing Triad is a cyber-criminal group from China known for orchestrating large-scale smishing campaigns. They primarily target US citizens and impersonate various international postal and delivery services to exploit trust and obtain sensitive information.

What is smishing?

arrow down

Smishing, or SMS phishing, is a type of cyberattack where attackers use deceptive SMS messages to trick recipients into providing sensitive information, such as passwords and credit card details, leading to identity theft and financial fraud.

How does the Smishing Triad use iMessage in their attacks?

arrow down

The Smishing Triad utilizes compromised Apple iCloud accounts to send fraudulent iMessages. This method allows them to bypass traditional security measures and reach a wider audience, making their attacks more effective and challenging to counter.

Which postal and delivery services have been impersonated by the Smishing Triad?

arrow down

The Smishing Triad has impersonated several renowned postal and delivery services worldwide, including Royal Mail, New Zealand Postal Service, Correos, PostNord, Poste Italiane, USPS, Poczta Polska, J&T Express, and New Zealand Post, to gain the trust of potential victims.

How does the Smishing Triad target online shopping platforms?

arrow down

The Smishing Triad targets online shopping platforms by injecting malicious code into their websites. This allows them to intercept and collect customer data during transactions, gaining unauthorized access to sensitive information and facilitating identity theft and financial fraud.

What is the Fraud-as-a-Service Network operated by the Smishing Triad?

arrow down

The Smishing Triad operates a Fraud-as-a-Service Network, where they sell smishing kits in Telegram IM groups, collaborate with other cyber-criminals, and offer a variety of cybercrime-as-a-service infrastructures. This network enables the proliferation of smishing and other cybercrimes, making them more accessible and widespread.

How can consumers protect themselves against smishing attacks?

arrow down

Consumers can protect themselves by staying vigilant, recognizing the signs of smishing attacks, avoiding clicking on suspicious links, using two-factor authentication, and promptly reporting any suspicious messages to the relevant authorities or their service providers.

What challenges are faced in combating the activities of the Smishing Triad?

arrow down

Combating the Smishing Triad presents challenges such as jurisdictional limitations, difficulties disrupting activities by actors in foreign jurisdictions like China, and the need for international cooperation, regulatory harmonization, and mutual legal assistance to address transnational cyber threats effectively.

What advice does Resecurity offer for protecting customers?

arrow down

Resecurity emphasizes the need for regulatory harmonization, mutual legal assistance abroad, information sharing, and raising awareness among organizations and the general public. These measures are essential for building a proactive security culture and safeguarding customers against evolving cyber threats like smishing attacks.

Why is international cooperation important in combating cybercrime?

arrow down

International cooperation is crucial for addressing the challenges transnational cyber-criminal entities like the Smishing Triad pose. It enables overcoming jurisdictional barriers, fosters regulatory harmonization, facilitates mutual legal assistance, and promotes the sharing of knowledge and resources, thereby strengthening the global response to cyber threats.

iso 27017 certificate
iso 27018 certificate
iso 27001 certificate
ukas 20382 certificate
Cylon certificate
Crown certificate
Gartner certificate
Tech Nation certificate