Chinese Phishing Gang "PostalFurious" Expands Campaign


A recently discovered Chinese phishing gang has expanded its campaigns to the Middle East with new scams designed to harvest personal and payment data from victims, according to Group-IB.

The Singapore-based threat intelligence firm reported the discovery of the “PostalFurious” group in April 2023, after it spotted a smishing campaign impersonating postal brands and toll operators in APAC.

It has now attributed a new flood of phishing texts and iMessages in the UAE to the same group.


UAE residents received spoofed messages asking them to pay a vehicle toll to avoid additional fines, Group-IB explained. The text messages contained shortened URLs to obscure the true phishing domain, and once a user clicked, they were redirected to a fake branded payment page.

An almost identical campaign, which began two weeks after the first, impersonated a UAE postal operator. Both used the same servers, with phishing messages often sent from numbers in Malaysia and Thailand, as well as from email addresses via iMessage.

The pages behind those URLs asked individuals to enter personal and financial details including name, address and credit card information.

It is not clear how many people were targeted in this campaign, but customers of several UAE telcos have received the malicious SMS messages, Group-IB said.

The phishing websites themselves apparently use access-control techniques to avoid automated detection and blocking, and can only be accessed from UAE-based IP addresses. In practice this means a URL scanner or an analyst fetching the link from outside the UAE sees nothing malicious, while the targeted victim does.

Group-IB tied the campaigns to PostalFurious with some confidence, given they use the same infrastructure and code observed in previous activity from the group in APAC.

Laravel is used for the administration panel, while the source code of the phishing kit contains comments written in simplified Chinese, it said.

Group-IB senior cyber investigation specialist Anna Yurtaeva argued that phishing actors are becoming more prolific and sophisticated.

“They can no longer be detected and stopped by automated blocking. People should stay vigilant and aware of ongoing scams,” she added.

“PostalFurious operations demonstrate the transnational nature of organized cybercrime and emphasize the need for a coordinated joint response that involves the general public, private sector, and government.”
