Hacking the hackers: After his wife fell victim to a smishing campaign, a security researcher initiated a personal investigation, uncovering a global operation. By hacking into the scammers' systems to gather evidence, he provided authorities with crucial information that helped end the widespread fraud campaign.
When security researcher Grant Smith received a text message claiming to be from the United States Postal Service, he initially dismissed it as another scam. However, the situation took a serious turn when his wife inadvertently entered her credit card details into the linked fraudulent website. This personal breach motivated Smith to embark on an in-depth investigation into the scam's origins.
Smith, the founder of cybersecurity firm Phantom Security, eventually uncovered a large-scale operation involving fake USPS messages designed to collect personal information, including credit card details, from unsuspecting victims. These scams directed recipients to fraudulent websites that prompted them to enter sensitive information.
Determined to trace the source of the scam, Smith identified a Chinese-language group responsible for the operation. He exploited vulnerabilities in their systems, using SQL injection and path traversal to gather evidence of their activities. The SQL injection attacks allowed him to manipulate database queries, while path traversal enabled access to files outside the web root folder.
"I started reverse engineering it, figured out how everything was being encrypted, how I could decrypt it, and figured out a more efficient way of grabbing the data," Smith told Wired.
Building on this, he managed to crack the website administrator passwords, noting that many still used default credentials like "admin" for the username and "123456" for the password. This rookie mistake enabled him to efficiently automate the extraction of victim data from the network of smishing websites. Ultimately, Smith assembled a massive data cache for authorities, including 438,669 unique credit card numbers and over 1.2 million pieces of information from 1,133 domains.
Smith's investigation revealed that the scammers used a smishing kit sold on Telegram, linked to a group known as the "Smishing Triad." The group was not unknown to security researchers, including Resecurity. The scammers operate a sophisticated cyber-criminal organization, primarily engaging in smishing campaigns targeting postal services and their customers worldwide.
The Smishing Triad sent fraudulent SMS and iMessage texts, usually impersonating reputable postal and delivery services like USPS and Royal Mail. These messages warned recipients of undeliverable packages and prompted them to provide personal details, credentials, and payment information.
They exploited the trust users place in SMS – specifically iMessage, making their scams more convincing. By using compromised Apple iCloud accounts, they bypassed traditional security measures to reach a broader audience.
Their operations also involved encrypting HTTP responses with RSA to complicate analysis and detection efforts. Other tactics included using URL-shortening services like Bit.ly to disguise malicious links and utilizing stolen databases from the dark web to enhance their targeting capabilities.
The group employed geo-filtering to target specific regions, such as the UAE and Pakistan, tailoring their attacks to local contexts and increasing their effectiveness. They had a broad operational scope that targeted postal services and their customers in multiple countries, including the US, UK, EU, UAE, and Pakistan.
An unnamed bank noticed Smith's blog posts and reached out. He shared his findings with the bank, reported the incidents to the FBI, and later provided information to the United States Postal Inspection Service (USPIS).
As it happens, Smith's actions fall into a legal gray area under the Computer Fraud and Abuse Act (CFAA) because hacking into the scammers' systems to gather evidence could be considered a violation of the CFAA. Although he won't face prosecution, authorities are concerned that the evidence collected might be inadmissible because Smith obtained it through technically illegal means.
Michael Martel, a national public information officer at USPIS, stated that postal service investigators are using the details Smith provided. However, Martel noted that he cannot comment on specific aspects of the investigation.
Image credit: Grant Smith
A husband's quest for justice unmasks a global smishing operation
