TLDR
The Smishing Triad has registered 194,000+ malicious domains since January 2024. It increasingly targets brokerage accounts and is estimated to have earned more than $1 billion in three years.
Phishing pages are hosted on US cloud services, while the domains are bought through a Hong Kong registrar. Domains are replaced within hours or days, which defeats static blocklists.
What happened
Palo Alto Networks Unit 42 published a detailed analysis of a smishing campaign. The campaign is attributed to a China‑linked group called the Smishing Triad. The group has registered more than 194,000 domains from January 2024 to the present.
Each domain points to a phishing kit that mimics a legitimate service. The kits request credentials, OTPs, or personal data. The messages arrive via SMS, often appearing to come from banks, brokers, or delivery services.
The campaign operates as a phishing‑as‑a‑service (PhaaS) ecosystem. Several roles are involved:
- Phishing‑kit developers who build and update the malicious pages.
- Domain‑registration services that acquire fresh names daily.
- Spam distributors who push the SMS payloads to target lists.
- Cash‑out operators who monetize the stolen data.
The infrastructure is primarily hosted on US cloud platforms. The group uses virtual machines, storage buckets, and CDN services to serve the pages. Despite the US hosting, the domain registrations are processed through a Hong Kong registrar. This split complicates attribution and takedown efforts.
Financial services have become a primary focus. In Q2 2025, attacks on brokerage accounts rose five‑fold compared to Q2 2024. The messages claim to be security alerts, trade confirmations, or account verification requests. Victims who click the link are taken to a replica of the broker’s login portal.
Once credentials are entered, the data is forwarded to the cash‑out team. The team uses the information to initiate unauthorized trades, transfer funds, or sell the credentials on underground markets. Unit 42 estimates that the Smishing Triad has generated more than $1 billion in profit over the past three years.
The group’s success relies on rapid domain turnover. New domains are registered every few hours, and older ones are abandoned as soon as security tools flag them. A domain is therefore often only hours or days old when the SMS that links to it is sent. This churn defeats static blocklists and forces defenders to key on behaviour and domain age rather than on specific names.
Why it matters
The campaign demonstrates the maturity of smishing as a delivery vector. SMS is trusted more than email in many regions. Users often assume that a text from a bank is legitimate.
The financial impact is substantial. Over $1 billion in illicit revenue shows that the model is profitable and likely to persist. The fivefold rise in brokerage attacks signals a shift toward high‑value targets.
The use of US cloud services raises jurisdictional challenges. Law‑enforcement requests must navigate international data‑privacy rules. The Hong Kong registrar adds another layer of legal complexity.
Rapid domain registration undermines traditional blacklist approaches. Defenders must adopt real‑time threat‑intelligence feeds and machine‑learning classifiers to keep pace.
The PhaaS model lowers the barrier to entry for low‑skill actors. Anyone can purchase a ready‑made kit and launch a campaign. This democratization expands the threat surface.
Brokerage firms face reputational damage when customers lose funds. Trust erosion can lead to churn and regulatory scrutiny. The campaign therefore has indirect costs beyond the direct financial loss.
Regulators are likely to respond with stricter SMS‑authentication guidelines. Organizations that fail to adapt may face penalties.
Who is affected
- Retail investors: Individuals who receive smishing messages and enter credentials.
- Brokerage firms: Companies that see unauthorized trades and account takeovers.
- Financial institutions: Banks that issue SMS alerts and may be impersonated.
- Cloud providers: US platforms that host the malicious infrastructure.
- Domain registrars: The Hong Kong registrar that processes bulk registrations.
- Security teams: Analysts who must track and block the fast‑moving domains.
How to check exposure
Start with a message audit. Collect all SMS alerts received in the last 30 days. Look for the following indicators:
- Unusual sender numbers or short codes.
- Links that use unfamiliar top‑level domains (e.g., .xyz, .top, .club), or hostnames that pair a brand name with words such as "secure", "verify" or "login". The TLD alone is a weak signal; the lookalike hostname is the stronger one.
- Urgent language demanding immediate action.
- Requests for OTPs, passwords, or personal identifiers.
Next, verify the URLs. Use a sandbox or a safe‑browse service to resolve the domain rather than opening it on a user device. Check the WHOIS record for the creation date and the registrar. A domain that is only days or weeks old, and whose registrar matches the Hong Kong registrar named in the Unit 42 report, is a strong signal. A creation date after January 2024 on its own is too broad to act on; it is the age at the time the message arrived that matters.
Review DNS logs for outbound queries to newly registered domains. Flag any query that matches the domain indicators Unit 42 published, and include subdomains of those names. Treat that list as a seed rather than a complete blocklist: the group retires and replaces domains faster than any published list can track, so a query to a domain registered in the last few days is itself worth investigating.
Inspect authentication logs on brokerage platforms. Look for customer logins from data‑center or cloud IP ranges rather than residential ISPs, especially from a new device followed shortly by a fund transfer or an unusual trade. The US cloud ranges Unit 42 described host the phishing pages; the cash‑out team may log in from elsewhere, so treat cloud‑origin logins as one signal among several, and exclude your own corporate VPN egress ranges first.
Conduct a credential‑reuse scan. Compare any credentials known to be compromised against your internal directory, using your identity provider’s breached‑password check against stored hashes rather than replaying plaintext passwords at live logins, to see whether the same password is in use elsewhere.
Finally, engage threat‑intel feeds that track newly registered and short‑lived domains (this is domain churn, not fast‑flux DNS, which rotates the IP addresses behind a single name). Correlate feed data with your own DNS and proxy logs to surface exposure that the message audit alone would miss.
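The first three steps of the audit above (message indicators, WHOIS age and registrar, DNS-log correlation) as one runnable triage pass. This is an added example, not tooling from the Unit 42 report. The indicator weights, the known sender short code "12345", the watched registrar string "Example Registrar (HK) Ltd" and the new-domain window are assumptions; the SMS samples, WHOIS excerpts and BIND-style query-log lines are constructed, and the WHOIS dictionary stands in for a live lookup so the script runs offline.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicator definitions follow the audit list above.  Weights, the known sender
# short code and the watched registrar name are assumptions for this example;
# substitute your own sender IDs and the registrar named by Unit 42.
SUSPECT_TLDS = {"xyz", "top", "club"}
KNOWN_SENDERS = {"12345"}                            # constructed: the institution's own short code
WATCHED_REGISTRARS = {"example registrar (hk) ltd"}  # placeholder name, lower-cased
NEW_DOMAIN_DAYS = 30                                 # assumed "newly registered" window
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|locked|act now)\b", re.I)
CRED_REQUEST = re.compile(r"\b(otp|one[- ]time (?:code|password)|password|verification code|ssn|pin)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
CREATED_RE = re.compile(r"^\s*Creation Date:\s*(\S+)", re.I | re.M)
REGISTRAR_RE = re.compile(r"^\s*Registrar:\s*(.+?)\s*$", re.I | re.M)
DNS_RE = re.compile(r"client (?:@\S+ )?(\d+\.\d+\.\d+\.\d+)#\d+ \(([^)]+)\): query:")


def extract_domains(body):
    """Hostnames from every URL in an SMS body, lower-cased."""
    return [h.lower() for h in (urlsplit(u).hostname for u in URL_RE.findall(body)) if h]


def whois_facts(whois_text, as_of):
    """(age in days, registrar) parsed from a raw WHOIS record; age is None if no creation date."""
    created = CREATED_RE.search(whois_text)
    registrar = REGISTRAR_RE.search(whois_text)
    age = None
    if created:
        ts = datetime.fromisoformat(created.group(1).replace("Z", "+00:00"))
        age = (as_of - ts).days
    return age, (registrar.group(1).lower() if registrar else "")


def score_message(sender, body, whois, as_of):
    """Weighted indicator match for one SMS: returns (score, reasons, linked domains)."""
    found = []
    if sender not in KNOWN_SENDERS:
        found.append((1, f"unknown sender {sender}"))
    if URGENCY.search(body):
        found.append((1, "urgent language"))
    if CRED_REQUEST.search(body):
        found.append((2, "asks for credentials or OTP"))
    domains = extract_domains(body)
    for d in domains:
        if d.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            found.append((1, f"suspect TLD: {d}"))
        if d in whois:  # offline table stands in for a live WHOIS query
            age, registrar = whois_facts(whois[d], as_of)
            if age is not None and age <= NEW_DOMAIN_DAYS:
                found.append((3, f"{d} registered {age} days ago"))
            if registrar in WATCHED_REGISTRARS:
                found.append((2, f"{d} via watched registrar"))
    return sum(w for w, _ in found), [r for _, r in found], domains


def correlate_dns(log_lines, flagged):
    """(client IP, queried name) for resolver queries to a flagged domain or any subdomain of it."""
    hits = []
    for line in log_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in flagged):
            hits.append((client, qname))
    return hits


# Constructed sample data: two SMS alerts, WHOIS excerpts for the linked domains,
# and BIND-style resolver query-log lines from the internal network.
AS_OF = datetime(2025, 9, 15, tzinfo=timezone.utc)
WHOIS = {
    "secure-brokerlogin.top": "Domain Name: SECURE-BROKERLOGIN.TOP\nRegistrar: Example Registrar (HK) Ltd\nCreation Date: 2025-09-12T02:11:05Z\n",
    "example-broker.com": "Domain Name: EXAMPLE-BROKER.COM\nRegistrar: Example Registrar Inc\nCreation Date: 2004-05-01T00:00:00Z\n",
}
MESSAGES = [
    ("+15550001234", "Your brokerage account is locked. Verify immediately with your OTP at https://secure-brokerlogin.top/verify"),
    ("12345", "Trade confirmation: order 88214 filled. Details at https://example-broker.com/orders"),
]
DNS_LOG = [
    "15-Sep-2025 09:14:02 client 10.0.4.21#51223 (secure-brokerlogin.top): query: secure-brokerlogin.top IN A +",
    "15-Sep-2025 09:14:05 client 10.0.4.21#51224 (www.secure-brokerlogin.top): query: www.secure-brokerlogin.top IN A +",
    "15-Sep-2025 09:15:10 client 10.0.7.8#41000 (example-broker.com): query: example-broker.com IN A +",
]


def triage(messages=MESSAGES, whois=WHOIS, dns_log=DNS_LOG, as_of=AS_OF, threshold=4):
    """Full pass: score each SMS, flag domains from high-scoring ones, correlate DNS logs."""
    report, flagged = [], set()
    for sender, body in messages:
        score, reasons, domains = score_message(sender, body, whois, as_of)
        report.append((sender, score, reasons))
        if score >= threshold:
            flagged.update(domains)
    return report, sorted(flagged), correlate_dns(dns_log, flagged)


if __name__ == "__main__":
    for part in triage():
        print(part)
```

Running it scores the first message 10 (unknown sender, urgency, OTP request, .top, two-day-old domain, watched registrar) and the legitimate trade confirmation 0; the flagged domain is then matched against the query log, which shows that 10.0.4.21 resolved both the bare name and its www subdomain, so that host is where the exposure investigation starts. The threshold, like the weights, is a tuning choice: set it so that a genuine alert from your own short code with a long-lived domain stays at zero.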
Fast mitigation
Filter SMS on the devices you control. An enterprise cannot block senders carrier‑wide, but carriers and mobile‑device‑management vendors offer spam filtering for managed phones, and an allow‑list of approved short codes is practical there. Institutions that send customer alerts should register their own sender IDs and short codes and publish them, so customers can tell a genuine alert from an impersonation.
Deploy a domain‑blocking solution, at the DNS resolver or web proxy, that updates at least hourly and matches subdomains as well as exact names. Use the indicators Unit 42 published as a seed and supplement them with real‑time feeds of newly registered domains; the published list alone will be stale within days.
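One way to operationalize an hourly‑refreshed domain feed at the resolver is a BIND response policy zone (RPZ). The script below, an added example rather than anything from the Unit 42 report, turns feed lines into an RPZ zone file that returns NXDOMAIN for each domain and its subdomains. The feed contents are constructed, and the shared‑parent set "example-cdn.net" is a placeholder for cloud storage or CDN parent domains that must never be wildcarded because legitimate services live under them.

```python
import re
from datetime import datetime, timezone

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Placeholder: parent domains of shared cloud/CDN hosting.  A kit hosted on a
# bucket or CDN hostname under one of these gets an exact-name entry only;
# the parent itself is never blocked.
SHARED_PARENTS = {"example-cdn.net"}

# Constructed: a fixed "now" so the generated serial is reproducible here.
NOW = datetime(2025, 9, 15, 9, 30, tzinfo=timezone.utc)

# Constructed feed contents; the hostnames are placeholders, not published indicators.
FEED = [
    "# smishing domains, refreshed hourly",
    "secure-brokerlogin.top",
    "HTTPS://Broker-Verify.XYZ/login ",
    "secure-brokerlogin.top",          # duplicate, must collapse
    "kit-bucket.example-cdn.net",      # kit on shared hosting: exact name only
    "example-cdn.net",                 # the shared parent itself: must be dropped
    "top",                             # single label: would sinkhole a TLD, must be rejected
]


def normalize(raw):
    """One feed line -> bare lower-case hostname, or None if unusable.
    Strips comments, whitespace, a leading scheme and any path, and rejects
    single-label names so a bad feed line can never blackhole a whole TLD."""
    line = raw.split("#", 1)[0].strip().lower()
    line = re.sub(r"^[a-z][a-z0-9+.-]*://", "", line).split("/", 1)[0].rstrip(".")
    labels = line.split(".")
    if len(labels) < 2 or not all(LABEL.match(lab) for lab in labels):
        return None
    return line


def hourly_serial(now):
    """Zone serial as YYYYMMDDHH: increases every hour, so each regenerated zone
    is seen as newer by BIND and its secondaries, and fits the 32-bit serial field."""
    return int(now.strftime("%Y%m%d%H"))


def build_rpz(feed_lines, serial):
    """RPZ zone text answering NXDOMAIN ('CNAME .') for each domain and its subdomains.
    Returns (zone_text, sorted unique domains that were emitted)."""
    domains = sorted({d for d in map(normalize, feed_lines) if d and d not in SHARED_PARENTS})
    out = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for d in domains:
        out.append(f"{d} CNAME .")
        if not any(d.endswith("." + p) for p in SHARED_PARENTS):
            out.append(f"*.{d} CNAME .")   # wildcard covers www., login., etc.
    return "\n".join(out) + "\n", domains


if __name__ == "__main__":
    zone, emitted = build_rpz(FEED, hourly_serial(NOW))
    print(zone, end="")
```

Load the output as a normal master zone in named.conf (for example `zone "smishing.rpz" { type master; file "smishing.rpz"; };`) and reference it from `response-policy { zone "smishing.rpz"; };` in the options block; after each hourly regeneration run `rndc reload smishing.rpz`. Names in the file are relative, so `secure-brokerlogin.top` becomes `secure-brokerlogin.top.smishing.rpz.`, which is exactly how RPZ expects triggers to be written. The single‑label guard and the shared‑parent handling are the two checks that matter in practice: the feed is refreshed by automation, and one malformed line must not take down `.top` or a cloud provider’s CDN.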
Enforce multi‑factor authentication (MFA) that does not rely on SMS. Prefer phishing‑resistant methods such as hardware security keys or passkeys for high‑value accounts; a code from an authenticator app is better than an SMS code, but a kit that asks the victim for the code can still relay it in real time.
Educate users with a concise briefing. Tell them to verify any text that asks for credentials by contacting the institution directly.
Do not try to solve this with egress filtering by cloud region: the same US cloud platforms host both the phishing pages and legitimate services, so blocking their address ranges is not workable. Filter by name instead, at the DNS resolver or web proxy, and where your resolver supports blocking newly registered domains as a category, enable it for user devices.
Enable DMARC, DKIM, and SPF for all corporate email domains. While the attack vector is SMS, many phishing kits also send follow‑up emails. These controls stop spoofing of your own domains; they do nothing against lookalike domains, which is what the domain blocking above is for.
Monitor for abnormal trade activity. Set thresholds that trigger alerts for large or unusual transactions.
Report malicious domains for takedown to the abuse contacts of their registrar and hosting provider, both of which appear in the WHOIS record; your own registrar has no control over someone else’s domain. Expect the domain to be replaced quickly, so file the report but do not treat it as the fix.
Report incidents to law‑enforcement and to the relevant financial regulator. Provide full logs to aid attribution.
Review and rotate any credentials that may have been exposed. Force password changes for all affected users.
Finally, conduct a tabletop exercise. Simulate a smishing breach and test your response plan. Refine the plan based on lessons learned.