FortiGuard Labs threat research team has recently come across numerous social media posts containing comments about a scam campaign targeting India Post users. India Post is a postal system run by the Indian government. It comes under the Ministry of Communications and has a vast network of over 150,000 post offices across the country, making it one of the largest postal systems in the world.
In this campaign, iPhone users are being targeted with a smishing attack purporting to be from India Post. In this scam, iPhone users are sent an iMessage notifying them that a package has arrived at an India Post warehouse.
Published reports have attributed the attack to a China-based threat actor known as the Smishing Triad, a group that has previously targeted other regions, including the US, UK, EU, UAE, Saudi Arabia, and most recently Pakistan.
Method
The threat actor first sends a message via iMessage directly to the recipient’s registered Apple ID email address. The sender ID may be a newly registered Apple ID or a compromised account. As long as both parties use an iMessage-enabled device and the recipient’s Apple ID is configured for iMessage, the message arrives in the recipient’s Messages app as an iMessage rather than as an email, which makes it look like an ordinary text notification.
Figure 1. Smishing bait sent to users in India. Screenshots collected from social media posts.
Once users click the link in the message, they are redirected to a fraudulent website that mimics the official India Post website, where they are asked to provide personal details such as name, address, email ID, and phone number. The site then asks for debit/credit card details and charges INR 25.02 as a “redelivery fee.” The small charge is the pretext for collecting complete card details, which can then be used for further fraudulent charges, and the harvested personal data can be misused in follow-on scams.
Fraudulent Domain Registration and Hosting
FortiGuard Labs discovered a phishing domain, “indiapost(.)top”, impersonating India Post through a cloned copy of the original website. The domain root itself serves no content; specific paths under the domain are used to host the phishing pages.
Between January and July 2024, over 470 domains impersonating India Post were registered, with a significant number (296) of them registered through Chinese registrar Beijing Lanhaijie Technology Co., Ltd. The concentration of registrations through Chinese registrars raises concerns about the intent behind such activity. Frequently used top-level domains (TLDs) include “vip,” “top,” and “buzz,” with registration costs ranging from $1 to $5 USD per domain.
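The registration pattern above (the brand string “indiapost” combined with cheap TLDs such as .vip, .top and .buzz) is something a SOC can triage automatically, both over a newly-registered-domain feed and over links found in reported messages. The following is an added example for this write-up, not FortiGuard’s tooling. It assumes the legitimate domain is indiapost.gov.in, treats the three TLDs named in the report as high-risk, and uses constructed sample inputs (the message text and domain list are made up for the demonstration).

```python
"""Triage domains and message links that impersonate India Post.

Added example; assumes indiapost.gov.in is the official domain and that
.vip/.top/.buzz are the high-risk TLDs from the report. Sample data is
constructed, not taken from the campaign.
"""
import re
from difflib import SequenceMatcher

LEGIT_DOMAINS = {"indiapost.gov.in"}            # assumed official domain
BRAND_TOKENS = ("indiapost", "postindia")        # brand strings to look for
RISKY_TLDS = {"vip", "top", "buzz"}              # TLDs named in the report
CC_SECOND_LEVEL = {"gov", "co", "org", "net", "ac", "nic"}
URL_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)


def normalize(host: str) -> str:
    """Lower-case, undo defanging like indiapost(.)top, drop any port."""
    host = host.strip().lower().replace("(.)", ".").replace("[.]", ".")
    return host.split(":")[0].rstrip(".")


def registrable(host: str) -> str:
    """Rough registrable domain: last two labels, or three under ccTLD
    second levels such as gov.in (a full public-suffix list would be better)."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def score_domain(host: str):
    """Return (score 0-100, reasons) for one hostname."""
    host = normalize(host)
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return 0, "legitimate"
    label = re.sub(r"[^a-z0-9]", "", reg.split(".")[0])  # registered label
    tld = reg.split(".")[-1]
    score, reasons = 0, []
    if any(tok in label for tok in BRAND_TOKENS):
        score += 60
        reasons.append("brand string in registered label")
    else:
        # catch typo/homoglyph variants such as indiap0st
        sim = SequenceMatcher(None, label, "indiapost").ratio()
        if sim >= 0.8:
            score += 40
            reasons.append(f"label resembles 'indiapost' ({sim:.2f})")
    # brand used as a subdomain of an unrelated domain, e.g. indiapost.example.top
    subdomain = host[: -len(reg) - 1] if host != reg else ""
    sub_clean = re.sub(r"[^a-z0-9]", "", subdomain)
    if score < 60 and any(tok in sub_clean for tok in BRAND_TOKENS):
        score += 50
        reasons.append("brand string in subdomain of unrelated domain")
    if tld in RISKY_TLDS:
        score += 30
        reasons.append(f"high-risk TLD .{tld}")
    return min(score, 100), "; ".join(reasons) or "no indicators"


def triage_message(text: str, threshold: int = 50):
    """Extract URLs from an SMS/iMessage body and score every host."""
    hits = []
    for host in URL_RE.findall(text):
        score, why = score_domain(host)
        if score >= threshold:
            hits.append((normalize(host), score, why))
    return hits


def flag_domains(domains, threshold: int = 50):
    """Triage a list of newly registered domains (e.g. a daily zone-diff feed)."""
    return [(d, *score_domain(d)) for d in domains if score_domain(d)[0] >= threshold]


# Constructed sample data, not from the report.
SAMPLE_MESSAGE = (
    "India Post: your package is waiting at our warehouse and could not be "
    "delivered. Update your address within 24 hours: https://indiapost.top/in/track"
)
SAMPLE_NEW_DOMAINS = [
    "indiapost.top", "indiapostt.vip", "indiap0st.buzz",
    "indiapost.example.top", "example.com", "www.indiapost.gov.in",
]

if __name__ == "__main__":
    for host, score, why in triage_message(SAMPLE_MESSAGE):
        print(f"message link {host}: {score} ({why})")
    for host, score, why in flag_domains(SAMPLE_NEW_DOMAINS):
        print(f"domain {host}: {score} ({why})")
```

The scoring is deliberately simple: an exact brand string in the registered label is the strongest signal, a fuzzy match catches digit substitutions, and the cheap TLDs add weight rather than deciding on their own, so an unrelated .top domain is not flagged by itself. The registrable-domain logic is a stand-in for a proper public-suffix list, which a production version should use.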
At those prices, the 470-plus registrations alone represent an outlay exceeding $1,500 USD, which, together with hosting and site-development costs, shows that this is a funded operation rather than opportunistic one-off fraud. A campaign run at this scale can reach a large number of victims, with correspondingly large financial losses and exposure of personal and card data.
Additional citations:
“Phishing scams are becoming increasingly sophisticated and it is imperative that everyone remains vigilant and takes proactive steps to protect themselves,” says Vishak Raman, VP Sales, India, SAARC, SEA and ANZ, Fortinet. “To stay safe, always check the authenticity of unexpected messages and avoid sharing personal information over emails and messaging apps. Use strong, unique passwords and enable multi-factor authentication on your accounts. It is also important to keep your software up to date and stay informed about the latest phishing techniques.”
“Businesses should also train their employees to recognize and respond to phishing threats. For organizations, the FortiPhish phishing simulation service uses real-world simulations to test user awareness and vigilance, and to train and reinforce appropriate responses if users encounter a targeted phishing attack. Following these high-level recommendations can significantly reduce the risk of falling victim to these malicious schemes.”