Smishing Triad Is Targeting Pakistan To Defraud Banking Customers At Scale

Pierluigi Paganini June 20, 2024

Resecurity researchers warn of a new activity of Smishing Triad, which has expanded its operations to Pakistan.

Resecurity a new activity of Smishing Triad, which has expanded its operations to Pakistan. The group’s latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage/SMS. The goal is to steal their personal and financial information.

The code and templates used by the attackers in this smishing kit are consistent with those observed in previous instances of Smishing Triad. Previously, Resecurity described multiple episodes of Smishing Triad activity targeting online banking, e-commerce and payment systems customers in other geographies including USA, EU, UAE and KSA.

Smishing Triad


Estimating the global scale of threat actors’ activities, our analysts believe they send between 50,000–100,000 messages daily. To achieve this, they leverage stolen databases acquired from the Dark Web, which contain sensitive personal data of citizens including phone numbers. Pakistan, with a population of over 235.8 million, has experienced multiple data breaches in the first half of 2024, compromising the personal identifiable information (PII) of citizens. These records are then processed at scale using automation tools to distribute SMS spam for malicious and fraudulent purposes.

Smishing Triad 3

Resecurity observed multiple hosts used by attackers operating smishing kits targeting Pakistan’s postal providers, along with Correos, a state-owned postal provider in Spain, in previous episodes of Smishing Triad activity from July 2023. There were identified multiple domain names mapped to the same IP address 23[.]231[.]48[.]129:

  • ep-gov-pkw[.]cfd
  • ep-gov-ppk[.]cyou
  • ep-gov-ppk[.]icu
  • correosytelegrafos-civ[.]icu
  • correos-es[.]cn

Smishing (SMS phishing) attacks can be deceptive and aim to trick individuals into revealing personal information or clicking on malicious links through text messages to compromise digital identity and steal payment data.

The full report is available here:

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, Smishing Triad)




you might also like

leave a comment