
Smishing Scam Targets iPhone Users in India with Fake India Post Messages
The FortiGuard Labs Threat Research team recently uncovered a fraud campaign targeting India Post users, specifically iPhone owners, through smishing attacks. India Post, a branch of the Ministry of Communications, operates one of the largest postal systems globally, with over 150,000 post offices across the country.
In this particular campaign, scammers are using iMessage to deceive iPhone users, falsely claiming that a package is awaiting collection at an India Post warehouse. The messages appear credible, prompting users to engage with the fraudulent claim.
Public reports have linked the campaign to a China-based threat actor known as the Smishing Triad, which has previously targeted regions such as the US, UK, EU, UAE, Saudi Arabia, and most recently, Pakistan.
Modus Operandi
The attackers initiate the scam by sending an iMessage to the recipients’ Apple ID email addresses, either from a newly registered Apple ID or a compromised account. The message, designed to appear as a legitimate iMessage, lures the user into clicking a link.
Upon clicking, users are directed to a phishing website that mimics the official India Post site. There, they are asked to provide personal information, such as their name, address, email, and phone number, and are then prompted to pay a supposed redelivery fee of INR 25.02 using their debit or credit card. This leads to potential financial theft and misuse of the collected data.
Fraudulent Domain Registrations and Hosting
FortiGuard Labs identified the phishing domain 'indiapost[.]top,' which closely replicates the India Post website. The domain itself shows no visible content; the phishing site is hosted under specific paths.
Between January and July 2024, over 470 domains were registered to impersonate India Post, with 296 of these registered through the Chinese registrar Beijing Lanhai Jiye Technology Co., Ltd. These domains, frequently using TLDs like ‘vip,’ ‘top,’ and ‘buzz,’ suggest a well-organized operation, with domain registration costs ranging from USD 1 to USD 5. The total investment in domain registrations surpasses USD 1,500, reflecting the scale and sophistication of the phishing campaign.
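The following is an added example, not code from FortiGuard Labs or the original article: a heuristic that triages hostnames seen in DNS or proxy logs for India Post impersonation, using the TLD pattern reported above. The official suffix indiapost.gov.in, the verdict names, and every sample hostname other than indiapost[.]top are assumptions constructed for illustration.

```python
import re

# Assumption: India Post's official site lives under indiapost.gov.in.
OFFICIAL_SUFFIXES = ("indiapost.gov.in",)
# TLDs the article reports as frequently used by the impersonating domains.
FLAGGED_TLDS = {"vip", "top", "buzz"}
BRAND = "indiapost"

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as indiapost[.]top into a bare hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)                # drop http/https/hxxps scheme
    return host.split("/")[0].split(":")[0].rstrip(".")   # drop path and port

def is_official(host: str) -> bool:
    # Match on a label boundary, so indiapost.gov.in.<attacker>.buzz is NOT official.
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def classify(indicator: str) -> str:
    """Return 'official', 'suspect-high', 'suspect' or 'unrelated'."""
    host = refang(indicator)
    if is_official(host):
        return "official"
    # Collapse separators and map 0/1 to o/i so india-post and 1ndiapost still match.
    # Heuristic only: collapsing dots can also match across unrelated labels.
    squashed = re.sub(r"[-_.]", "", host).translate(str.maketrans("01", "oi"))
    if BRAND not in squashed:
        return "unrelated"
    tld = host.rsplit(".", 1)[-1]
    return "suspect-high" if tld in FLAGGED_TLDS else "suspect"

# Constructed samples, shaped like entries from proxy or DNS logs.
SAMPLES = [
    "https://www.indiapost.gov.in/track",
    "indiapost[.]top",                      # the domain named in the article
    "hxxps://india-post.example-parcel[.]vip/in/redelivery",
    "indiapost.gov.in.example-parcel[.]buzz",
    "1ndiapost-help.example",
    "example.org",
]

def scan(samples=SAMPLES):
    return {s: classify(s) for s in samples}

if __name__ == "__main__":
    for sample, verdict in scan().items():
        print(f"{verdict:13} {sample}")
```

The fourth sample shows why the allow-list must be a suffix match rather than a substring match: a hostname that merely begins with the official name is still attacker-controlled.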
Expert Recommendations
Vishak Raman, Vice President of Sales at Fortinet, emphasized the growing sophistication of phishing scams and the need for heightened vigilance. "It’s crucial to verify the authenticity of any unexpected messages and refrain from sharing personal information through email or messaging apps," he advised. Raman also highlighted the importance of using strong passwords, enabling multi-factor authentication, and staying informed about new phishing tactics.
For businesses, he recommended employee training to recognize and respond to phishing threats. Fortinet’s FortiPhish Phishing Simulation Service offers real-world simulations to test user awareness and help organizations strengthen their defences against phishing attacks.
By following these security measures, individuals and businesses alike can reduce their risk of falling victim to such malicious schemes.