Global Smishing Campaign Targets 19 Nations Governments Postal Telecom Sectors

On 2026-05-27, AlienVault released a comprehensive threat report that exposed a coordinated smishing campaign targeting governments, postal services, and telecom operators across 19 countries. The operation, centered around fraudulent SMS messages that impersonated Romania’s official payment portal Ghișeul.ro, leveraged a sophisticated infrastructure and a two‑template phishing strategy to harvest sensitive credentials and payment card data.

The campaign spanned Europe, the Americas, and the Caucasus, with victims ranging from national tax authorities and traffic police departments to major postal carriers such as DPD and SEUR and telecom giants like T‑Mobile and Vodafone. In total, 1,628 malicious URLs were identified, all linked by a single 128‑character campaign identifier that tied the operation together across multiple stages.

Technical infrastructure analysis revealed 32 backend IP addresses distributed across major cloud providers including Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. The attackers employed a distributed architecture to evade detection, rotating IPs and leveraging content delivery networks to mask the origin of phishing landing pages.

Two distinct phishing templates were used. The first is a Vue.js single‑page application that mimics the look and feel of the official portal, while the second is a Bootstrap‑based clone that replicates key elements of the Ghișeul.ro interface. Both templates include a four‑stage credential harvesting process that presents fabricated traffic fines, toll payments, and delivery notifications to trick recipients into entering full payment card details and personal data.

The four‑stage process begins with a convincing SMS alert, followed by a redirect to a malicious landing page, submission of personal and payment information, and finally a confirmation page that offers a “receipt” of the transaction. This staged approach increases the likelihood of credential capture and reduces the probability of user suspicion.

Impact assessment indicates that the compromised credentials could be used for a range of financial frauds, including direct card‑present and card‑not‑present transactions. Additionally, the harvested personal data can facilitate social engineering attacks targeting government officials and postal staff.

Indicators of compromise include the 128‑character campaign identifier, the domain hxxps://hunt[.]io/blog/massive-smishing-campaign-governments-postal-telecoms, and the fingerprinted Vue.js and Bootstrap templates. Security teams should monitor for these IOCs in SMS gateways and endpoint logs.

Further details can be found at hxxps://otx[.]alienvault[.]com/pulse/6a17527240dde65694eed30e.

Mitigation recommendations for security analysts are as follows: implement SMS filtering and gateway verification to block known malicious numbers; enforce domain reputation checks for incoming messages; deploy user awareness training focused on smishing tactics; and deploy multi‑factor authentication for all government portal access. Regularly update threat intelligence feeds with the latest IOCs from AlienVault and other reputable sources.

In conclusion, this smishing campaign demonstrates the evolving sophistication of threat actors targeting critical public infrastructure. By adopting layered defenses, continuous monitoring, and proactive user education, organizations can reduce the risk of credential compromise and protect vital services from financial exploitation.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading