Threat Overview

The Security Operations Center (SOC) has identified a significant and alarming threat report published by AlienVault on April 10, 2025. The report details the activities of the Chinese eCrime group known as Smishing Triad, which has launched an extensive global SMS phishing campaign targeting over 121 countries across various industries.

The campaign’s infrastructure is highly sophisticated and capable of generating over one million page visits in just 20 days, averaging approximately 50,000 daily visits. This level of activity underscores the scale and reach of the Smishing Triad’s operations.

One of the most concerning aspects of this threat report is the introduction of a new phishing kit named ‘Lighthouse.’ This kit is specifically designed to target banking and financial organizations, with a particular focus on institutions in Australia and the Asia-Pacific region. The Lighthouse phishing kit represents a significant evolution in the group’s tactics, techniques, and procedures (TTPs), making it more challenging for traditional security measures to detect and mitigate.

The Smishing Triad claims to have over 300 front desk staff worldwide supporting their operations, which highlights the extensive resources at their disposal. This global workforce enables them to conduct highly coordinated and synchronized attacks across multiple time zones and regions.

Domain Rotation

Another notable tactic employed by the Smishing Triad is frequent domain rotation. The group uses approximately 25,000 active domains during any 8-day period. This rapid rotation of domains makes it difficult for security teams to blacklist or block phishing sites effectively. The majority of these phishing sites are hosted by prominent Chinese companies Tencent and Alibaba, which further complicates efforts to disrupt their operations.

Targeted Sectors

The campaign primarily targets several critical sectors, including postal services, logistics, telecommunications, transportation, finance, retail, and public services. These industries are essential for the functioning of modern economies, making them high-value targets for cybercriminals seeking financial gain or disruption.

Recommendations for Mitigation

In light of this threat report, it is crucial for organizations to take proactive measures to protect themselves against SMS phishing attacks. The following recommendations can help enhance security posture and mitigate the risks associated with the Smishing Triad’s activities:

1. Employee Training: Conduct regular training sessions to educate employees about the dangers of SMS phishing and how to recognize suspicious messages. Emphasize the importance of verifying requests for sensitive information through alternative communication channels.

2. Multi-Factor Authentication (MFA): Implement MFA for all critical systems and accounts. This adds an extra layer of security, making it more difficult for attackers to gain unauthorized access even if they obtain login credentials through phishing.

3. Domain Monitoring: Use domain monitoring tools to detect and block newly registered domains associated with phishing campaigns. Regularly update blacklists and whitelists based on the latest threat intelligence.

4. Email and SMS Filtering: Deploy advanced email and SMS filtering solutions that can identify and quarantine suspicious messages before they reach end-users. These solutions should be regularly updated with the latest threat signatures and heuristics.

5. Incident Response Plan: Develop and maintain an incident response plan specifically tailored to handle phishing attacks. This plan should include steps for containment, eradication, and recovery, as well as communication protocols for notifying affected parties.

6. Collaboration with ISPs: Work closely with Internet Service Providers (ISPs) to block access to known phishing sites. Regularly share threat intelligence and collaborate on efforts to disrupt the infrastructure supporting these campaigns.

7. User Awareness Campaigns: Launch awareness campaigns to inform users about the risks of SMS phishing and best practices for staying safe online. Encourage users to report any suspicious messages or activities to the SOC for further investigation.

8. Regular Security Audits: Conduct regular security audits and penetration testing to identify vulnerabilities in the organization’s infrastructure. Address any identified issues promptly to reduce the attack surface available to cybercriminals.

By implementing these recommendations, organizations can significantly enhance their resilience against SMS phishing attacks and protect themselves from the evolving threats posed by groups like the Smishing Triad.