Residents of the United Arab Emirates have been targeted by SMS campaigns that aim to steal payment and personal details. The campaign, which previously targeted users in Asia-Pacific, has been named PostalFurious because it impersonates postal services.
Investigations by Group-IB attributed both UAE campaigns to a Chinese-speaking phishing ring dubbed PostalFurious. The group has been active since at least 2021 and is able to rapidly set up large network infrastructures, which it also changes frequently to avoid detection by security tools, and it uses access-control techniques to evade automated detection and blocking. There is evidence that it operates globally, beyond the bounds of this one Middle Eastern initiative.
In this campaign, payment details are collected via scam SMS messages asking the recipient to pay fees for tolls and deliveries. The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit-card information. The phishing pages also appropriate the official name and logo of the impersonated postal service provider, and can only be accessed from UAE-based IP addresses.
The text messages contain a shortened URL that leads to a fake branded payment page. The campaign has been active since at least April 15 of this year; when it launched, it impersonated a UAE toll operator, and a new version launched on April 29 spoofing the UAE postal service.
The same servers hosted the phishing domains in both cases, while the SMS messages were sent from phone numbers registered in Malaysia and Thailand, as well as from email addresses via iMessage.
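The lure pattern described above (a fee-payment pretext, a shortened link, and senders that are foreign numbers or iMessage email addresses) can be turned into a simple triage rule. The following is an added example for illustration, not Group-IB's tooling; the sample messages, the shortener list, and the scoring thresholds are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages modelled on the lures described in the report; not real campaign text.
SAMPLE_SMS = [
    {"sender": "+60123456789",
     "text": "Your parcel is held at our depot. Pay the AED 5 delivery fee at https://bit.ly/3xAmpLe to release it."},
    {"sender": "+971501234567",
     "text": "Your order #A1 has shipped. Track it at https://www.example-carrier.com/track"},
    {"sender": "courier.notice@example.com",
     "text": "Unpaid toll fee detected. Settle now: https://tinyurl.com/abc123"},
]

# Assumed indicator lists; tune them to the carriers and shorteners seen in your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}
LURE_TERMS = ("fee", "toll", "delivery", "parcel", "customs", "pay", "unpaid")
FOREIGN_PREFIXES = ("+60", "+66")  # Malaysia and Thailand, the sender origins noted in the report
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def triage_sms(sender: str, text: str) -> Verdict:
    """Score one message on the indicators described in the report."""
    v = Verdict()
    hosts = [m.group(1).lower() for m in URL_RE.finditer(text)]
    if any(h in SHORTENERS for h in hosts):
        v.score += 2
        v.reasons.append("shortened URL hides the landing domain")
    hits = [t for t in LURE_TERMS if t in text.lower()]
    if len(hits) >= 2:  # one word alone is too common; require a fee-payment theme
        v.score += 2
        v.reasons.append("fee-payment lure: " + ", ".join(hits))
    if "@" in sender:
        v.score += 1
        v.reasons.append("sender is an email address (iMessage delivery)")
    elif sender.startswith(FOREIGN_PREFIXES):
        v.score += 1
        v.reasons.append("sender number registered outside the UAE")
    return v


def is_suspicious(sender: str, text: str, threshold: int = 3) -> bool:
    """True when enough independent indicators line up; threshold is an assumption."""
    return triage_sms(sender, text).score >= threshold
```

Because the landing pages are geofenced to UAE addresses, a scanner outside the UAE that gets an error or blank page from the link has learned nothing about its safety; treat an unreachable shortened link in a fee-payment SMS as unverified rather than benign.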
Who Is the Angry Postman?
When asked who the messages targeted, Anna Yurtaeva, senior cyber investigation specialist at Group-IB's Digital Crime Resistance Center in Dubai, confirms that PostalFurious' scam campaigns are all targeted at members of the public.
"They launch widespread SMS phishing campaigns, and we are aware of cases where messages have been sent to UAE residents who are not users of the services," she says. "From our analysis of the source code and infrastructure of the PostalFurious website, we see that the gang aims to steal payment credentials and personal data from victims."
She confirms that no malware downloads were seen in the two detected campaigns, but the attacks against users in the UAE appear to be part of a broader, mass campaign that could have global implications. She says the operators of PostalFurious previously targeted users in Singapore and Australia, where they also produced fake sites impersonating postal services and toll operators.
The news comes on the heels of a similarly themed campaign that came to light earlier this week. Dubbed "Operation Red Deer," the effort saw Israeli engineering and telecommunications companies targeted with a sustained phishing message campaign that convincingly impersonates Israel's postal service.