Silent Push Alerts Australian Tax Office to Refund Scam

Last month we uncovered a smishing campaign targeting users in the United States that was actively harvesting the credentials of customers of various US national and regional banks.

Using HTTP header values and advanced adversary fingerprinting, our team has tracked what we believe to be the same threat group. This led to the discovery of multiple phishing campaigns impersonating not only US banks but also regional credit unions, email providers, and the Australian Taxation Office (ATO), with outcomes ranging from credit card theft to credential harvesting.

Our investigation began during our research into phishing emails linked to the Greatness Phishing Kit. Our team used heuristic analysis methods based on header values and JARM hashes to traverse attacker infrastructure, which revealed a link to IOCs that we had already uncovered during the aforementioned smishing investigation.

Further scans revealed hundreds of domains engaged in previously unknown smishing campaigns impersonating prominent governmental and financial institutions, all utilising the same infrastructure. We’ve passed our research on to the ATO, who are looking into the matter.

Read the full investigation here –