American News Network

The Criminal Enterprise Behind That Fake Toll Text

By Eric November 14, 2025

In a startling revelation about the rise of SMS phishing, or “smishing,” Grant Smith, a cybersecurity professional, found himself on an unexpected journey after his wife fell victim to a scam. She received a text that appeared to be from the United States Postal Service (USPS), prompting her to pay a fee for a delayed package. After realizing the message was fraudulent, she quickly canceled her credit card, but the incident led Smith to investigate further. Upon exploring the fake USPS website, he uncovered significant vulnerabilities and managed to access data for over 400,000 stolen credit cards, which he reported to USPS and various banks. This incident highlights the alarming scale of smishing, a cybercrime that has become increasingly sophisticated and widespread, affecting individuals across at least 121 countries.

The smishing operation is orchestrated by a criminal enterprise known as the “smishing triad,” primarily based in China. This syndicate operates by selling smishing kits, such as the notorious “Lighthouse,” which allow even those with minimal technical expertise to launch their own scams. For a subscription fee of around $200 a month, individuals can impersonate major brands or federal agencies and send fraudulent messages to unsuspecting victims. The effectiveness of these scams is underscored by staggering estimates, with one study suggesting that USPS-related smishing alone may have defrauded victims of between $3 billion and $28 billion over a 16-month period. As traditional email spam filters improve, these text-based scams have proliferated, taking advantage of the weaker defenses in SMS systems.

In response to the growing threat of smishing, tech giants like Google are taking action. Recently, Google filed a lawsuit against 25 individuals and entities linked to the smishing triad, aiming to dismantle their operations and prevent further victimization. Cybersecurity experts emphasize that while legal actions are crucial, a comprehensive, coordinated international effort is necessary to combat these sophisticated scams effectively. The battle against smishing is complicated by the triad’s ability to adapt and innovate, with new phishing kits emerging regularly. As companies enhance their defenses, the scammers continuously evolve their tactics, making it clear that the fight against digital fraud is far from over.

Early last year, Grant Smith received an alarmed message from his wife. She had gotten a text notification about a delayed package, clicked the link, and paid a fee. Then she realized that it was not, in fact, the United States Postal Service asking for her credit-card information—that she had no idea who had just collected her payment info. She quickly canceled the card.
The Smiths had been smished. Short for “SMS phishing”—cyberattacks that arrive via text message—smishing refers to a particular type of spam message that you’ve probably received once or twice, if not dozens of times. They impersonate brands or federal agencies, such as Citigroup or USPS, in the hopes of getting people to hand over their personal information.
Smith, it so happens, is a sort of hacker himself—he works in cybersecurity. He opened the fake USPS website that the scammers had sent and began rooting around in its code, ultimately landing on multiple vulnerabilities. It turns out that the criminals had pretty bad operating security, Smith told me. He was able to log in to the hackers’ system and download information for more than 400,000 different credit cards that they had collected, he told me, which he reported to USPS and several banks.
Smith had unwittingly hacked his way into a node of the “smishing triad”: an elaborate criminal enterprise built on these fraudulent texts that several cybersecurity experts told me is mainly based in China (hence the name—triads are notorious organized-crime syndicates in China). The smishing triad does not directly con everyday people. Instead, it sells software packages to anyone who’d like to do their own scamming. For some $200 a month, the triad’s customers can get a scam rolling, even if they have no technical savvy themselves. Think of it as Squarespace for scams.
Over the past few years, these texts have become a sort of background annoyance, white noise that accompanies smartphone ownership. They reach people in at least 121 countries. The messages themselves usually have some clear tells—strange phrasings, suspicious numbers or sender addresses, misspellings. Even so, they’re effective: The USPS scam alone, which typically requests a small fee to redeliver a package, may have been responsible for defrauding victims of anywhere from $3 billion to $28 billion during a recent 16-month stretch, according to one research group’s estimate. Calculating the total amount stolen is hard, because tracing who fell for these texts and how much they lost is hard by design. And smishing scams are only becoming more common, Zach Edwards, a senior threat analyst at the cybersecurity company Silent Push, told me.
The smishing triad has been so effective that some of the biggest companies in the world are taking notice. This morning, Google announced litigation against 25 individuals or entities it has identified as members of the smishing triad, all of which it alleges are in China. (Various Google logos, including those of Gmail and YouTube, have been imitated in these scams.) Prior to this announcement, Google had reached out to talk about the lawsuit with me. One of the company’s cybercrime investigators (whom I am keeping anonymous by request, so that they are not compromised in future investigations) told me that their team at Google was clued in to the smishing triad earlier this year by external researchers, whom I then began contacting. This led me to a much wider group of cybersecurity experts—a sort of anti-smishing league—that has been tracking this criminal syndicate for years.
Five independent cybersecurity researchers, including Smith, walked me through the smishing enterprise: the inner workings, both brilliant and shockingly obvious, through which these fraudulent messages are sent and monetized. That reporting left me with the impression that this problem may never be completely solved, that we may be forever doomed to receive sketchy DMV texts warning us to “pay now to avoid irreversible consequences.”  
Smishing has become popular as email providers’ spam filters have improved. Text messages have far weaker filters and, in the case of services such as iMessage, are end-to-end encrypted and thus even harder for companies or authorities to track. Around 2023, both the scale and sophistication of these attacks increased dramatically: the relentless spam texts informing you about a supposed unpaid highway toll, late package, or unexpected tax rebate. By analyzing these fraudulent domains, as well as dark-web activity, cybersecurity experts have traced much of the smishing to services advertised on public Telegram groups and YouTube channels, almost all in Chinese.
The most popular and advanced smishing program sold on Telegram is “Lighthouse,” and this is the target of Google’s lawsuit. Lighthouse, the cybersecurity experts told me, is the key entry point through which someone who wants to devise a scam can set up a false operation. There are many ways to operationalize a smishing scam—SecAlliance, a part of CSIS Security Group, believes tens of thousands of Chinese-speaking individuals are using these smishing kits—but here are the contours. Inside the Lighthouse interface, a typical dashboard allows you to select the company you want to impersonate, perhaps Citi or PayPal, or even to spin up your own, entirely fraudulent e-commerce websites. Once the fake site is live, you can go to one of these Telegram group chats to find a data broker, from whom you purchase contact information of people to spam, and then you connect to a spammer, someone who will send texts to all those phone numbers. In some cases, spammers can operate as one-stop shops, procuring contact information and sending the messages. (One of the Telegram accounts that Google identified as part of the triad, “Kunlun,” told NPR, “What does this have to do with me? I’m not familiar with this.”)
Here, the scam gets low-tech. The spammer may have dozens of stolen iPhones and Android devices arranged in racks in a room overseas. A program can automatically compose a message (Dear Jane, This is your bank …), and each of those stolen phones can send it to perhaps hundreds or thousands of targets a day. Or, perhaps, they have an SMS blaster—a big box that acts as a fake cell tower; the spammer drives it around a neighborhood and the blaster sends texts to every phone in its radius. Some people will open the link—Silent Push has documented, on average, at least 50,000 page visits a day to these smishing websites—and some will type in their username and password or their credit-card number. One study found that nearly 17 percent of participants potentially fell for a simulated smishing attack.
Without the victim even formally clicking “Submit” to send through their personal information, the Lighthouse software can pull their credit-card number or password from the text field and store it, Ford Merrill, a security researcher at SecAlliance, told me; if there is multifactor authentication, that passcode will be hoovered up and bypassed, too. The Lighthouse software can identify if the credit card is from a bank with sufficiently weak digital security, and if not, request the victim input another. Then comes the money laundering, which Merrill described to me as “ingenious.” The Lighthouse software helps load the stolen credit-card information onto digital wallets, he said; crates of smartphones loaded with stolen cards, as many as 10 per phone, can be sold and shipped via air freight. Then a laundering expert can help the scammers pay themselves by, for instance, setting up a fake merchant and buying nonexistent items or services from it.
A fraudster used to have to know how to do all of this on their own. “Now criminals just subscribe to the services that they need to conduct the attack,” Shawn Loveland, the chief operating officer at the cybersecurity firm Resecurity, told me. “They may not have any technical knowledge on how it actually works.” And as with any supply chain, specialization allows for sophistication: better spoofs of a wider range of websites, more languages, less-detectable money laundering, and so on. One recent development, Loveland said, has involved using generative AI to write more personalized and deceptive phishing texts. A growing number of data breaches provide a large amount of personal information linked to phone numbers and emails, which a chatbot can use to compose texts that impersonate, for instance, your bank or your boss. “The whole process is really heavily automated and industrialized,” Merrill said.
Despite the triad’s overall sophistication, the cybersecurity experts told me, the scammers have made a number of fumbles. “Their operational security is terrible,” Merrill said; instructions and photos from smishing-as-a-service providers are all over Telegram. When Smith was poking around the USPS smishing link, he found admin usernames including “admin0,” “admin1,” and “admin2,” and passwords also including “admin0,” “admin1,” and “admin2.” Google was able to identify a YouTube channel (now suspended) with smishing tutorials, one of which included several Gmail addresses in a screenshare, an investigator with Google’s cybercrime group told me. Using those email accounts, the investigator said, Google was able to tie the criminal activity and online usernames to several people and entities, although it does not yet know the defendants’ true names or identities.
Google, Apple, Visa, and other companies have all been enhancing their anti-phishing protections. All the experts I spoke with told me that Google’s lawsuit is an important step: The hope would be for Google, or potentially other companies or government agencies with deep visibility into web activity, to eventually use a ruling on its lawsuit to request other actors take down the websites, accounts, IP addresses, and the like associated with these scams. But really stopping these smishing operations will require a broader, coordinated effort (and an unlikely international one, at that, given that the triad appears to be outside the U.S.). “There’s no magic bullet,” Loveland said. Google also announced today that it is supporting three bills that could enable further actions against digital scammers.
As ever, when companies and law enforcement ramp up their efforts, so do the scammers. Newer phishing kits, such as Lighthouse, are more robust and harder for cybersecurity experts to study or find ways into. The smishing triad has “too much resources and too much time to spend on it,” Smith told me. Physical arrests could require cooperation from the Chinese government. And new smishing kits are popping up all the time, Merrill said, as apprentices develop and sell their own services. The battle against phishing is not just uphill—the terrain isn’t even fully mapped out.
