Group-IB, a Singapore-based cybersecurity firm, has attributed a recent wave of scams impersonating UAE public bodies to a Chinese-speaking phishing gang, codenamed PostalFurious. The threat actor, documented for the first time by Group-IB in April 2023, has been targeting users in the Asia-Pacific by impersonating postal brands and toll operators. Now, Group-IB can confirm that the group has extended its operations to the UAE.
In early May, UAE authorities warned the country’s residents about a scam campaign that saw threat actors impersonate a local road toll operator. Group-IB’s Digital Crime Resistance Center in Dubai was able to attribute this campaign to PostalFurious, along with a second scam scheme that targeted UAE residents under the guise of a postal service. As part of its commitment to fighting cybercrime, Group-IB has shared its findings on the group with the Dubai Police Force and issued notifications for the impersonated brands.
In the aforementioned fake toll payment scheme, UAE residents receive fake messages asking them to urgently pay a vehicle trip fee to avoid additional fines. The text messages contain a shortened URL to obscure the true phishing address. Once a user clicks on the link, they are redirected to a fake branded payment page.
The scammers’ goal is to compromise users’ payment data. According to Group-IB’s cyber investigations team, the campaign has been active since at least April 15, 2023.
Upon closer examination of the phishing infrastructure, Group-IB investigators found an almost identical scam campaign launched on April 29, 2023. The scammers used the same servers to host another network of phishing websites. The only difference between the two scam campaigns, which commenced two weeks apart, is the impersonated brand. In the latter campaign, scammers mimicked a UAE postal operator.
The latest scam wave also relies on smishing (SMS phishing) to deliver phishing links. The text messages were sent from phone numbers registered in Malaysia and Thailand, as well as from email addresses via iMessage. While it is unknown how many individuals were targeted in this campaign, Group-IB experts found that customers of multiple UAE telecommunications companies received rogue SMS messages.
The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information. The phishing pages appropriate the official name and logo of the impersonated postal service provider.
Group-IB experts note that the identified phishing websites utilize access-control techniques to avoid automated detection and blocking. The pages can only be accessed from UAE-based IP addresses.
Additionally, Group-IB's cyber investigators, who regularly assist in INTERPOL-led operations in the MEA region, attributed both campaigns to a Chinese-speaking phishing ring dubbed PostalFurious.