A new phishing campaign is targeting iPhone users in India, posing as India Post to steal personal and financial information. The scam involves sending fraudulent iMessages claiming a package is awaiting delivery at an India Post warehouse.
According to FortiGuard Labs, the campaign is likely the work of the Smishing Triad, a China-based threat group known for similar attacks in other countries. The scammers lure victims to a fake India Post website where they are asked to provide personal details and credit card information for a supposed redelivery fee.
The phishing operation is extensive, with over 470 domains registered to impersonate India Post since January 2024. Many of these domains were registered through a Chinese registrar, further indicating the involvement of the Smishing Triad.
Fortinet warns users to be cautious of unexpected messages and to avoid sharing personal information through email or messaging apps. Strong passwords, multi-factor authentication, and keeping software updated are essential for protection against phishing attacks. Businesses are also advised to train employees to recognize phishing attempts.
Modus Operandi
The threat actors begin by sending an iMessage directly to the recipient's registered Apple ID email address. The sender can be a newly registered Apple ID or a compromised account. Because the lure arrives over iMessage rather than SMS or email, it shows up in the recipient's Messages app as an ordinary iMessage, provided both parties use iMessage-enabled devices with their Apple IDs configured for iMessage.
Fake Website Hosting and Domain Registration
FortiGuard Labs identified the phishing domain 'indiapost[.]top', which impersonates India Post with a copy of the real website. The phishing pages are served only under specific paths on the domain; the domain root itself returns no content, so a scanner that only fetches the bare domain will see nothing suspicious.
Over 470 domains were registered to mimic India Post between January and July 2024. Notably, 296 of them were registered through Beijing Lanhai Jiye Technology Co., Ltd., a Chinese registrar; this concentration of registrations with a single Chinese registrar raises questions about who is behind the campaign. The most commonly used top-level domains (TLDs) are .buzz, .top and .vip, where a domain can be registered for roughly USD 1 to USD 5.
Spending more than USD 1,500 on domain registrations alone shows the scale and commitment of the campaign. Combined with hosting and development costs, that investment indicates how seriously these scams should be taken. Given the scope of the operation, a large number of victims are likely to be targeted, with the potential for significant financial losses and data breaches.
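The indicators above (a brand token in the registrable label, a cheap TLD such as .buzz, .top or .vip, and a registrar of interest) can be turned into a simple triage check for newly observed domains. The following is an added example written for this page, not FortiGuard Labs' tooling; the domain list and registrar fields are constructed sample data, and only 'indiapost[.]top', the three TLDs and the registrar name come from the article. It assumes the legitimate India Post site is indiapost.gov.in and that the registrable label is the second-to-last DNS label (true for these TLDs).

```python
"""Triage newly observed domains for India Post lookalikes.

Added example, not the article's or FortiGuard Labs' code. SAMPLE_RECORDS
below is constructed data; only indiapost[.]top, the TLDs .buzz/.top/.vip and
the registrar name are taken from the article.
"""
import re
from collections import Counter

BRAND = "indiapost"
# TLDs the article reports as commonly used by the campaign.
CHEAP_TLDS = {"buzz", "top", "vip"}
# Registrar named in the article as handling 296 of the domains.
FLAGGED_REGISTRARS = {"Beijing Lanhai Jiye Technology Co., Ltd."}
# Assumption: the genuine India Post site, which must never be flagged.
ALLOWLIST = {"indiapost.gov.in"}

# Leetspeak / look-alike characters folded before comparing with the brand.
_FOLD = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s", "4": "a"})


def refang(domain: str) -> str:
    """Turn defanged 'indiapost[.]top' back into 'indiapost.top', lower-cased."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", domain.strip().lower()).strip(".")


def classify(domain: str) -> dict:
    """Extract TLD and registrable label and test the label for the brand."""
    d = refang(domain)
    labels = d.split(".")
    tld = labels[-1]
    # Assumption: second-to-last label is the registrable one (fine for .top etc.).
    sld = labels[-2] if len(labels) > 1 else labels[0]
    # Drop separators, then fold look-alike characters: "1ndia-p0st" -> "indiapost".
    folded = re.sub(r"[^a-z0-9]", "", sld).translate(_FOLD)
    brand_hit = BRAND in folded or ("india" in folded and "post" in folded)
    allowlisted = any(d == a or d.endswith("." + a) for a in ALLOWLIST)
    return {
        "domain": d,
        "tld": tld,
        "brand_hit": brand_hit,
        "cheap_tld": tld in CHEAP_TLDS,
        "allowlisted": allowlisted,
    }


def triage(records):
    """records: iterable of (domain, registrar) pairs.

    Returns (suspects, summary). Each suspect carries a 1-3 score: 1 for the
    brand match, +1 for a cheap TLD, +1 for a flagged registrar.
    """
    suspects = []
    by_tld, by_registrar = Counter(), Counter()
    for domain, registrar in records:
        c = classify(domain)
        if c["allowlisted"] or not c["brand_hit"]:
            continue
        c["registrar"] = registrar
        c["flagged_registrar"] = registrar in FLAGGED_REGISTRARS
        c["score"] = 1 + int(c["cheap_tld"]) + int(c["flagged_registrar"])
        suspects.append(c)
        by_tld[c["tld"]] += 1
        by_registrar[registrar] += 1
    return suspects, {"by_tld": dict(by_tld), "by_registrar": dict(by_registrar)}


# Constructed sample feed: (domain, registrar). Only the first domain and the
# Beijing registrar name appear in the article; the rest are made up here.
SAMPLE_RECORDS = [
    ("indiapost[.]top", "Beijing Lanhai Jiye Technology Co., Ltd."),
    ("india-post-redelivery[.]buzz", "Beijing Lanhai Jiye Technology Co., Ltd."),
    ("1ndiap0st[.]vip", "Example Registrar LLC"),
    ("post-india-parcel[.]top", "Example Registrar LLC"),
    ("www.indiapost.gov.in", "Example Registrar LLC"),
    ("weatherupdates[.]top", "Example Registrar LLC"),
]

if __name__ == "__main__":
    found, summary = triage(SAMPLE_RECORDS)
    for s in sorted(found, key=lambda x: -x["score"]):
        print(f"{s['score']}  {s['domain']:32} {s['registrar']}")
    print(summary)
```

Because the phishing content sits under specific paths rather than at the domain root, a domain-level hit from this triage should be followed by fetching the full URL from the lure message, not just the bare hostname, when confirming the page.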
Vishak Raman, Vice President of Sales, India, SAARC, SEA & ANZ at Fortinet, said: "Phishing scams are becoming increasingly sophisticated, making it essential for everyone to stay vigilant and take proactive steps to protect themselves. To stay safe, always verify the authenticity of any unexpected messages and avoid sharing personal information through email or messaging apps. Use strong, unique passwords and enable multi-factor authentication on your accounts. Keeping your software updated and staying informed about the latest phishing tactics are also crucial."
"Businesses also must train employees to recognize and respond to phishing threats. For organizations, our FortiPhish Phishing Simulation Service uses real-world simulations to help test user awareness and vigilance, training and reinforcing proper practices when users encounter targeted phishing attacks. By following these high-level recommendations, you can significantly reduce the risk of falling victim to these malicious schemes," he adds.