Date: 03/10/2025
Severity: High
Summary
A threat actor has registered over 10,000 domains with the "com-" prefix for SMS phishing (smishing) scams. These domains impersonate toll and package delivery services across 10 U.S. states (CA, FL, IL, KS, MA, PA, NJ, NY, TX, VA) and Ontario, Canada. The smishing campaign aims to steal personal and financial information by tricking victims with domain names in which the impersonated brand appears as a subdomain in front of the "com-" label (for example, "usps.com-tracking-helpsomg.xin"), so the host reads like "usps.com" at a glance. Over 70% of the domains use the same two name servers, and 93% of the resolved IPs belong to AS13335 (Cloudflare). We are actively tracking and blocking this campaign, dubbed "com_smishing."
Indicators of Compromise (IOC) List
Domains/URLs: com-2h98.xin, com-citations-etc.xin, com-courtfees.xin, com-fastrakeu.xin, com-penalty.xin, com-securebill.xin, com-securetta.xin, com-ticketd.xin, com-tickeuz.xin, com-ucla.xin, dhl.com-new.xin, driveks.com-jds.xin, ezdrive.com-2h98.xin, ezdrivema.com-citations-etc.xin, ezdrivema.com-securetta.xin, e-zpassiag.com-courtfees.xin, e-zpassny.com-ticketd.xin, fedex.com-fedexl.xin, getipass.com-tickeuz.xin, sunpass.com-ticketap.xin, thetollroads.com-fastrakeu.xin, usps.com-tracking-helpsomg.xin
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs: userdomainname like "sunpass.com-ticketap.xin" or url like "sunpass.com-ticketap.xin" or userdomainname like "usps.com-tracking-helpsomg.xin" or url like "usps.com-tracking-helpsomg.xin" or userdomainname like "com-fastrakeu.xin" or url like "com-fastrakeu.xin" or userdomainname like "com-tickeuz.xin" or url like "com-tickeuz.xin" or userdomainname like "thetollroads.com-fastrakeu.xin" or url like "thetollroads.com-fastrakeu.xin" or userdomainname like "com-ucla.xin" or url like "com-ucla.xin" or userdomainname like "ezdrivema.com-securetta.xin" or url like "ezdrivema.com-securetta.xin" or userdomainname like "com-courtfees.xin" or url like "com-courtfees.xin" or userdomainname like "com-penalty.xin" or url like "com-penalty.xin" or userdomainname like "ezdrive.com-2h98.xin" or url like "ezdrive.com-2h98.xin" or userdomainname like "getipass.com-tickeuz.xin" or url like "getipass.com-tickeuz.xin" or userdomainname like "com-citations-etc.xin" or url like "com-citations-etc.xin" or userdomainname like "ezdrivema.com-citations-etc.xin" or url like "ezdrivema.com-citations-etc.xin" or userdomainname like "e-zpassiag.com-courtfees.xin" or url like "e-zpassiag.com-courtfees.xin" or userdomainname like "com-2h98.xin" or url like "com-2h98.xin" or userdomainname like "com-ticketd.xin" or url like "com-ticketd.xin" or userdomainname like "com-securebill.xin" or url like "com-securebill.xin" or userdomainname like "com-securetta.xin" or url like "com-securetta.xin" or userdomainname like "dhl.com-new.xin" or url like "dhl.com-new.xin" or userdomainname like "driveks.com-jds.xin" or url like "driveks.com-jds.xin" or userdomainname like "e-zpassny.com-ticketd.xin" or url like "e-zpassny.com-ticketd.xin" or userdomainname like "fedex.com-fedexl.xin" or url like "fedex.com-fedexl.xin"
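As an added example (not part of this advisory and not Gurucul TDIR content), the following Python generalizes the exact-match query above into a pattern check for the campaign's defining trait: a registrable label that starts with "com-", optionally with an impersonated brand as the leading subdomain. It assumes a single-label public suffix (true for .xin) and runs over a constructed sample export of userdomainname/url values.

```python
from urllib.parse import urlsplit

# Exact hostnames from this advisory's IOC list.
COM_SMISHING_IOCS = {
    "com-2h98.xin", "com-citations-etc.xin", "com-courtfees.xin", "com-fastrakeu.xin",
    "com-penalty.xin", "com-securebill.xin", "com-securetta.xin", "com-ticketd.xin",
    "com-tickeuz.xin", "com-ucla.xin", "dhl.com-new.xin", "driveks.com-jds.xin",
    "ezdrive.com-2h98.xin", "ezdrivema.com-citations-etc.xin", "ezdrivema.com-securetta.xin",
    "e-zpassiag.com-courtfees.xin", "e-zpassny.com-ticketd.xin", "fedex.com-fedexl.xin",
    "getipass.com-tickeuz.xin", "sunpass.com-ticketap.xin", "thetollroads.com-fastrakeu.xin",
    "usps.com-tracking-helpsomg.xin",
}
# Brand labels the actor puts in front of "com-..." so the host reads like brand.com at a glance.
IMPERSONATED_BRANDS = {"dhl", "driveks", "ezdrive", "ezdrivema", "e-zpassiag", "e-zpassny",
                       "fedex", "getipass", "sunpass", "thetollroads", "usps"}

def hostname_of(value):
    """Lowercase hostname from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # network-path form so urlsplit() parses the host
    return urlsplit(value).hostname or ""

def classify(value):
    """Score one domain/URL against the com_smishing pattern. Assumes a single-label
    public suffix (true for .xin); a production rule would use the Public Suffix List."""
    host = hostname_of(value)
    labels = host.split(".")
    reasons = []
    if len(labels) >= 2:
        registrable, tld = labels[-2], labels[-1]
        if host in COM_SMISHING_IOCS:
            reasons.append("exact IOC match")
        if registrable.startswith("com-"):  # the campaign's defining trait
            reasons.append("registrable label starts with 'com-'")
            if len(labels) >= 3 and labels[0] in IMPERSONATED_BRANDS:
                reasons.append(f"'{labels[0]}.com-' mimics {labels[0]}.com")
            if tld == "xin":
                reasons.append("TLD .xin used across the campaign")
    return {"host": host, "flagged": bool(reasons), "reasons": reasons}

def scan(records):
    """Apply classify() to (source, value) pairs and keep only the flagged ones."""
    return [r for r in (dict(source=s, **classify(v)) for s, v in records) if r["flagged"]]

# Constructed sample SIEM export (not real log data): campaign hosts plus benign look-alikes.
SAMPLE = [("url", "https://usps.com-tracking-helpsomg.xin/track?id=7"), ("userdomainname", "usps.com"),
          ("url", "http://com-penalty.xin/pay"), ("userdomainname", "e-zpassny.com-ticketd.xin"),
          ("url", "https://www.fedex.com/track"), ("userdomainname", "com-unrelated.example")]
```

A hit carrying only the "com-" reason (such as the constructed com-unrelated.example) is a hunting lead rather than a confirmed IOC; the brand and .xin reasons raise confidence.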
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-06-IOCs-for-smishing-activity.txt