
UAE scam: Phishing ring sends fake Emirates Post, Salik messages to residents

In early May, UAE authorities warned the country’s residents about a scam campaign that saw threat actors impersonate a local road toll operator

A recent wave of scams impersonating UAE public bodies is being perpetrated by a Chinese-speaking phishing gang, codenamed PostalFurious, according to threat intelligence firm Group-IB.

Group-IB did not disclose the names of the organisations that were impersonated by the phishing ring, but messages shared by the firm appear to match ongoing fraud attempts in the UAE associated with Emirates Post and Salik.

The threat actor, known as PostalFurious, first caught Group-IB's attention in April 2023, when it began targeting users in the Asia-Pacific region by masquerading as postal brands and toll operators. The group has now expanded its operations to the UAE.

In early May, UAE authorities warned residents about a scam campaign in which malicious actors posed as a local road toll operator. Group-IB's Digital Crime Resistance Center in Dubai investigated the campaign and attributed it to PostalFurious. Group-IB also identified a second scam scheme targeting UAE residents, this one impersonating a postal service. Group-IB shared its findings with the Dubai Police Force and notified the brands being impersonated.

How it works

In the fake toll payment scheme, UAE residents receive urgent text messages demanding payment of a vehicle trip fee to avoid additional fines. The texts carry shortened URLs, which hide the real phishing address from the recipient. A victim who taps the link is redirected to a fraudulent payment page styled as the toll operator's.

Figure 1: Fake payment page impersonating a road-toll operator. Source: Group-IB

The scammers’ ultimate goal is to get their hands on users’ payment data. According to Group-IB’s cyber investigations team, this campaign has been in full swing since at least April 15, 2023.

While examining the phishing infrastructure, Group-IB investigators identified a second, near-identical scam campaign launched on April 29, 2023. The scammers used the same servers to host a separate network of phishing websites. The only difference between the two campaigns, which started two weeks apart, was the brand being impersonated: the later campaign mimicked a UAE postal operator.

Both waves deliver their phishing links by smishing (SMS phishing). The text messages originate from phone numbers registered in Malaysia and Thailand; some are also delivered over iMessage, where the sender shows as an email address rather than a phone number. The exact number of individuals targeted is unknown, but Group-IB found that customers of multiple UAE telecommunications companies were targeted by the rogue messages.

Figure 2: Fake SMS impersonating one of the country’s postal service providers. Source: Group-IB.

The URLs in the fraudulent texts lead to fake branded payment pages that ask for personal details such as name, address and credit card information. The pages use the official name and logo of the impersonated postal service provider.

Group-IB experts note that the phishing websites use access controls to evade automated detection and blocking: the pages can only be reached from IP addresses located in the UAE. A scanner, sandbox or analyst connecting from anywhere else sees nothing suspicious, so the links are best judged by the message that carries them and verified only from a UAE vantage point.
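Because the landing pages are geofenced, a defender's first line of triage is the message itself rather than the URL. The script below is an added example (not Group-IB's tooling and not code from the campaign) that scores SMS and iMessage records against the indicators reported above: a sender number under the Malaysian (+60) or Thai (+66) calling code, an email-address sender (iMessage), urgency or fine language, a postal or toll brand reference, and a link through a public URL shortener. The shortener list and the sample messages are constructed for illustration; the shortener paths are placeholders, not real links.

```python
"""Heuristic triage for the smishing pattern described in the article.

Added example, not Group-IB's tooling. Indicators come from the article: urgent
fee demand, shortened URL hiding the phishing domain, sender numbers registered
in Malaysia (+60) or Thailand (+66), iMessage delivery from an email-style
sender, and a postal/toll brand name. Sample messages below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Public URL shorteners commonly abused to hide the real landing domain
# (assumption: illustrative list, extend it from your own telemetry).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy", "t.ly"}

URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|avoid (additional )?fines?|suspended|held|pending)\b",
    re.I)
BRAND_RE = re.compile(
    r"\b(emirates post|salik|postal?|toll|parcel|delivery|trip fee)\b", re.I)

# Country calling codes the campaign's sender numbers were registered in.
SUSPECT_PREFIXES = ("+60", "+66")


@dataclass
class Verdict:
    score: int
    reasons: list


def extract_urls(text: str) -> list:
    """Return URLs found in the message body, trailing punctuation stripped."""
    return [u.rstrip(".,;:!)") for u in URL_RE.findall(text)]


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket or report (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def score_message(sender: str, text: str) -> Verdict:
    """Score one SMS/iMessage; higher means closer to the smishing pattern."""
    score, reasons = 0, []
    sender = sender.replace(" ", "")
    if sender.startswith(SUSPECT_PREFIXES):
        score += 2
        reasons.append(f"sender number under suspect country code {sender[:3]}")
    elif "@" in sender:
        score += 1
        reasons.append("email-address sender (iMessage delivery)")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency / fine language")
    if BRAND_RE.search(text):
        score += 1
        reasons.append("postal or toll brand reference")
    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"shortened URL {defang(url)}")
        else:
            score += 1
            reasons.append(f"link {defang(url)}")
    return Verdict(score, reasons)


def triage(messages, threshold: int = 4) -> list:
    """Return (sender, verdict) for every message at or above the threshold."""
    flagged = []
    for sender, text in messages:
        verdict = score_message(sender, text)
        if verdict.score >= threshold:
            flagged.append((sender, verdict))
    return flagged


# Constructed sample messages; shortener paths are placeholders, not real links.
SAMPLE_MESSAGES = [
    ("+60 12 345 6789",
     "URGENT: Your vehicle trip fee of AED 21 is unpaid. Pay within 24 hours "
     "to avoid additional fines: https://bit.ly/placeholder"),
    ("parcel-notice@example.com",
     "Emirates Post: your parcel is held pending a delivery fee. "
     "Confirm your address: https://cutt.ly/placeholder."),
    ("+971 50 000 0000", "Your OTP is 482913. Do not share it with anyone."),
    ("+971 4 000 0000",
     "Reminder: dentist appointment Tuesday 10am. Map: https://maps.example.com/clinic"),
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES):
        print(f"{sender}: score {verdict.score}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The score is additive on purpose: a Malaysian or Thai sender alone is not evidence of fraud, and neither is a shortened link, but the combination of a foreign sender, a fee demand with a deadline and a shortened link to a "payment" page is exactly the pattern in both campaigns. Links are defanged before they are written to a report so nobody in the triage chain taps them by accident.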

Who’s behind the scams?

Group-IB’s cyber investigators, who regularly lend their expertise to INTERPOL-led operations in the MEA region, have attributed both campaigns to a Chinese-speaking phishing ring known as PostalFurious.

PostalFurious, the name Group-IB's cyber investigations unit gave the group earlier this year, has been operating since at least 2021. The name reflects its habit of impersonating postal brands and its ability to stand up large network infrastructures quickly, which it rotates frequently to evade detection by security tools.

The phishing resources for both campaigns targeting the UAE were hosted on the same web servers, and their fake payment pages shared the same design. The infrastructure behind the two scam schemes also reused many elements and code previously observed in PostalFurious campaigns targeting the APAC region. In both the UAE and APAC attacks, the group's administration panel was built on the Laravel PHP framework. The source code of the phishing sites targeting the affected UAE bodies contained comments written in simplified Chinese, a recurring characteristic Group-IB researchers had identified in prior investigations into PostalFurious.

“Phishers are becoming more prolific and elaborate,” warns Anna Yurtaeva, Senior Cyber Investigation Specialist at Group-IB’s Digital Crime Resistance Center in Dubai. “They can no longer be detected and stopped by automated blocking. People should stay vigilant and aware of ongoing scams. PostalFurious operations demonstrate the transnational nature of organised cybercrime and emphasise the need for a coordinated joint response that involves the general public, private sector, and government.”

Here’s how to avoid getting scammed:

  • Maintain strong digital hygiene practices and exercise caution online.
  • Be wary of phishing emails and SMS messages that impersonate legitimate organisations.
  • Take the time to verify the legitimacy of messages and websites before submitting personal information.
  • Double-check URLs and page names to ensure they are genuine.
  • Question websites that request excessive personal information, especially credit card details.
  • Brand owners should proactively monitor and block scam and phishing websites.
  • Leverage Digital Risk Protection solutions to detect and initiate takedown processes for fraudulent infrastructure.