New Attack Wave Sees Threat Actors Masquerading as Popular Brands to Spread Malware

Attackers have refined their smishing operations by placing a trusted brand name in the userinfo portion of a malicious URL, the text before the “@” symbol, which browsers treat as credentials rather than as the destination host.

Recipients see a familiar name, such as a major bank, shipping carrier, or streaming service, displayed prominently on small mobile screens, while the real domain after the “@” goes unnoticed.

Upon tapping the link, victims are bounced through a series of HTTP 301/302 redirects so that the final destination never appears in the original message, defeating URL filters that inspect only the initial link.
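The following is an added example, not code from the original article, showing how a URL filter should treat the “brand@host” trick and the redirect chain described above: it splits the link the way a browser does (RFC 3986 authority parsing), reports the displayed userinfo versus the host actually contacted, and walks the redirect chain offline. The redirect table and all hostnames (t.example, trk.example, secure-verify.example) are constructed stand-ins for live 301/302 responses.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed table of 301/302 hops standing in for live HTTP responses.
REDIRECTS = {
    "https://t.example/a1": "https://trk.example/r?id=7",
    "https://trk.example/r?id=7": "https://secure-verify.example/login",
}


def analyze_url(url):
    """Report what the user sees before '@' versus the host the browser connects to."""
    p = urlsplit(url)
    return {
        "displayed": p.username,          # userinfo text before '@', None if absent
        "real_host": p.hostname,          # the host actually resolved and contacted
        "has_userinfo": p.username is not None,
    }


def strip_userinfo(url):
    """Rebuild the URL without the userinfo so it matches what the server receives."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def follow_redirects(url, table=REDIRECTS, max_hops=10):
    """Walk the chain of redirects, stopping on loops or after max_hops."""
    chain = [strip_userinfo(url)]
    while chain[-1] in table and len(chain) <= max_hops:
        nxt = table[chain[-1]]
        if nxt in chain:          # redirect loop
            break
        chain.append(nxt)
    return chain


def assess(url, table=REDIRECTS):
    """Combine both indicators into a verdict a filtering engine could act on."""
    info = analyze_url(url)
    chain = follow_redirects(url, table)
    final_host = urlsplit(chain[-1]).hostname
    reasons = []
    if info["has_userinfo"]:
        reasons.append(f"userinfo '{info['displayed']}' masks real host {info['real_host']}")
    if len(chain) > 2:
        reasons.append(f"{len(chain) - 1} redirect hops before landing page")
    if final_host != info["real_host"]:
        reasons.append(f"lands on {final_host}, not the linked host")
    return {
        "final_host": final_host,
        "hops": len(chain) - 1,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    print(assess("https://paypal.com@t.example/a1"))
    # An '@' inside the path is harmless: the authority ends at the first '/'.
    print(assess("https://www.bank.com/login@evil.example"))
```

Note the second call: an “@” that appears in the path rather than the authority does not change the host, so the check must look at the parsed authority, not merely at whether the string contains “@”.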

To amplify their reach, adversaries exploit group-text features on popular messaging platforms, sending obfuscated URLs under subject lines such as “Account Alert” or “Security Verification.”

Because many messaging clients omit precise sender details for group messages, users fall prey to the illusion of legitimacy.

Strategically Aged Hostnames and Reputation Manipulation

A notable innovation in this campaign involves “aging” domains for six to twelve months before weaponization.

During this dormancy period, threat actors serve benign content through the domain, ranging from placeholder pages to innocuous PDF downloads, thereby accruing positive reputation scores in threat intelligence feeds. Indexing by search engine crawlers further bolsters the domain's credibility.

Once the reputation threshold is met, the domain is activated for a limited period of 72 to 96 hours, during which it rapidly serves malicious payloads before being abandoned.

This short-lived activation cycle hinders takedown efforts and frustrates retrospective threat hunting, as each new domain appears fresh in security logs.
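One way to hunt for the aging pattern described in this section is to correlate registration age with first-seen time in your own traffic: a domain that is many months old but first appears in the organization's logs within the last few days, and immediately at volume, fits the profile. The block below is an added example, not tooling from the article; its creation dates stand in for WHOIS/RDAP lookups, and the proxy log entries and hostnames (secure-verify.example, cdn-assets.example, brandnew.example) are constructed.

```python
from datetime import datetime, timedelta

# Constructed reference time and WHOIS-style creation dates.
NOW = datetime(2025, 3, 10, 12, 0)
CREATED = {
    "secure-verify.example": datetime(2024, 6, 1),   # aged ~9 months, then activated
    "cdn-assets.example": datetime(2018, 1, 15),     # long-established, steady traffic
    "brandnew.example": datetime(2025, 3, 7),        # fresh registration, caught by NRD rules
}

# Constructed proxy log: (timestamp, domain). Burst over ~39 hours for the aged domain,
# weekly trickle for the CDN, and a burst for the brand-new domain.
LOG = (
    [(datetime(2025, 3, 8, 9, 0) + timedelta(hours=i), "secure-verify.example") for i in range(40)]
    + [(datetime(2024, 10, 1) + timedelta(days=7 * i), "cdn-assets.example") for i in range(23)]
    + [(datetime(2025, 3, 9, 8, 0) + timedelta(minutes=10 * i), "brandnew.example") for i in range(30)]
)


def summarize(log):
    """First-seen, last-seen and hit count per domain."""
    stats = {}
    for ts, domain in log:
        s = stats.setdefault(domain, {"first": ts, "last": ts, "hits": 0})
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["hits"] += 1
    return stats


def flag_aged_activations(log, created, now, min_age_days=180, window_hours=96, min_hits=20):
    """Flag domains registered >= min_age_days ago whose first appearance in our
    traffic is within window_hours and already exceeds min_hits requests."""
    flagged = {}
    for domain, s in summarize(log).items():
        if domain not in created:
            continue                       # no registration data; handle separately
        age_days = (s["first"] - created[domain]).days
        recently_activated = now - s["first"] <= timedelta(hours=window_hours)
        if age_days >= min_age_days and recently_activated and s["hits"] >= min_hits:
            flagged[domain] = {
                "age_days": age_days,
                "hits": s["hits"],
                "active_hours": round((s["last"] - s["first"]).total_seconds() / 3600, 1),
            }
    return flagged


if __name__ == "__main__":
    for domain, detail in flag_aged_activations(LOG, CREATED, NOW).items():
        print(domain, detail)
```

The brand-new domain is deliberately not flagged here: newly registered domains are already covered by conventional NRD blocking, and the point of this rule is the gap that aging is designed to exploit.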

Multi-Stage Malware Delivery and Evasion Techniques

On the final landing pages, victims encounter counterfeit login portals mirroring the targeted brand’s UI. A JavaScript-based credential harvester captures the submitted input and transmits it via AJAX POST requests to a command-and-control (C2) server fronted by a content delivery network (CDN) domain, so the exfiltration blends in with ordinary CDN traffic.

Victims prompted to install a “security update” receive an Android Package Kit (APK) or Windows executable signed with compromised code-signing certificates, which suppresses the unsigned-software warnings the operating system would otherwise display.

The initial downloader establishes a TLS 1.3 session with the C2 server using a certificate that chains to a publicly trusted root rather than a self-signed one, so the connection passes certificate validation and is indistinguishable from ordinary HTTPS traffic to network inspection.

Early execution routines enumerate running processes to detect antivirus products and query hardware identifiers (for example, virtualised device and vendor names) to detect sandbox or analysis environments.

If no security tools are present, the loader fetches a secondary payload, a remote access trojan (RAT) that grants complete control over the infected device.

Enhanced Defenses and User Awareness

Organizations should ensure URL filtering engines parse the full link, including the authority section after the “@” symbol, since that is the host the browser actually connects to. Security teams should configure mobile threat defense solutions to flag domains exhibiting rapid activation cycles (a long registration age but traffic beginning only within the last few days) and unusual redirect chains.

Employee training should emphasize long-press link inspections on mobile devices to reveal true destinations before tapping. Regularly updating blocklists with aged-but-activated domains and deploying browser isolation for mobile web sessions can further mitigate risk.

Ultimately, combining technology controls with user vigilance offers the strongest deterrence against this emerging smishing threat.
