Over 26,000 Brand-Imitating Domains Registered by Threat Actors to Trick Users

A persistent wave of SMS phishing (smishing) campaigns has surged, with threat actors registering more than 91,500 root domains designed to deceive users into revealing sensitive information or clicking on malicious links.

According to new analysis from Unit 42 researchers Reethika Ramesh, Zhanhao Chen, Shehroze Farooqi, Chi-Wei Liu, Moe Ghasemisharif, and Daiping Liu, this illicit activity reached new heights in March 2025, with a record 26,328 brand-imitating domains entering the threat landscape in just one month.

Cloaking Techniques and Adaptive Targeting Driving Effectiveness

This trend follows an FBI alert from April 2024, but rather than slowing, adversaries have accelerated their efforts in 2025, leveraging increasingly sophisticated domain registration and traffic manipulation tricks.

Notably, attackers are adopting a small set of distinct naming patterns for their domains, often mimicking trusted entities such as government agencies or well-known payment and delivery services.

Patterns like “gov-[random]” or “com-[random]”, as well as terms such as “paytoll” and “delivery”, are interwoven with various top-level domains, including .xin, .top, .vip, .cc, .xyz, .icu, and more.

These naming conventions are calculated to maximize credibility and bypass casual suspicion on the part of potential victims.

Analysis of DNS telemetry paints a stark picture: more than 31 million queries have been logged for domains tied to these smishing campaigns in just the last three months.

In a telling sign of coordination, roughly 75% of these domains have been registered through a single domain registrar based in Hong Kong, Dominet (HK) Limited, underscoring the industrialized nature of the smishing ecosystem.

An important aspect of these attacks is their ephemeral nature. The majority of malicious domains are deployed in short bursts, with 70% receiving most of their traffic within seven days of registration.

The investigation further reveals that blocking newly registered domains (NRDs) for a month could mitigate as much as 85% of smishing traffic originating from these campaigns, suggesting a highly effective window for security teams to focus their defenses.
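The two findings above, the recurring naming patterns and the short window in which these domains are active, translate directly into resolver-side triage. The following Python is an added example written for this article, not code from Unit 42 or from the reporting; it scores domains on the naming indicators the article lists ("gov-"/"com-" prefixed labels, lure words such as "paytoll" and "delivery", a small set of abused TLDs) and applies the one-month NRD window. The regex, keyword list, TLD set, verdict thresholds, and the log format are this example's own assumptions, and the registration dates are embedded in constructed log lines because in practice they would come from a WHOIS/RDAP lookup.

```python
import re
from datetime import date

# Indicators drawn from the article: "gov-<random>" / "com-<random>" labels, lure words
# such as "paytoll" and "delivery", and a short list of heavily abused TLDs.
# The regex, the keyword list and the TLD set are this example's own assumptions.
LURE_PREFIX = re.compile(r"^(gov|com)-[a-z0-9]+$")
LURE_KEYWORDS = ("paytoll", "delivery")
ABUSED_TLDS = {"xin", "top", "vip", "cc", "xyz", "icu", "win"}
NRD_WINDOW_DAYS = 30  # the one-month blocking window the article discusses

# Constructed resolver log, one query per line (format is an assumption). Registration
# dates would normally come from a WHOIS/RDAP lookup; here they are embedded so the
# example runs offline. "unknown" models a lookup that returned no creation date.
CONSTRUCTED_LOG = """\
2025-04-25T10:01:02Z client=10.0.0.5 query=gov-mfc.com registered=2025-04-23
2025-04-25T10:03:17Z client=10.0.0.9 query=paytollwec.vip registered=2025-04-01
2025-04-25T10:04:44Z client=10.0.0.5 query=com-ic1.top registered=2024-10-01
2025-04-25T10:05:10Z client=10.0.0.7 query=delivery-updates.net registered=2023-06-01
2025-04-25T10:06:52Z client=10.0.0.9 query=example.org registered=2015-01-01
2025-04-25T10:07:30Z client=10.0.0.2 query=gov-mfc.com registered=2025-04-23
2025-04-25T10:08:01Z client=10.0.0.4 query=com-zz9.xyz registered=unknown
"""
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ client=\S+ query=(\S+) registered=(\S+)$")


def normalize(domain):
    """Lowercase, undo '[.]' defanging as used in reports, and drop a trailing dot."""
    return domain.lower().replace("[.]", ".").rstrip(".")


def domain_parts(domain):
    """Return (second-level label, tld) of a root domain."""
    labels = normalize(domain).split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def naming_pattern_score(domain):
    """List the naming indicators a domain matches, in a fixed order."""
    sld, tld = domain_parts(domain)
    reasons = []
    if LURE_PREFIX.match(sld):
        reasons.append("brand-prefix-label")
    if any(word in sld for word in LURE_KEYWORDS):
        reasons.append("lure-keyword")
    if tld in ABUSED_TLDS:
        reasons.append("abused-tld")
    return reasons


def parse_date(text):
    """ISO date -> date, or None when the registration date is unavailable."""
    try:
        return date.fromisoformat(text)
    except ValueError:
        return None


def is_newly_registered(registered_on, observed_on, window_days=NRD_WINDOW_DAYS):
    """True when the domain is less than window_days old at the time it was queried."""
    if registered_on is None:
        return False  # unknown age is left to the naming indicators
    age_days = (observed_on - registered_on).days
    return 0 <= age_days < window_days


def classify(domain, registered_on, observed_on):
    """Verdict policy (assumption): block every NRD for the window, block older domains
    with two or more naming indicators, queue single-indicator domains for review."""
    reasons = naming_pattern_score(domain)
    indicators = len(reasons)
    if is_newly_registered(registered_on, observed_on):
        reasons.append("newly-registered")
        return "block", reasons
    if indicators >= 2:
        return "block", reasons
    if indicators == 1:
        return "review", reasons
    return "allow", reasons


def triage_log(log_text):
    """Run the policy over resolver log lines; one verdict and a query count per domain."""
    results = {}
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # lines outside the constructed format are ignored
        observed = date.fromisoformat(match.group(1))
        domain = normalize(match.group(2))
        registered = parse_date(match.group(3))
        if domain not in results:
            verdict, reasons = classify(domain, registered, observed)
            results[domain] = {"verdict": verdict, "reasons": reasons, "queries": 0}
        results[domain]["queries"] += 1
    return results


if __name__ == "__main__":
    for name, info in triage_log(CONSTRUCTED_LOG).items():
        print(f"{info['verdict']:6} {name:22} queries={info['queries']} {info['reasons']}")
```

The NRD check is deliberately the first gate: the article's data says most of the malicious traffic lands within days of registration, so a domain's age is the cheapest signal to act on, and the naming indicators only need to carry the decision once a domain has aged out of the window or its registration date is unavailable.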

Tailored Lures and the Rise of Geolocation Targeting

Attackers are not only relying on technical trickery; they are also evolving their social engineering strategies.

Researchers have observed widespread use of cloaking techniques, which hide the true intent of malicious URLs and help evade conventional security filters.

Even more concerning, lures are now often customized based on the recipient’s phone number area code, enhancing the likelihood that unsuspecting users trust and click through the deceptive links.

Examples of recently identified smishing domains illustrate this approach.

One, “gov-mfc[.]com”, registered on April 23, 2025, mimics a government site and directs victims to a payment portal.

Others, such as “com-ikbf[.]win” and “com-ic1[.]top”, impersonate regional and national transportation or postal services, while domains like “paytollwec[.]vip” masquerade as toll payment sites, each crafted to lure users into entering personal and financial data.

As smishing campaigns continue to adapt, organizations and individuals are urged to intensify their vigilance against suspicious SMS messages and to implement controls such as blocking access to NRDs, rapidly updating threat intelligence feeds, and raising user awareness about impersonation tactics.

The evolving tactics and scale of these operations highlight the enduring need for multi-layered defenses to counter an adversary that is not only persistent but also highly adaptive in exploiting digital trust.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
