An ongoing, sophisticated phishing campaign has been observed targeting individuals with text messages impersonating trusted brands like Amazon.
DomainTools researchers linked this activity to the threat actor Chenlun, who last year was known for exploiting USPS delivery alerts during the holiday season to lure recipients into providing sensitive information.
The new wave of phishing, observed on October 18, 2024, includes messages warning users about suspicious account activity, urging them to verify accounts through malicious links.
Evolution of Chenlun’s Tactics
The 2023 USPS Smishing Attacks report, published by DomainTools last December, outlined how these campaigns deceived USPS customers by mimicking official notifications, which directed them to fraudulent pages.
Now, Chenlun’s recent tactics show a marked evolution, leveraging increasingly complex methods to evade detection and expand the scale of phishing efforts. A crucial element of this strategy is the use of domain generation algorithms (DGAs), which continuously generate new domain names, making it more challenging for security tools to block suspicious domains.
A particularly notable aspect of the current campaign is Chenlun’s shift in domain infrastructure. Last year’s smishing attempts utilized specific domain patterns closely resembling those of USPS.
Recent research, however, shows these domains are now simpler in structure and use different registrars and name servers. Many new domains were observed originating from NameSilo and DNSOwl, highlighting a shift from Alibaba Cloud’s DNS service previously favored by the attackers. This shift not only helps disguise malicious activity but also makes it more difficult for security analysts to detect and track phishing links.
Read more on advanced phishing techniques: Hackers Exploit EU Agenda in Spear Phishing Campaigns
The researchers also found that Chenlun’s tactics now rely on aliases, including “Matt Kikabi” and “Mate Kika,” first identified in the 2023 study. These aliases, linked by the same phone number, lead to over 700 domains, many of which still show activity.
Importance of Collaboration in Combating Phishing
DomainTools emphasized the importance of collaboration across organizations to combat phishing attacks effectively. Recommendations include monitoring domain registration patterns, sharing threat intelligence and employing mitigation strategies to anticipate and counteract phishing trends.
“Chenlun has continued to be a serious phishing player and they don’t seem to indicate slowing down. The changes [...] seen here, however, indicate security practitioners and/or infrastructure providers are catching on, requiring Chenlun to use better obfuscation methods,” the company said.
“The obfuscation changes made to avoid detection emphasize the value of domain-related data to obtain context, identify patterns and discover other connected domains.”
Image credit: Tattoboo / Shutterstock.com