216.73.216.204

Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages

· Published 03/06/2026 15:18 · Modified 04/06/2026 09:08

Export JSON

Essential information

Published
03/06/2026 15:18
Modified
04/06/2026 09:08
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
brand impersonation credit card theft mobile targeting phishing-as-a-service smishing
Tags
2026-06-03 brand impersonation credit card theft mobile targeting phishing-as-a-service smishing
Related entities
7 indicators, 7 observables, 10 techniques (mitre), 11 others

Description

A sophisticated and phishing operation active since the second half of 2025 has impersonated over 267 brands across 72 countries, with particular concentration in Latin America. The campaign generated 4,389 phishing domain instances, with Mexico accounting for 1,851 cases. Telecommunications is the most targeted sector with 1,754 instances, followed by financial services and consumer rewards programs. The operation employs fake Cloudflare error pages as decoys, revealing malicious content only to victims matching specific geofencing and mobile device criteria. Data exfiltration occurs through encrypted WebSocket channels using binary encoded payloads. Approximately 30% of infrastructure is hosted on Tencent Cloud and Alibaba US servers, fronted by Cloudflare to mask hosting IPs. The attack chain progresses from SMS lures through progressive credential harvesting, ultimately capturing complete credit card details including CVV codes.

External references