216.73.216.75

Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted

· Published 27/05/2026 20:22 · Modified 28/05/2026 15:35

Export JSON

Essential information

Published
27/05/2026 20:22
Modified
28/05/2026 15:35
Tags
2026-05-27 credential harvesting government impersonation multi-country campaign payment card theft phishing postal service fraud smishing typosquatting
Related entities
27 observables, 21 techniques (mitre), 86 others

Description

A coordinated operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character campaign identifier, targeting government portals, traffic police departments, postal services including DPD and SEUR, tax authorities, and telecommunications providers like T-Mobile and Vodafone. The infrastructure utilizes 32 backend IP addresses distributed across Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. Threat actors employ two distinct templates: a Vue.js single-page application and a Bootstrap-based clone, executing a four-stage process that collects complete payment card details through fabricated traffic fines, toll payments, and delivery notifications.

External references