Dubai — Group-IB, a global cybersecurity leader headquartered in Singapore, has attributed a recent wave of scams impersonating UAE public bodies to a Chinese-speaking phishing gang, codenamed PostalFurious. The threat actor, documented for the first time by Group-IB in April 2023, has been targeting users in the Asia-Pacific by impersonating postal brands and toll operators. Now, Group-IB can confirm that the group has extended its operations to the UAE.

In early May, UAE authorities warned the country’s residents about a scam campaign that saw threat actors impersonate a local road toll operator. Group-IB’s Digital Crime Resistance Center in Dubai was able to attribute this campaign to PostalFurious, along with a second scam scheme that targeted UAE residents under the guise of a postal service. As part of its commitment to fighting cybercrime, Group-IB has shared its findings on the group with the Dubai Police Force and issued notifications for the impersonated brands.

Make it a double

In the aforementioned fake toll payment scheme, UAE residents receive fake messages asking them to urgently pay a vehicle trip fee to avoid additional fines. The text messages contain a shortened URL to obscure the true phishing address. Once a user clicks on the link, they are redirected to a fake branded payment page.

The scammers’ goal is to compromise users’ payment data. According to Group-IB’s cyber investigations team, the campaign has been active since at least April 15, 2023.

Upon closer examination of the phishing infrastructure, Group-IB investigators found an almost identical scam campaign launched on April 29, 2023. The scammers used the same servers to host another network of phishing websites. The only difference between the two scam campaigns, which commenced two weeks apart, is the impersonated brand. In the latter campaign, scammers mimicked a UAE postal operator.

The latest scam wave also relies on smishing (SMS phishing) to deliver phishing links. The text messages were sent from phone numbers registered in Malaysia and Thailand, as well as via email addresses through iMessage. While it is unknown how many individuals were targeted in this campaign, Group-IB experts found that customers of multiple UAE telecommunications companies received rogue SMS messages.

Figure 2: Fake SMS impersonating one of the country’s postal service providers. Source: Group-IB.

The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information. The phishing pages appropriate the official name and logo of the impersonated postal service provider.

Group-IB experts note that the identified phishing websites utilize access-control techniques to avoid automated detection and blocking. The pages can only be accessed from UAE-based IP addresses.

Too Fast Too Furious

Group-IB’s cyber investigators, who regularly assist in INTERPOL-led operations in the MEA region, attributed both campaigns to a Chinese-speaking phishing ring dubbed PostalFurious.

PostalFurious, codenamed by Group-IB’s cyber investigations unit in early 2023, has been active since at least 2021. The name was drawn from the group’s decision to impersonate postal brands as well as their ability to quickly set up large network infrastructures, which they also change quite frequently to avoid detection by security tools.

The phishing resources for both UAE campaigns were hosted on identical web servers and their fake payment pages had the same design. The infrastructure behind these two scam schemes also shared many elements and code that were observed in previously analyzed PostalFurious campaigns targeting the APAC region. In attacks targeting both the UAE and APAC markets, Laravel is used as an administration panel. The source code of the phishing sites targeting the affected UAE bodies contained comments written in simplified Chinese, which Group-IB researchers had also seen in their earlier research into PostalFurious.

Group-IB researchers underline that PostalFurious registers new phishing domains every day to rapidly expand their reach.

“Phishers are becoming more prolific and elaborate,” says Anna Yurtaeva, Senior Cyber Investigation Specialist at Group-IB’s Digital Crime Resistance Center in Dubai. “They can no longer be detected and stopped by automated blocking. People should stay vigilant and aware of ongoing scams. PostalFurious operations demonstrate the transnational nature of organized cybercrime and emphasize the need for a coordinated joint response that involves the general public, private sector, and government.”

How not to get scammed

Ensuring strong digital hygiene practices and exercising vigilance while online is crucial in preventing phishing and scams. Phishing emails or SMS messages often mimic legitimate messages from banks, credit card companies, or other organizations. It is essential not to rush into submitting your personal information. Find the company’s official website, look for reviews, and call customer support. An extra handful of seconds to double-check the URL or page name could make all the difference. If the website is demanding too much personal information, especially credit card information, be sure to ask yourself whether it is truly necessary.

Scammers usually impersonate legitimate brands. Brand owners should proactively monitor for and block scam and phishing websites upon detection. Group-IB’s Digital Risk Protection solution, part of the Unified Risk Platform, can reveal fraudulent infrastructure at early stages and initiate the takedown process.

The most effective way to stop cybercrime is to identify the perpetrators and bring them to justice. Group-IB’s Cyber Investigations team has conducted over 1,200 successful investigations all around the world helping private companies and international law enforcement organizations to combat advanced digital crimes.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading solutions providers dedicated to detecting and preventing cyberattacks, investigating high-tech crimes, identifying online fraud, and protecting intellectual property. The company’s Digital Crime Resistance Centers are located in the Middle East (Dubai), Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s Threat Intelligence system has been named one of the best in its class by Gartner, Forrester, and IDC. Group-IB’s Managed XDR, intended for proactively searching for and protecting against complex and previously unknown cyber threats, has been recognized as one of the market leaders in the Network Detection and Response category by KuppingerCole Analysts AG, the leading European analyst agency, while Group-IB itself has been recognized as a Product Leader and an Innovation Leader.

Gartner has named Group-IB a Representative Vendor in Online Fraud Detection for its Fraud Protection. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks, with the company’s patented technologies at its core. Group-IB’s technological leadership and R&D capabilities are built on the company’s 20 years of hands-on experience in cybercrime investigations worldwide and over 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB's experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB's mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

For more information, please contact:
Krisha Doshi
Active DMC