Security researchers have spotted a new, extensive smishing campaign targeting US citizens with deceptive text messages aimed at stealing personal and payment data.
Dubbed ‘Smishing Triad’ by Resecurity researchers, the campaign stands out for its use of iMessages sent from hacked Apple iCloud accounts, rather than traditional SMS or calls, as the main fraud delivery method.
“The Chinese-speaking threat actors behind this campaign are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud,” the researchers wrote.
The campaign has impersonated various postal and delivery services, including Royal Mail (UK), New Zealand Postal Service, Correos (Spain), PostNord (Sweden), Poste Italiane, Italian Revenue Service, USPS, Poczta Polska (Poland), J&T Express (Indonesia) and New Zealand Post.
The group is also providing Cybercrime-as-a-Service (CaaS) infrastructure and offering customized phishing and smishing kits for a price starting at $200 per month.
“Once the payment has been arranged via cryptocurrency, threat actors provide customers with the smishing kit activation code and an archive with scripts to deploy. The scripts leverage ThinkPHP, Laravel, VueJS, React and the Uniapp frameworks,” Resecurity said.
Smishing Triad’s arsenal encompasses multiple smishing kits impersonating popular postal and delivery services in the US, the UK, Poland, Sweden, Italy, Indonesia, Malaysia, Japan, and other countries.
During the analysis of one of the group’s smishing kits, the researchers found an SQL injection vulnerability that allowed them to retrieve over 108,044 records of victims' data.
Smishing Triad has also been observed targeting online shopping platforms via malicious code injections that intercept customer data.
“The threat group’s tactics, techniques, and procedures combine two well-established methods: social engineering and the deployment of a phishing kit via iMessage. Since users tend to trust SMS and iMessage communication channels more than e-mail, this attack has successfully compromised numerous victims,” the researchers noted.