This week we talk about smishing, Huione, and scams.

We also discuss money laundering, the Cambodian government, and Tether.

Recommended Book: The Longevity Imperative by Andrew J. Scott

Transcript

The portmanteau ‘smishing’ combines SMS and phishing to refer to the practice of using text messages to trick the recipients of said messages into revealing information that allows scammers to access their victim’s accounts on various platforms.

One common variation of smishing, which I’ve seen a lot recently, personally, are messages purportedly from toll road operators that tell the recipient they’ve got an unpaid toll, and they need to follow a link that’s provided in order to pay it. If the person receiving that message follows the instructions, they’ll tend to land on a webpage that’s convincing enough, which looks like the sort of site you might go to if you’re paying that kind of toll, online, and you enter your payment information and are then either immediately charged for this fake toll, or that information is used in some more cohesive manner—maybe the card is stolen, maybe it’s added to a larger collection of data they have on you which is then leveraged for a larger payout.

This type of scam has become more common in recent years because of innovations deployed by what security researchers have called the Smishing Triad, which is a trio of mobile phishing groups operating out of China that seem to have refined their infrastructure and techniques so that messages they send via iMessage to iPhone users and RCS to Android users can bypass mobile phone networks and enjoy a nearly 100% delivery rate—which makes the name a little ironic, since these groups don’t use SMS to deliver these scam texts anymore, as those other methods of delivery are more reliable for such messages, these days.

The big innovation introduced by these groups, though, beyond that deliverability, is the productization of mobile phishing, which basically means they’ve packaged up applications that allow their customers, which are usually smaller-time phishing groups and individuals, to share links to convincing-looking copies of Paypal, Mastercard, Stripe, and CitiGroup payment sites, among others, including individual banks, and that makes knee-jerk payments from the victims receiving these texts more likely, and less likely to set of alarm bells in the minds those receiving them, because they look like just normal payment sites.

These pre-packaged scam assets also include regularly rotated web domains, which makes them less likely to trigger the recipient’s anti-scam software—their browser will be less likely to flag them as problematic, basically. And the Triad has hundreds of actual humans working desk jobs, worldwide, supporting their customer base, which again is a bunch of scammers that use this package of tools to try to steal money from their marks.

All of this is enabled, in part, by clever emulation software that allows Triad customers to leverage legit and legit-seeming phone numbers from a computer or phone, those devices then sending out around 100 messages per second, per device, to phone numbers in the targeted region. They’re able to do this on a budget because of the efficiency of the software acquired from the Smishing Triad, and the Triad stays just ahead of regulators and law enforcement by rapidly iterating their offerings, which in turn does the same for all of their customers—which grants the benefits of a larger institution to all these individual and smaller scam groups.

What I’d like to talk about today is another alleged backend for scammers, this one this more overt and public facing, and perhaps even more impactful because of its size and because of the nature of its offerings.

—

The Huione (hu-WAY-wahn) Group is a financial conglomerate primarily based i