Executive Summary
In early 2024, a China-based threat group orchestrated a massive global smishing campaign, flooding mobile devices across multiple continents with fraudulent SMS messages impersonating banks, government agencies, and delivery services. Leveraging a rapidly evolving attack ecosystem, the actors used wide-scale automation and regional tailoring to bypass spam filters and trick users into revealing sensitive credentials or installing malware. The attack's magnitude caught many organizations off guard, resulting in significant credential theft, unauthorized transactions, and growing operational strain as firms raced to block fast-moving SMS domains and educate affected users.
This campaign signals a sharp escalation in the sophistication and reach of smishing attacks, highlighting persistent gaps in mobile security awareness and detection. As similar TTPs gain traction among organized threat groups, critical infrastructure and commercial service providers face increased risks of large-scale credential exposure and downstream fraud.
Why This Matters Now
The volume and automation of global smishing attacks are accelerating, with threat actors abusing SMS channels to target both enterprise and consumer users at massive scale. Organizations must urgently revisit their mobile security postures, multi-factor authentication, and incident response playbooks as regulatory scrutiny intensifies and the cost of credential compromise rises.
Attack Path Analysis
Attackers leveraged large-scale smishing campaigns impersonating trusted services to entice victims into divulging credentials or clicking malicious links (Initial Compromise). After obtaining user credentials, adversaries attempted to escalate privileges by harvesting session tokens or manipulating cloud IAM roles (Privilege Escalation). With increased access, attackers moved laterally across cloud environments by exploiting weak internal segmentation or leveraging legitimate services (Lateral Movement). Once established, they maintained command and control by setting up remote access tools or using covert network channels (Command & Control). Sensitive data was then exfiltrated to external destinations through outbound channels (Exfiltration). Finally, attackers could inflict impact through data theft, service disruption, or deployment of ransomware (Impact).
Kill Chain Progression
Initial Compromise
Description
Adversaries sent phishing SMS messages (smishing) to victims, tricking them into visiting fake login pages or downloading malicious payloads, resulting in credential theft.
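Added example, not from the page or any of the cited reports: a small defensive triage routine that extracts URLs from SMS text and flags the impersonation patterns this campaign relied on (brand names on non-allowlisted domains, shorteners, raw IP hosts). Brand names, domains and messages are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> legitimate registrable domains (hypothetical names).
BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "uspost": {"uspost.example"},          # stand-in for a postal/government service
    "quickparcel": {"quickparcel.example"},  # stand-in for a delivery service
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive; no public-suffix list, adequate for a demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def score_url(url: str) -> list[str]:
    """Return the reasons a URL in an SMS looks like an impersonation lure (empty = nothing flagged)."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address host")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        # Brand token appears in the hostname, but the registrable domain is not the brand's own.
        if brand in host.replace("-", "") and reg not in legit:
            reasons.append(f"brand '{brand}' in hostname but registrable domain '{reg}' is not allowlisted")
    return reasons

def triage_sms(messages: list[str]) -> list[dict]:
    """Flag messages carrying a suspicious URL; returns one finding per flagged URL."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            reasons = score_url(url)
            if reasons:
                findings.append({"url": url, "host": (urlsplit(url).hostname or "").lower(), "reasons": reasons})
    return findings

SAMPLE_SMS = [  # constructed lures, not real campaign data
    "ExampleBank: your account is locked. Verify now at https://examplebank-secure.top/login",
    "USPost: a parcel is waiting, pay the fee at http://uspost-redelivery.xyz/track",
    "Your statement is ready: https://online.examplebank.com/statements",
    "QuickParcel update: http://192.0.2.10/qp",
]

if __name__ == "__main__":
    for f in triage_sms(SAMPLE_SMS):
        print(f["host"], "->", "; ".join(f["reasons"]))
```

The flagged hosts can feed a blocklist or a user-facing warning; the allowlist is the part that must be maintained as brands add legitimate domains.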
MITRE ATT&CK® Techniques
- Phishing: Spearphishing via SMS
- Spearphishing Link
- User Execution: Malicious Link
- Valid Accounts
- Modify Authentication Process
- Brute Force
- Data Obfuscation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Secure Authentication for Users and Administrators (Control ID: 8.3.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA (Digital Operational Resilience Act) – Risk Management Requirements (Control ID: Art. 9)
- CISA Zero Trust Maturity Model (ZTMM) 2.0 – Phishing-Resistant Multi-Factor Authentication (MFA) (Control ID: Identity Pillar, Mature)
- NIS2 Directive – Security of Network and Information Systems, Awareness and Training (Control ID: Art. 21(2)(d))
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Global smishing campaigns pose severe risk through phishing attacks targeting customer credentials, requiring enhanced encrypted traffic protection and egress security controls.
Financial Services
China-based smishing operations threaten customer trust and regulatory compliance, necessitating robust threat detection systems and zero trust network segmentation implementation.
Telecommunications
SMS infrastructure exploitation enables attackers to impersonate critical services at scale, demanding comprehensive east-west traffic security and anomaly detection capabilities.
Government Administration
Critical service impersonation attacks undermine public trust and security, requiring multicloud visibility controls and inline intrusion prevention system deployment.
Sources
- The Smishing Deluge: China-Based Campaign Flooding Global Text Messages, https://unit42.paloaltonetworks.com/global-smishing-campaign/
- Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit, https://www.silentpush.com/blog/smishing-triad/
- Smishing Triad Tied To Global Phishing, https://cybermaterial.com/smishing-triad-tied-to-global-phishing/
- Chinese eCrime Group Launches Global Attack to Steal Banking Credentials from Users in 120+ Countries, https://cyberpress.org/chinese-ecrime-group-launches-global-attack/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF-aligned Zero Trust controls, including microsegmentation, egress policy enforcement, encryption, and continuous anomaly detection, would have significantly constrained attacker movement, limited privilege escalation, and detected or blocked exfiltration attempts. Centralized visibility across multicloud environments enables earlier detection and coordinated response to complex, large-scale social engineering campaigns.
- Control: Threat Detection & Anomaly Response. Mitigation: Suspicious login activity and anomalous credential use could be rapidly detected.
- Control: Zero Trust Segmentation. Mitigation: Privilege escalation pathways are narrowed and unauthorized lateral access is blocked.
- Control: East-West Traffic Security. Mitigation: Unusual internal traffic and unauthorized inter-workload communication are detected and contained.
- Control: Cloud Firewall (ACF) with Inline IPS. Mitigation: Malicious outbound and C2 traffic is identified and blocked in real time.
- Control: Egress Security & Policy Enforcement. Mitigation: Unapproved data egress is detected and prevented at the cloud perimeter.
Comprehensive visibility enables coordinated incident response to limit organizational damage.
Impact at a Glance
Affected Business Functions
- Customer Service
- Financial Transactions
- Logistics and Delivery
Estimated downtime: 7 days
Estimated loss: $1,000,000
Potential exposure of sensitive customer information, including personal and financial data, due to phishing attacks.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation and identity-based microsegmentation to limit lateral movement from any compromised account.
- Implement continuous egress filtering and application- or FQDN-based outbound controls to prevent unauthorized data exfiltration and C2 establishment.
- Deploy inline threat detection and anomaly response solutions to monitor for credential abuse, remote access tool deployment, and suspicious internal activity.
- Centralize multicloud traffic visibility and policy enforcement to enable rapid detection and coordinated incident response across regions and platforms.
- Mandate least privilege policies and auditing for all IAM roles, while integrating high-performance encryption for all internal and external data flows.