Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted

This report describes a coordinated, multi-country smishing and phishing campaign that deployed 1,628 malicious URLs across 19 countries to harvest credit card data and personal information by impersonating government payment portals, parcel delivery services, and telecoms. Investigators identified two phishing templates (a Vue.js SPA and a Bootstrap clone), a persistent 128-character metadata campaign hash used as the primary pivot for detection, and a distributed backend of 32 IPs across Tencent Cloud, Alibaba Cloud, Cloudflare anycast, and ALEXHOST, along with guidance for defenders to monitor the hash, typosquatted domains, and the shared JavaScript asset fingerprints.