Delete All Texts On Your Phone If You See These 2 Words…


iPhone and Android users across the U.S. and elsewhere are now under attack from organized networks of Chinese criminals. These attacks come at you by text, and while they may seem trivial (a few dollars for an undelivered package or unpaid toll), they will steal your credit card details, your passwords and even your identity…

New research into one such gang — Smishing Triad — warns that there has been a “massive fraud campaign expansion” since the beginning of 2025, using more than 60,000 different web domains, “making it difficult for platforms like Apple and Android to block fraudulent activity effectively.” This is why you will have seen so many news articles on the spate of toll fraud sweeping across America.

Zimperium’s Kern Smith told me that “the latest wave of mobile SMS scams is a stark reminder that mobile devices and apps are uniquely vulnerable — and often under protected — against attackers,” while the new reports “show the continued investment by cybercriminals in targeting mobile users.”

Each dangerous text includes a lure — the unpaid toll for example — and a link. The text will pretend to come from a brand or government agency and the link will be crafted to match the lure, likely a long URL with the right keywords contained within.

Even if the text itself seems plausible, the link is a telltale red flag. It will usually use a top level domain (TLD) from outside the U.S., and it will not match the core domain you would associate with the brand or agency.

To get around that problem, attackers are using dashes to trick users into thinking this is a legitimate link using that core domain. And the most dangerous dash follows a “.com”. That makes you think it links the normal .com domain to a subdomain, but that’s not the case. It’s a ruse to hide a full legitimate domain within a malicious link.

This trick is flying. The latest quarterly report from Spamhaus lists the top-20 phishing terms included in malicious links, warning that “com-track” is a new entry that has gone straight to number one on its list. This would allow an attacker to copy a delivery or e-commerce brand followed by its usual .com, but with an added “-track” after the legitimate URL.

If you ever see “com-track” in a link, delete the text immediately per the FBI’s advice. It’s a scam. Similarly, “com-toll” is another new entry on the list and you can expect more of the same to be added quickly as these others take hold. The other telltale warning sign is a Chinese TLD — albeit you won’t realize it’s Chinese from the TLD itself. Look out for “.TOP” in particular as that’s the TLD favored by cybercriminals and again is cause on its own for you to delete a text.
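
The link checks described above (a brand’s “.com” followed by a dash, the “com-track” and “com-toll” terms, and the “.TOP” TLD) can be applied automatically to message text. The Python sketch below is an added example, not code from the article or from Spamhaus; its function names and sample messages are constructed, and it assumes links carry an http(s) scheme.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_TOKENS = ("com-track", "com-toll")  # the two terms the article cites
FLAGGED_TLDS = {"top"}                   # the TLD the article singles out


def check_host(host):
    """Return the reasons a hostname matches the patterns described above."""
    labels = host.lower().rstrip(".").split(".")
    reasons = []
    # In "brand.com-track.tld" the ".com" is not a TLD: "com-track" is just a
    # label, and "brand" is a subdomain of whatever domain follows it.
    for i, label in enumerate(labels[:-1]):
        if i > 0 and label.startswith("com-"):
            decoy = ".".join(labels[:i]) + ".com"
            reasons.append(f"'{decoy}' is a decoy prefix, followed by '-{label[4:]}'")
    for token in LURE_TOKENS:
        if token in ".".join(labels):
            reasons.append(f"contains '{token}'")
    if labels[-1] in FLAGGED_TLDS:
        reasons.append(f"uses TLD '.{labels[-1]}'")
    return reasons


def scan_text(message):
    """Map each flagged hostname found in a message body to its reasons."""
    findings = {}
    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname or ""
        reasons = check_host(host)
        if reasons:
            findings[host] = reasons
    return findings


# Constructed sample messages using reserved or placeholder names.
SAMPLES = [
    "Parcel on hold, pay the fee: https://example.com-track.invalid/pay",
    "Unpaid toll notice: https://example.com-toll.sms-notice-placeholder.top/i?id=1",
    "Track your order at https://www.example.com/track/123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(scan_text(sms) or "no match", "<-", sms)
```

The genuine `www.example.com` link is not flagged because there “com” is the final label of the hostname, not the start of a dashed label in the middle of it.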

Malabow

Mr. Malabow is a Senior Writer and Editor at the Strategic Intelligence who specializes in writing intelligence reports, geopolitics, military intelligence and organized crime reports.

http://diinah.com
