15 February 2026

Tracking a Smishing Campaign Targeting US Telecom Customers

Structured phishing infrastructure targeted Verizon, T-Mobile, and AT&T users.

Tadeáš Hájek 
Whalebone Threat Intelligence Analyst

 

Since early January, the Whalebone Threat Intelligence team has been tracking a widespread smishing campaign targeting customers of the major US carriers, namely Verizon, T-Mobile, and AT&T. Using the lure of “expiring reward points,” the campaign directed victims to malicious domains built to harvest whatever they entered, including personal details and payment card information.

In just over a month, Whalebone has intercepted and blocked more than 7,000 unique malicious domains via our DNS security, neutralizing the threat for our protected users.

 


How the Campaign Was Identified

Investigation into this campaign began on January 8th, after a member of our team flagged a T-Mobile-themed smishing lure, sent in a batch to multiple US numbers. The message attempted to create a sense of urgency, claiming the recipient's reward points were set to expire, and directed them to the suspicious URL t-mobile.mxuie[.]cc/pay.

Initial analysis uncovered dozens of additional domains targeting T-Mobile subscribers, alongside a mirrored pattern aimed at Verizon and AT&T users.

The fact that these domains shared a consistent naming convention pointed to a coordinated operation rather than a series of isolated incidents. This prompted us to pivot our investigation and map out the broader infrastructure supporting the campaign.

 

Anatomy of the Phishing Flow

Every domain we analyzed used an identical front-end template, mobile-optimized and lightly themed to match whichever carrier was being impersonated. To add credibility, the kit also embedded genuine links to the impersonated carrier's real website.

The observed SMS messages carried identifier strings in the link, suggesting the attackers are using a phishing kit that tracks individual campaign performance or click-through rates.

We walked through the attack flow using the domain verizon.fobzj[.]cc, registered on January 7th.

 

Stage 1: Phone Number Collection

Upon landing, the victim is prompted for a phone number; once submitted, the site serves a page displaying a fabricated points balance.

Entering a fabricated US number still advanced to the next stage of the scam: the site does not validate the number against any subscriber data, which points to the relatively unsophisticated backend logic of the campaign.


 

Stage 2: Fabricated Reward Balance

In the second stage, the victim is presented with a fabricated points balance. Interestingly, we observed a hardcoded balance of 11,430 points across every domain we tested, regardless of the phone number entered.

After clicking “Redeem Gifts,” the user is directed to a gift selection menu, which eventually leads to a PII (Personally Identifiable Information) collection form requesting a delivery address and contact information.


Stage 3: PII Collection & Payment Card Harvesting

Naturally, the gift is free, but the delivery is not. The victim is directed to a final checkout page to cover shipping costs, which provides a convenient pretext for the collection of full payment details. Upon submission, the transaction "fails" and the attacker is left with a fresh set of financial credentials and PII that are ready to be misused.

By the conclusion of the attack flow, the victim has disclosed a comprehensive data set – including their full name, phone number, physical delivery address, and complete payment card information.

This combination of PII and financial data provides everything necessary for immediate monetization through identity theft or credit card fraud, pointing to the clear financial motivation of the operation.


Infrastructure Pattern and Domain Naming Strategy

What made the campaign identifiable and detectable to us was its recurring naming pattern. Every intercepted domain began with the impersonated carrier name as a subdomain, followed by a five-letter pseudo-random label (the output of a domain generation algorithm, DGA) as the registered second-level domain, and ended with a low-trust TLD.

The pattern can be visualized as such:

carrier_name.5_letter_dga.tld

Or, as a regular expression (anchored so that it matches the whole hostname rather than a substring of a longer name):

^(t-mobile|verizon|att)\.[a-z]{5}\.[a-z]{2,}$

Moreover, the observed phishing domains were registered almost exclusively through two registrars: Singapore-based Gname.com Pte. Ltd. and Hong Kong-based Dominet (HK) Limited. Both are frequently over-indexed in phishing telemetry, meaning they account for a disproportionately high share of malicious registrations relative to their total market share.

Finally, the malicious actor attempted to avoid early detection by multiple methods, most notably:

  • Bulk registration: Domains were registered in daily batches, in quick succession and mostly between 05:00 and 11:00 UTC, with TLS certificates typically issued shortly afterwards. By rotating different domains across different sets of target phone numbers, the attackers minimized the risk of a total block and ensured that if one domain was flagged, others remained operational.
  • Cloudflare masking: The phishing domains were proxied through Cloudflare, so they resolved to Cloudflare edge IP addresses rather than the origin server. This concealed the originating server IP and complicated efforts to map the entire phishing infrastructure.
  • Registering DGAs, not brand names: The random DGA string was the registered second-level domain, and the brand name appeared only at the third level, a subdomain entirely under the attacker's control. Because the registered name itself contained no brand string, brand-keyword monitoring of new registrations by registry and registrar operators never triggered.
  • Wildcard certificates: They obtained wildcard certificates for the second-level DGA domain (in the walkthrough example, the zone fobzj[.]cc) rather than a certificate naming the specific third-level phishing host. As a result, the impersonated brand never appeared in Certificate Transparency logs.

The domains nevertheless remained discoverable. By tuning our detection mechanisms to these specific artifacts, Whalebone Threat Intelligence was able to intercept and block a large number of newly created phishing domains every day, exceeding 7,000 in total by early February.
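The detection logic described above, as an added example that is not part of the original post or of Whalebone's tooling: it applies the anchored naming pattern to a feed of new-domain records, uses the two registrars and the 05:00–11:00 UTC batch window as supporting signals, and shows why a wildcard certificate name from a CT log has to be joined against zones already flagged from DNS rather than matched on its own. The feed shape (name, registrar, registered), the record set, and every domain other than the two named in the post are constructed for illustration; the sample uses www.verizon.com as a legitimate control.

```python
import re
from datetime import datetime, timezone

# Anchored form of the naming pattern described in the post:
# <brand>.<five random lower-case letters>.<tld>. The anchors stop it firing
# inside longer hostnames such as my-t-mobile.abcde.cc.
CAMPAIGN_RE = re.compile(
    r"^(?P<brand>t-mobile|verizon|att)\.(?P<dga>[a-z]{5})\.(?P<tld>[a-z]{2,})$"
)

# Registrars the post reports as issuing almost all of the campaign's domains.
SUSPECT_REGISTRARS = {"Gname.com Pte. Ltd.", "Dominet (HK) Limited"}

# Observed bulk-registration window in UTC hours: inclusive start, exclusive end.
BATCH_WINDOW = (5, 11)

# Constructed sample feed. Only t-mobile.mxuie[.]cc and verizon.fobzj[.]cc come
# from the post; the remaining entries are made up to exercise the edge cases.
SAMPLE_FEED = [
    {"name": "t-mobile.mxuie[.]cc", "registrar": "Gname.com Pte. Ltd.", "registered": "2026-01-08T06:12:00+00:00"},
    {"name": "verizon.fobzj[.]cc", "registrar": "Dominet (HK) Limited", "registered": "2026-01-07T09:40:00+00:00"},
    {"name": "att.qwert[.]top", "registrar": "Example Registrar", "registered": "2026-01-14T16:05:00+00:00"},
    {"name": "verizon.fobzjx[.]cc", "registrar": "Gname.com Pte. Ltd.", "registered": "2026-01-14T22:00:00+00:00"},
    {"name": "my-t-mobile.abcde[.]cc", "registrar": "Example Registrar", "registered": "2026-01-14T14:00:00+00:00"},
    {"name": "www.verizon.com", "registrar": "Example Registrar", "registered": None},
]


def refang(indicator: str) -> str:
    """Normalise a defanged indicator ('verizon.fobzj[.]cc') to a plain hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def registered_domain(hostname: str) -> str:
    """Second-level label plus TLD: the part the registrar actually sold."""
    return ".".join(hostname.split(".")[-2:])


def assess(record: dict) -> dict:
    """Score one new-domain record (hypothetical feed shape: name, registrar, registered)."""
    name = refang(record["name"])
    reasons = []
    match = CAMPAIGN_RE.match(name)
    if match:
        reasons.append(f"naming pattern: brand={match['brand']} random={match['dga']}")
    if record.get("registrar") in SUSPECT_REGISTRARS:
        reasons.append("registrar over-indexed in phishing telemetry")
    if record.get("registered"):
        hour = datetime.fromisoformat(record["registered"]).astimezone(timezone.utc).hour
        if BATCH_WINDOW[0] <= hour < BATCH_WINDOW[1]:
            reasons.append("registered inside the daily batch window")
    # The naming pattern is the blocking signal; registrar and timing only raise
    # confidence, or mark a domain for review when the pattern does not fire.
    if match:
        verdict = "block"
    elif reasons:
        verdict = "watch"
    else:
        verdict = "allow"
    return {"name": name, "zone": registered_domain(name), "verdict": verdict, "reasons": reasons}


def triage(records) -> list:
    """Assess every record in a feed."""
    return [assess(r) for r in records]


def blocked_zones(results) -> set:
    """Registered domains behind every hostname the triage blocked."""
    return {r["zone"] for r in results if r["verdict"] == "block"}


def link_certificate(cert_name: str, zones: set) -> bool:
    """Join a Certificate Transparency name against already-blocked zones.

    A wildcard leaf such as '*.fobzj.cc' carries no brand label, so the naming
    regex can never fire on it; the zone it covers can still be tied to the
    phishing hostnames observed in DNS.
    """
    name = refang(cert_name)
    base = name[2:] if name.startswith("*.") else name
    return registered_domain(base) in zones


if __name__ == "__main__":
    results = triage(SAMPLE_FEED)
    for r in results:
        print(f"{r['verdict']:5} {r['name']:24} {'; '.join(r['reasons'])}")
    zones = blocked_zones(results)
    print("wildcard *.fobzj.cc linked:", link_certificate("*.fobzj.cc", zones))
```

In the constructed feed, the two domains from the post score on all three signals, the six-letter variant falls through to "watch" on registrar alone, and the hyphenated look-alike is left alone because the regex is anchored; `link_certificate` only succeeds because DNS triage had already blocked the `fobzj.cc` zone.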


A snippet of the malicious domains intercepted and blocked on January 14th, showing the recurring pattern typical of domain generation algorithm output.

 

Final Assessment

This campaign demonstrates how relatively simple phishing infrastructure, when combined with bulk automation and disciplined domain rotation, can achieve significant scale. While the phishing kit itself was not technically advanced, its structured deployment enabled sustained activity across multiple carriers.

The recurring naming pattern ultimately became the campaign’s most significant weakness, enabling effective detection at scale through DNS-layer security controls.

 


Proactive Threat Detection

At Whalebone, we are proactively evaluating the most effective entry point for protecting our user base. As launching new campaigns has become easier, the threat landscape has shifted toward localized, rapidly emerging risks.

To address this, we began monitoring activity at the earliest stages, specifically during domain creation. This includes tracking newly registered domains as well as newly issued certificates for subdomains.

Even at this initial step, early indicators often suggest suspicious activity, allowing us to begin analyzing patterns and assessing the owner’s intent right away.

 

2025 Threat Landscape Report

Across the networks we protect, more than 30B threats were blocked last year. The way these threats evolved shows how quickly attackers are adapting.

Learn what shaped the cybersecurity landscape in 2025 and what lies ahead. Get a copy of our latest threat report.
