Tadeáš Hájek
Whalebone Threat Intelligence Analyst
Since early January, the Whalebone Threat Intelligence team has been tracking a widespread smishing campaign targeting customers of major US carriers, namely Verizon, T-Mobile, and AT&T. Exploiting the lure of “expiring reward points,” the campaign directed victims to malicious domains designed to harvest the credentials victims entered, including payment information.
In just over a month, Whalebone has intercepted and blocked more than 7,000 unique malicious domains via our DNS security, neutralizing the threat for our protected users.
Investigation into this campaign began on January 8th, after a member of our team flagged a T-Mobile-themed smishing lure, sent in a batch to multiple US numbers. The message attempted to create a sense of urgency, claiming the recipient's reward points were set to expire, and directed them to the suspicious URL t-mobile.mxuie[.]cc/pay.
Initial analysis uncovered dozens of additional domains targeting T-Mobile subscribers, alongside a mirroring pattern aimed at Verizon and AT&T users.
The fact that these domains shared a consistent naming convention pointed to a coordinated operation rather than a series of isolated incidents. This prompted us to pivot our investigation and map out the broader infrastructure supporting the campaign.
Every domain we analyzed utilized an identical front-end template, mobile-optimized and lightly themed to match whichever carrier was being impersonated. The malicious actor incorporated genuine links leading to the respective carrier website.
Smishing messages observed contained URL identifier strings in the SMS link, suggesting the attackers are likely using a phishing kit that tracks individual campaign performance or click-through rates.
We performed a walkthrough of the attack flow using domain verizon.fobzj[.]cc, registered on January 7th.
Upon landing, the victim is prompted for a phone number; once submitted, the site serves a page displaying a fabricated points balance.
Entering a fabricated US number still progressed to the next stage of the scam, pointing to the relatively unsophisticated backend logic of the campaign: the kit does not check the number against any real subscriber data.
In the second stage, the victim is presented with a fabricated points balance. Interestingly, we observed a hardcoded balance of 11,430 points across every domain we tested.
After clicking “Redeem Gifts,” the user is directed to a gift selection menu, which eventually leads to a PII (Personally Identifiable Information) collection form requesting a delivery address and contact information.
Naturally, the gift is free, but the delivery is not. The victim is directed to a final checkout page to cover shipping costs, which provides a convenient pretext for the collection of full payment details. Upon submission, the transaction "fails" and the attacker is left with a fresh set of financial credentials and PII that are ready to be misused.
By the conclusion of the attack flow, the victim has disclosed a comprehensive data set – including their full name, phone number, physical delivery address, and complete payment card information.
This combination of PII and financial data provides everything necessary for immediate monetization through identity theft or credit card fraud, pointing to the clear financial motivation of the operation.
What made the phishing campaign identifiable and detectable to us was the recurring pattern observed. The domains intercepted all started with the impersonated carrier name, followed by a 5-letter DGA (domain generation algorithm) string, and ending with a low-trust TLD.
The pattern can be visualized as such:
carrier_name.5_letter_dga.tld
Or by regular expression:
(t-mobile|verizon|att)\.[a-z]{5}\.([a-z]{2,})
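The regular expression above is enough to flag a hostname, but a DNS-layer control needs a little more around it: the observation may arrive as a full SMS URL, a defanged indicator, or a certificate-transparency SAN, and the value worth blocking is the registrable domain (the 5-letter label plus TLD), since the carrier name is only a subdomain in front of it. The following Python is an added example, not Whalebone's own detection code; it anchors the post's pattern so that hosts like matt.abcde.cc or verizon.abcde.cc.example cannot match, and the observations other than the two domains quoted in the post are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The post's pattern, anchored and with named groups. Anchoring matters:
# unanchored, "att" would also match inside "matt.abcde.cc".
CARRIER_DGA_RE = re.compile(
    r"^(?P<carrier>t-mobile|verizon|att)\.(?P<dga>[a-z]{5})\.(?P<tld>[a-z]{2,})$"
)


def extract_host(observation: str) -> str:
    """Normalise one observation (bare host, defanged host, or full URL) to a lowercase hostname."""
    s = observation.strip().lower().replace("[.]", ".")
    if "://" not in s:
        s = "http://" + s  # give urlsplit a scheme so the host is parsed correctly
    return urlsplit(s).hostname or ""


def classify(observation: str):
    """Return match details when the observation fits carrier.<5 letters>.<tld>, else None."""
    host = extract_host(observation)
    m = CARRIER_DGA_RE.match(host)
    if m is None:
        return None
    return {
        "host": host,
        "carrier": m["carrier"],
        "dga_label": m["dga"],
        # Block the registrable domain: that also covers any other carrier-themed
        # subdomain the operator later points at the same registration.
        "registrable_domain": f"{m['dga']}.{m['tld']}",
    }


def build_blocklist(observations):
    """Deduplicated, sorted list of registrable domains to push to a DNS blocklist."""
    hits = {c["registrable_domain"] for c in map(classify, observations) if c}
    return sorted(hits)


def hits_by_carrier(observations):
    """Count matched hosts per impersonated carrier, useful for campaign reporting."""
    counts = {}
    for c in map(classify, observations):
        if c:
            counts[c["carrier"]] = counts.get(c["carrier"], 0) + 1
    return counts


# Constructed sample feed: two indicators quoted in the post, plus constructed
# positives (att.qwzrt.cc, a CT-log style SAN) and negatives that a naive,
# unanchored regex would wrongly flag or that legitimately belong to carriers.
SAMPLE_OBSERVATIONS = [
    "t-mobile.mxuie[.]cc/pay",      # from the post (SMS link with path)
    "verizon.fobzj[.]cc",           # from the post
    "att.qwzrt[.]cc",               # constructed
    "https://verizon.fobzj.cc/",    # constructed duplicate of the same domain
    "verizon.com",                  # legitimate, must not match
    "www.att.com",                  # legitimate, must not match
    "matt.abcde.cc",                # constructed false-positive trap for an unanchored regex
    "t-mobile.abcdef.cc",           # constructed: six letters, outside the observed pattern
]

if __name__ == "__main__":
    for obs in SAMPLE_OBSERVATIONS:
        print(f"{obs:32} -> {classify(obs)}")
    print("blocklist:", build_blocklist(SAMPLE_OBSERVATIONS))
    print("per carrier:", hits_by_carrier(SAMPLE_OBSERVATIONS))
```

Feeding this the same way for newly registered domains would not work on its own: the registration feed only shows the apex (mxuie.cc) without the carrier label, so the pattern is best applied to DNS queries and to newly issued certificates, where the full carrier-themed hostname appears.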
Moreover, the observed phishing domains were registered using almost exclusively two registrars – Singaporean-based Gname.com Pte. Ltd. and Hong Kong-based Dominet (HK) Limited. These platforms are frequently over-indexed in phishing telemetry, meaning they host a disproportionately high volume of malicious domains relative to their total market share.
Finally, the malicious actor attempted to avoid early detection by multiple methods, most notably:
The domains, however, remained discoverable, and by adjusting our detection mechanisms to target these specific artifacts, Whalebone Threat Intelligence was able to intercept and block a large number of newly created phishing domains daily, totaling over 7,000 by early February.
A snippet of malicious domains intercepted and blocked on January 14th, with the clearly observable recurring pattern typical for products of domain generation algorithms.
This campaign demonstrates how relatively simple phishing infrastructure, when combined with bulk automation and disciplined domain rotation, can achieve significant scale. While the phishing kit itself was not technically advanced, its structured deployment enabled sustained activity across multiple carriers.
The recurring naming pattern ultimately became the campaign’s most significant weakness, enabling effective detection at scale through DNS-layer security controls.
At Whalebone, we are proactively evaluating the most effective entry point for protecting our user base. As launching new campaigns has become easier, the threat landscape has shifted toward localized, rapidly emerging risks.
To address this, we began monitoring activity at the earliest stages, specifically during domain creation. This includes tracking newly registered domains as well as newly issued certificates for subdomains.
Even at this initial step, early indicators often suggest suspicious activity, allowing us to begin analyzing patterns and assessing the owner’s intent right away.
Across the networks we protect, more than 30B threats were blocked last year. The way these threats evolved shows how quickly attackers are adapting.
Learn what shaped the cybersecurity landscape in 2025 and what lies ahead. Get a copy of our latest threat report.