Report an incident

Get 24/7 incident response assistance from our global team

Talk to sales

Just fill out the form, and our representative will contact you soon.

Join the Cybercrime Fighters Club

Please review the following rules before submitting your application:

1. Our main objective is to foster a community of like-minded individuals dedicated to combatting cybercrime and who have never engaged in Blackhat activities.

2. All applications must include research or a research draft. You can find content criteria in the blog. Please provide a link to your research or research draft using the form below.

Chinese-speaking phishing ring behind latest fake fee scam targeting Middle East; another campaign exposed

Media Center Press Releases
June 1, 2023 · 6 min to read
Phishing
Scam
United Arab Emirates

Group-IB, a global cybersecurity leader headquartered in Singapore, has attributed a recent wave of scams impersonating public bodies in the Middle East region to a Chinese-speaking phishing gang, codenamed PostalFurious. The threat actor, documented for the first time by Group-IB in April 2023, has been targeting users in the Asia-Pacific by impersonating postal brands and toll operators. Now, Group-IB can confirm that the group has extended its operations to the Middle East.

In early May, local authorities issued a warning about a scam campaign that saw threat actors impersonate a road toll operator. Group-IB’s Digital Crime Resistance Center in Dubai was able to attribute this campaign to PostalFurious, along with a second scam scheme that targeted users in the Middle East region guise of a postal service. As part of its commitment to fighting cybercrime, Group-IB has shared its findings on the group with the local authorities and issued notifications for the impersonated brands.

Make it a double

In the aforementioned fake toll payment scheme, local residents receive fake messages asking them to urgently pay a vehicle trip fee to avoid additional fines. The text messages contain a shortened URL to obscure the true phishing address. Once a user clicks on the link, they are redirected to a fake branded payment page.

Fake payment page impersonating a road-toll operator

Figure 1: Fake payment page impersonating a road-toll operator. Source: Group-IB

The scammers’ goal is to compromise users’ payment data. According to Group-IB’s cyber investigations team, the campaign has been active since at least April 15, 2023.

Upon closer examination of the phishing infrastructure, Group-IB investigators found an almost identical scam campaign launched on April 29, 2023. The scammers used the same servers to host another network of phishing websites. The only difference between the two scam campaigns, which commenced two weeks apart, is the impersonated brand. In the latter campaign, scammers mimicked a Middle Eastern postal operator.

Scammers' network infrastructure

Figure 2: Scammers’ network infrastructure as shown by Group-IB’s Graph Network Analysis tool. Source: Group-IB.

The latest scam wave also relies on smishing (SMS phishing) to deliver phishing links. The text messages were sent from phone numbers registered in Malaysia and Thailand, as well as via email addresses through iMessage. While it is unknown how many individuals were targeted in this campaign, Group-IB experts found that customers of multiple Middle Eastern telecommunications companies received rogue SMS messages.

Fake SMS impersonating one of the country’s postal service providers

Figure 3: Fake SMS impersonating one of the country’s postal service providers. Source: Group-IB.

The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information. The phishing pages appropriate the official name and logo of the impersonated postal service provider.

Phishing page impersonating one of the country’s postal service providers

Figure 4: Phishing page impersonating one of the country’s postal service providers. Source: Group-IB.

Group-IB experts note that the identified phishing websites utilize access-control techniques to avoid automated detection and blocking. The pages can only be accessed from local IP addresses.

Too Fast Too Furious

Group-IB’s cyber investigators, who regularly assist in INTERPOL-led operations in the MEA region, attributed both campaigns to a Chinese-speaking phishing ring dubbed PostalFurious.

PostalFurious, codenamed by Group-IB’s cyber investigations unit in early 2023, has been active since at least 2021. The name was drawn from the group’s decision to impersonate postal brands as well as their ability to quickly set up large network infrastructures, which they also change quite frequently to avoid detection by security tools.

PostalFurious threat actor profile

Figure 5: PostalFurious threat actor profile. Source: Group-IB.

The phishing resources for both identified campaigns were hosted on identical web servers and their fake payment pages had the same design. The infrastructure behind these two scam schemes also shared many elements and code that were observed in previously analyzed PostalFurious campaigns targeting the APAC region. In attacks targeting both the Middle East and APAC markets, Laravel is used as an administration panel. The source code of the phishing sites targeting the affected local bodies contained comments written in simplified Chinese, which has previously been seen by Group-IB researchers during their prior research into PostalFurious.

Comments in Simplified Chinese detected during the analysis of PostalFurious’ phishing pages

Figure 6: Comments in Simplified Chinese detected during the analysis of PostalFurious’ phishing pages. Source: Group-IB.

Group-IB researchers underline that PostalFurious registers new phishing domains every day to rapidly expand their reach.

“Phishers are becoming more prolific and elaborate. They can no longer be detected and stopped by automated blocking. People should stay vigilant and aware of ongoing scams. PostalFurious operations demonstrate the transnational nature of organized cybercrime and emphasize the need for a coordinated joint response that involves the general public, private sector, and government.”

andrey polovinkin
Anna Yurtaeva

Senior Cyber Investigation Specialist at Group-IB’s Digital Crime Resistance Center in Dubai

How not to get scammed

Ensuring strong digital hygiene practices and exercising vigilance while online is crucial in preventing phishing and scams. Phishing emails or SMS messages often mimic legitimate messages from banks, credit card companies, or other organizations. It is essential not to rush into submitting your personal information. Find the company’s official website, look for reviews, and call customer support. An extra handful of seconds to double-check the URL or page name could make all the difference. If the website is demanding too much personal information, especially credit card information, be sure to ask yourself whether it is truly necessary.

Scammers usually impersonate legitimate brands. Brand owners should proactively monitor for and block scam and phishing websites upon detection. Group-IB’s Digital Risk Protection solution, part of the Unified Risk Platform, can reveal fraudulent infrastructure at early stages and initiate the takedown process.

The most effective way to stop cybercrime is to identify the perpetrators and bring them to justice. Group-IB’s Cyber Investigations team has conducted over 1,300 successful investigations all around the world helping private companies and international law enforcement organizations to combat advanced digital crimes.

Global Investigations by Group-IB

Eliminate threats to your revenue, property and reputation with Group-IB High-Tech Crime Investigations.

Learn more

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete Fraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed Extended Detection and Response (XDR), All-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Read next
Press release CFIP
December 2, 2025
Group-IB launches Cyber Fraud Intelligence Platform – a first-of-its-kind, GDPR compliant solution for real-time fraud intelligence sharing
November 27, 2025
Ukuk and Group-IB Strengthen Cooperation to Enhance the National Cyber Defense of the Kyrgyz Republic
Top Women in Security ASEAN Awards 2025
November 13, 2025
Group-IB’s High-Tech Crime Investigations team triumphs at Top Women in Security ASEAN Awards 2025
October 21, 2025
Group-IB launches Asia-Pacific’s first Cyber Fusion Center in Singapore
October 9, 2025
Group-IB Intelligence Powers Spanish Guardia Civil Operation to Dismantle the “GXC Team” Cybercrime Syndicate
September 30, 2025
Group-IB and Cyber Samurai join forces to enhance cyber resilience in the DACH region
Go to all Press Releases →