Fraudsters in UAE posed as Dubai Police, targeting citizens with fake fines via calls, emails and SMS
# Incident Report: UAE Targeted Impersonation Scam Campaign
## Executive Summary
A large-scale, multi-vector social engineering campaign targeting UAE residents was uncovered, impersonating Dubai Police and other government entities to fraudulently solicit fine payments. The attacks combined phishing, smishing, and vishing, and used previously leaked personal data to make each contact appear credible. The primary impact is financial fraud; the scale of the activity indicates a sustained, high-volume campaign run by a globally distributed group linked to the "Smishing Triad."
## Incident Details
- Discovery Date: December 11, 2024 (Reported by Resecurity)
- Incident Date: Ongoing, coinciding with festive periods (e.g., UAE National Day).
- Affected Organization: UAE Residents (Individuals).
- Sector: Financial Services / Public Sector Impersonation.
- Geography: United Arab Emirates (UAE).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing; activity pre-dates discovery.
- Vector: Targeted phone calls, emails, and SMS messages (Smishing).
- Details: Fraudsters used dark web-sourced personal data (phone numbers) to craft highly contextualized messages regarding non-existent traffic violations, parking fines, or license renewals, demanding immediate payment.
### Lateral Movement
*This incident pertains to external social engineering/fraud, not internal network compromise; therefore, internal lateral movement is not applicable.*
### Data Exfiltration/Impact
- What was stolen or damaged: Financial assets (through fraudulent payments) and sensitive personal and financial data (through coercion during vishing calls).
### Detection & Response
- How it was discovered: Security researchers (Resecurity) detected the campaign, noting consistency with previous campaigns linked to the "Smishing Triad" tooling.
- Response actions taken: Authorities urged vigilance, reminding residents that official entities do not request sensitive data via phone. A public advisory was issued, directing victims to report attempts via official hotlines/emails.
## Attack Methodology
- Initial Access: Phishing (emails), Smishing (SMS with links to fake payment pages), Vishing (coerced phone calls).
- Persistence: Not applicable (campaign-based fraud).
- Privilege Escalation: Not applicable (social engineering focus).
- Defense Evasion: Messages mimicked legitimate branding (Dubai Police) and platforms (UAE PASS).
- Credential Access: Sensitive information (personal/financial data) was obtained via direct communication during vishing attacks.
- Discovery: Reconnaissance involved leveraging previously breached databases for contact information.
- Lateral Movement: Not applicable.
- Collection: Gathering victim financial details and personal identification data.
- Exfiltration: Fund transfers to attacker-controlled accounts.
- Impact: Financial loss for victims; the proceeds may in turn feed money laundering activity.
## Impact Assessment
- Financial: UAEFIU reported AED 1.2bn ($326m) in fraud losses between 2021 and 2023; this campaign contributes to this ongoing figure. Estimated 50,000 to 100,000 scam messages sent daily.
- Data Breach: Personal and financial data obtained from duped victims.
- Operational: Minimal impact on government operational integrity, but significant burden on public reporting/awareness systems.
- Reputational: Damage to the perceived security of UAE government communication channels.
## Indicators of Compromise
- Network indicators: Over 144 domains linked to the scam, often utilizing inexpensive/poorly regulated generic TLDs (Details not provided to prevent misuse).
- File indicators: Not applicable (primarily communication-based).
- Behavioral indicators: Use of scripted dialogues in vishing calls, often featuring threats (e.g., vehicle seizure, license revocation) and utilizing actors with Indian accents.
## Response Actions
- Containment measures: Public awareness campaigns cautioning residents against providing data over unsolicited calls/texts.
- Eradication steps: Authorities directed victims to official reporting channels. (Domain takedowns likely ongoing but not specified).
- Recovery actions: Assisting victims who have already made payments (implied through general fraud reporting mechanisms).
## Lessons Learned
- The high level of social engineering sophistication, including use of consistent malicious scenarios observed in prior campaigns (linked to the Smishing Triad), indicates organized, multi-national criminal infrastructure.
- The reliance on breached personal data enhances the believability of the scams, especially during sensitive times like national holidays.
- Authorities must actively monitor and rapidly take down infrastructure (domains) used in these large-scale campaigns.
## Recommendations
- Mandate rigorous public awareness campaigns reiterating that official UAE entities (e.g., Dubai Police) never solicit personal or financial details via phone call.
- Increase monitoring on generic TLD registrations for patterns matching known scam infrastructure (e.g., high volume of newly registered domains used for financial requests).
- Enhance detection mechanisms for patterns associated with the global "Smishing Triad" tooling and infrastructure across email and SMS gateways.
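To make the last two recommendations concrete, here is an added example (not from the report or from Resecurity) of a heuristic SMS-gateway scorer that combines the signals the report describes: a government brand name, a fine/renewal lure, urgency or threats, and a link whose host is outside the .gov.ae hierarchy or on a cheap generic TLD. The sample messages, the lure hosts, the scoring weights and the `.gov.ae` allowlist are all constructed for this example; only the real Dubai Police domain in the benign sample is genuine.

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS bodies (invented for this example, not real campaign messages)
SAMPLES = [
    "Dubai Police: unpaid traffic fine AED 500. Pay within 24h to avoid vehicle seizure https://dubaipolice-fines.top/pay",
    "Your UAE PASS account needs verification. Update immediately: http://uaepass-verify.xyz/login",
    "Reminder: your dental appointment is tomorrow at 10:00. Reply C to confirm.",
    "Dubai Police: your fine notice is available at https://www.dubaipolice.gov.ae/wps/portal/home/services",
]
IMPERSONATED_BRANDS = ("dubai police", "uae pass")
LURE_TERMS = ("fine", "violation", "license", "renewal", "parking", "verification")
PRESSURE_TERMS = ("immediately", "within 24", "seizure", "revocation", "suspended")
TRUSTED_SUFFIXES = (".gov.ae",)  # assumed allowlist for genuine UAE government hosts
RISKY_TLDS = {"top", "xyz", "icu", "click", "shop", "cfd"}  # cheap generic TLDs often abused
URL_RE = re.compile(r"https?://\S+", re.I)
FLAG_THRESHOLD = 5

def extract_hosts(text):
    """Return the lowercase hostname of every URL found in the message."""
    return [urlparse(url).hostname or "" for url in URL_RE.findall(text)]

def score_message(text):
    """Score one SMS; higher means more likely a fake-fine impersonation lure."""
    body = text.lower()
    hits = []  # (points, reason) pairs, kept so analysts can see why a message fired
    brand_hit = any(b in body for b in IMPERSONATED_BRANDS)
    if brand_hit:
        hits.append((2, "impersonated_brand"))
    if any(t in body for t in LURE_TERMS):
        hits.append((1, "fine_or_renewal_lure"))
    if any(t in body for t in PRESSURE_TERMS):
        hits.append((1, "urgency_or_threat"))
    for host in extract_hosts(text):
        # A government brand name next to a host outside .gov.ae is the strongest signal
        if brand_hit and not host.endswith(TRUSTED_SUFFIXES):
            hits.append((3, f"brand_with_untrusted_host:{host}"))
        if host.rsplit(".", 1)[-1] in RISKY_TLDS:
            hits.append((2, f"risky_tld:{host}"))
    score = sum(points for points, _ in hits)
    return {"score": score, "flagged": score >= FLAG_THRESHOLD,
            "reasons": [reason for _, reason in hits]}

def triage(messages):
    """Score a batch and return (flagged, score) per message, in order."""
    return [(r["flagged"], r["score"]) for r in map(score_message, messages)]

if __name__ == "__main__":
    for msg, (flagged, score) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{'FLAG' if flagged else 'ok  '} {score:>2}  {msg[:60]}")
```

The allowlist check is what keeps a genuine Dubai Police notice below the threshold even though it mentions a fine, which is the false-positive case a gateway rule has to get right.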