China-Based SMS Phishing Triad Pivots to Banks
- #phishing
- #mobile-fraud
- #cybersecurity
- China-based 'Smishing Triad' groups are successfully enrolling phished payment card data in Apple and Google mobile wallets.
- These groups initially impersonated toll road operators and shipping companies but now target customers of international financial institutions.
- Victims receive spoofed messages asking for payment card details, followed by a request for a one-time SMS code to 'verify' the transaction.
- The one-time code is actually used by the fraudsters to enroll the victim's card in a mobile wallet they control.
- Phishing gangs load multiple stolen wallets onto a single device and sell these phones in bulk for fraudulent transactions.
- The 'Smishing Triad' operates via iMessage and RCS, bypassing traditional SMS and achieving near 100% delivery rates.
- Groups like Darcula, Lighthouse, and Xinxin Group are part of this loosely federated phishing-as-a-service operation.
- Chinese-speaking threat actors are introducing scalable, cost-effective systems to target larger user bases globally.
- The Smishing Triad now spoofs brands across 121 countries and various industries, using around 25,000 active phishing domains hosted mainly in China.
- Silent Push estimates over a million visits to these phishing pages within 20 days, with a 5% average success rate for some campaigns.
- The groups employ '300+ front desk staff' to support fraud operations and maintain Telegram channels showcasing their activities.
- Cash-out schemes include NFC apps like Z-NFC, which relay transactions from compromised wallets to payment terminals worldwide.
- Prodaft found backend panels indicating high victim interaction rates, with some domains capturing 30 credit cards in a week.
- Phishing messages are sent via Android emulators, exploiting gaps in sender ID validation on iMessage and RCS platforms.
- Financial institutions' reliance on SMS-based one-time codes for wallet enrollment remains a key vulnerability exploited by these groups.