China-based cybercriminals have found a lucrative niche in SMS phishing: turning stolen payment card data into mobile wallets on Apple and Google devices. The group, known as the “Smishing Triad,” previously focused on impersonating toll road operators and shipping companies, but it has now set its sights on customers of international financial institutions, expanding its operations and support staff along the way.
Over the past two years, many mobile device users have likely received phishing messages about unpaid toll road fees or an undelivered package from an entity like the U.S. Postal Service. Those who take the bait are directed to a look-alike website that asks for their payment card details. The site then asks for a one-time code that the victim’s bank has just sent by SMS, framed as verification of the payment. In reality, the bank sent that code to authorize adding the card to a mobile wallet, and the criminals use it to link the victim’s card to an Apple or Google wallet on a device they control.
The Smishing Triad loads multiple stolen cards onto a single device, and these wallet-laden devices are later sold in bulk to scammers for fraudulent purchases. The group has also evolved its delivery tactics: messages go out over iMessage to Apple users and over RCS to Android users, bypassing the carriers’ SMS networks and their spam filtering for a near 100 percent delivery rate.
A recent report by Prodaft detailed the tactics of the Smishing Triad, an umbrella for Chinese phishing groups including Darcula, Lighthouse, and the Xinxin Group. These actors have significantly expanded their targeting to global financial institutions such as Citigroup, Mastercard, PayPal, Stripe, and Visa, as well as banks worldwide.
The Smishing Triad’s phishing domains rotate frequently and are hosted primarily by the Chinese cloud providers Tencent and Alibaba. The group’s operations span 121 countries and target sectors including postal services, logistics, telecommunications, transportation, finance, and retail.
One popular scheme relies on an Android app called Z-NFC, which lets a buyer of these compromised wallets make contactless (NFC) purchases with the stolen cards. Chinese nationals have been arrested in several countries for using such apps to buy high-value goods fraudulently.
The Smishing Triad’s success rests on manipulating sender ID validation and exploiting technical loopholes in messaging platforms such as iMessage and RCS. Using VoIP numbers, compromised credentials, and automated sending platforms, the group runs high-volume campaigns at minimal cost.
Security experts stress that financial institutions should stop relying on SMS one-time codes to approve adding a card to a mobile wallet: a code delivered over SMS carries no indication of what it authorizes, so a phishing page can simply ask for it under a different pretext and relay it. Banks are urged to adopt stronger, purpose-bound verification, such as approving the enrollment inside the bank’s own mobile app, to combat this growing wave of fraud.
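Two of the signals described above, one device enrolling cards that belong to many different cardholders, and enrollments approved with nothing more than an SMS code from a device in a country that does not match the cardholder, can be turned into a simple issuer-side detector. The Python below is an added example written for this page, not code from Prodaft or from any bank or wallet provider. The event feed is constructed, and the field names, the assumption that an issuer sees a per-device identifier and device country on wallet-provisioning requests, and the thresholds are all hypothetical.

```python
"""
Issuer-side detector for suspicious mobile-wallet provisioning.

Assumptions (hypothetical): the issuer receives one line per provisioning
attempt with a stable wallet device identifier, the cardholder's country of
record, the requesting device's country, and the verification method used.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed, not real data. One provisioning attempt per line:
# timestamp device_id card_token cardholder_id cardholder_country device_country auth_method
SAMPLE_EVENTS = """\
2025-03-01T10:02:11Z dev-A1 tok-1001 ch-501 US US app_push
2025-03-01T10:05:40Z dev-A1 tok-1002 ch-501 US US app_push
2025-03-01T11:14:03Z dev-Z9 tok-2001 ch-731 US CN sms_otp
2025-03-01T11:16:48Z dev-Z9 tok-2002 ch-744 GB CN sms_otp
2025-03-01T11:19:22Z dev-Z9 tok-2003 ch-758 DE CN sms_otp
2025-03-01T11:21:07Z dev-Z9 tok-2004 ch-769 US CN sms_otp
2025-03-01T12:30:55Z dev-B7 tok-3001 ch-802 FR FR sms_otp
"""

FIELDS = ("ts", "device_id", "card_token", "cardholder_id",
          "cardholder_country", "device_country", "auth_method")


def parse_events(text):
    """Parse the whitespace-separated feed into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed event: {line!r}")
        ev = dict(zip(FIELDS, parts))
        # fromisoformat accepts an explicit +00:00 offset on every supported version
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_suspicious_devices(events, max_cardholders=2, window=timedelta(hours=24)):
    """
    Return {device_id: set(reasons)} for devices that trip either rule.

    Rule 1: more than `max_cardholders` distinct cardholders enrolled on the
            same device inside `window` (a mule phone being loaded with cards).
    Rule 2: enrollment verified only by SMS OTP while the device's country
            differs from the cardholder's country of record.
    A legitimate customer adding several of their own cards to one phone
    does not trigger Rule 1, because the cardholder_id is the same.
    """
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device_id"]].append(ev)

    findings = defaultdict(set)
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            # Rule 1: distinct cardholders seen on this device in the trailing window
            recent = {e["cardholder_id"] for e in evs[: i + 1]
                      if ev["ts"] - e["ts"] <= window}
            if len(recent) > max_cardholders:
                findings[dev].add("multiple_cardholders_one_device")
            # Rule 2: SMS-only verification from a mismatched country
            if (ev["auth_method"] == "sms_otp"
                    and ev["device_country"] != ev["cardholder_country"]):
                findings[dev].add("sms_otp_geo_mismatch")
    return dict(findings)


if __name__ == "__main__":
    for dev, reasons in detect_suspicious_devices(parse_events(SAMPLE_EVENTS)).items():
        print(dev, sorted(reasons))
```

On the constructed feed, dev-A1 (one customer adding two of their own cards, approved in-app) and dev-B7 (a single SMS-verified enrollment from the cardholder's own country) produce no findings, while dev-Z9 trips both rules. In practice either rule on its own is a reason to step up to in-app approval rather than to block outright.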