A recently uncovered smishing campaign operated by Chinese cybercriminal syndicates may have compromised between 12.7 and 115 million U.S. payment cards from July 2023 to October 2024, according to a report by SecAlliance. The financial impact is estimated to be in the billions of dollars.
These attacks reflect a significant evolution in digital fraud tactics. They combine mobile messaging lures, phishing infrastructure that only serves mobile victims, and real-time relay of one-time passcodes to defeat MFA, with the goal of stealing victims' payment card data and loading it into Apple Pay and Google Wallet on attacker-controlled phones.
A Sophisticated Phishing-as-a-Service Ecosystem
The nearly two-year investigation revealed a transformation from simple scams into complex phishing-as-a-service (PaaS) operations. These services now include features built specifically around the digital wallet provisioning flow (capturing the card details and the issuer's verification code in one session) and around evading fraud prevention and anti-phishing systems.
Researchers identified a key actor, “Lao Wang,” believed to be the developer of one of the earliest and most effective PaaS tools for mobile wallet exploitation. His Telegram channel, “dy-tongbu,” launched in early 2023, has become a central hub for smishing services—growing from 2,800 to over 4,400 members.
Phishing kits sold via this channel include built-in gating such as geofencing, IP blocking, and mobile-user-only enforcement. Desktop browsers, out-of-region visitors, and the IP ranges of security scanners never see the phishing page, which keeps the kit out of takedown and detection pipelines and ensures that only real users on mobile devices reach it. The mobile-only restriction also matters for the MFA bypass: the issuer's one-time password (OTP) arrives on the victim's phone, and the phishing page, open on that same phone, asks the victim to type it in, so the attacker collects the OTP in real time while it is still valid.
How These Smishing Attacks Work
The attacks typically begin with fraudulent messages sent via SMS, iMessage, or RCS, tricking victims with urgent topics like missed deliveries, toll fees, or tax issues. Victims are lured into mobile-optimized phishing pages, where they are prompted to enter sensitive information: names, addresses, emails, phone numbers—and ultimately, payment card data.
Once the card details are submitted, attackers immediately start provisioning the card into a digital wallet on a device they control. The issuer responds by sending an OTP to the cardholder's phone to approve the new wallet token, and the phishing page prompts the victim to enter that code as a "verification" step. With the relayed OTP, the attacker completes provisioning and holds a tokenized copy of the card that works for payments without the physical card ever changing hands.
A Paradigm Shift: Exploiting Digital Wallets
According to the report, this represents a fundamental shift in fraud methodology. Unlike traditional card-not-present fraud, which is often flagged by transaction monitoring, this model uses the wallet token to make contactless payments that present to the network as ordinary card-present transactions: tap-to-pay at point-of-sale terminals, in-app and online purchases, and even cardless tap-to-pay ATM withdrawals.
Additionally, attackers have been seen creating fake merchant accounts with legitimate payment processors like Stripe, PayPal, Flutterwave, and HitPay to cash out stolen funds.
Beyond Smishing: Expanding Criminal Tactics
The campaign has also evolved to include the sale of preloaded devices, phones with multiple compromised cards already provisioned into their wallets. This indicates a growing secondary market that lets criminals with no phishing capability of their own monetize stolen data through physical devices.
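The two patterns described above (attackers provisioning victims' cards into wallets on their own devices, and preloaded phones carrying cards from many different victims) share one signal that an issuer or wallet provider can look for: a single wallet device that enrolls cards belonging to several unrelated cardholders in a short period. The following is an added example of that detection rule, written for this page and not taken from the SecAlliance report or from any issuer's real tooling. The log format, field names, device identifiers and thresholds are all hypothetical, and the sample log lines are constructed for the example.

```python
"""Issuer-side detection of shared wallet-provisioning devices.

Added example (hypothetical log format and thresholds). One wallet device
provisioning cards that belong to several distinct cardholders inside a short
window is the pattern behind attacker-controlled phones and "preloaded"
devices; a legitimate user adding two of their own cards should not trip it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed sample log lines (not real data). Fields, pipe-separated:
# timestamp | event | device_id | cardholder_id | card_ref | result
SAMPLE_LOG = """\
2024-09-03T10:02:11Z|wallet_provision|dev-a1f3|ch-1001|card-5521|otp_passed
2024-09-03T10:09:47Z|wallet_provision|dev-a1f3|ch-2044|card-7710|otp_passed
2024-09-03T10:15:02Z|wallet_provision|dev-a1f3|ch-3187|card-9034|otp_passed
2024-09-03T11:40:30Z|wallet_provision|dev-b772|ch-4410|card-1209|otp_passed
2024-09-04T08:12:05Z|wallet_provision|dev-b772|ch-4410|card-3356|otp_passed
2024-09-04T09:00:00Z|wallet_provision|dev-a1f3|ch-5599|card-2201|otp_failed
"""


class ProvisionEvent(NamedTuple):
    ts: datetime
    event: str
    device: str
    holder: str
    card: str
    result: str


def parse_log(text: str) -> List[ProvisionEvent]:
    """Parse the hypothetical pipe-delimited log into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, event, device, holder, card, result = line.split("|")
        events.append(ProvisionEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            event, device, holder, card, result))
    return sorted(events, key=lambda e: e.ts)


def flag_shared_wallet_devices(events: List[ProvisionEvent],
                               window: timedelta = timedelta(hours=1),
                               max_cardholders: int = 2) -> Dict[str, Set[str]]:
    """Return {device_id: cardholder_ids} for every device that attempted to
    provision cards of more than max_cardholders distinct cardholders within
    any sliding window of the given length.

    Failed OTP attempts count too: the attacker still drove the attempt, and a
    phished victim who mistyped the code is not a sign of legitimacy.
    """
    by_device: Dict[str, List[ProvisionEvent]] = defaultdict(list)
    for e in events:
        if e.event == "wallet_provision":
            by_device[e.device].append(e)

    flagged: Dict[str, Set[str]] = {}
    for device, evs in by_device.items():
        recent: deque = deque()          # events inside the current window
        for e in evs:                    # evs is already time-ordered
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            holders = {r.holder for r in recent}
            if len(holders) > max_cardholders:
                flagged.setdefault(device, set()).update(holders)
    return flagged


if __name__ == "__main__":
    hits = flag_shared_wallet_devices(parse_log(SAMPLE_LOG))
    for device, holders in hits.items():
        print(f"{device}: cards of {len(holders)} distinct cardholders "
              f"provisioned within one hour -> {sorted(holders)}")
```

On the constructed sample, dev-a1f3 is flagged because it enrolled cards of three different cardholders in thirteen minutes, while dev-b772 (one cardholder adding two of their own cards a day apart) is not. The window and threshold are the tuning knobs: a wider window catches slower operators but starts to collide with shared family devices, which is why the rule is best used to trigger step-up verification or a review queue rather than to decline outright.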
A newer trend emerged in August 2024 with the rise of fake e-commerce websites. Instead of pushing a lure by message, these fraudulent storefronts are advertised on platforms such as Meta, TikTok, and Google Ads, so they capture card data from victims who are actively shopping and enter it willingly at checkout.
Most recently, attackers have shifted some efforts toward the financial sector, launching phishing pages aimed at gaining control over brokerage accounts instead of just stealing payment card data.
🔒 Stay Ahead of Emerging Threats
As cybercriminal tactics evolve, organizations must stay alert and proactive. If you’re looking to strengthen your defenses against mobile-based phishing, social engineering, and digital wallet fraud, our team is here to help.
Source: https://www.infosecurity-magazine.com/news/chinese-smishing-us-payment-cards