Full Report
China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.
Analysis Summary
# Threat Actor: Smishing Triad
## Attribution & Identity
China-based, loosely federated group of cybercrime operators specializing in SMS phishing (smishing) kits.
**Known Aliases and Associated Groups:** Smishing Triad (moniker assigned by Resecurity). Named phishing-kit operations associated with this ecosystem and its infrastructure include Darcula, Lighthouse, and the Xinxin Group.
## Activity Summary
The Smishing Triad successfully converts phished payment card data into mobile wallets from Apple and Google, loading the stolen cards onto devices the actors control.
Initially impersonated toll road operators and shipping companies (e.g., USPS).
Recently, they have shifted to directly targeting customers of international financial institutions, expanding globally.
They utilize innovative, cost-effective phishing-as-a-service models, leveraging iMessage and RCS for high-delivery-rate campaigns.
They sell mobile phishing kits capable of automating card enrollment into digital wallets.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Utilizing iMessage (for Apple users) and RCS (for Google Android users) for message delivery, which bypasses traditional SMS filtering and incurs low operational cost.
- **Lures:** Spoofing established brands from various verticals (finance, logistics, retail, etc.) to solicit sensitive data.
- **Mobile Wallet Onboarding:** The phishing site collects card details, and the actor immediately begins adding that card to a wallet on a device they physically control. The issuer responds by sending a One-Time Password (OTP) to the cardholder's phone; the phishing page then asks the victim to type in "the code the bank just sent," and the actor uses the relayed OTP to complete enrollment. The OTP is never technically intercepted; the flaw is that the issuer accepts the code from whichever party presents it, with nothing binding it to the device that is actually enrolling the card.
- **Infrastructure Rotation:** Frequent rotation of hosting domains (roughly 25,000 phishing domains active in any given eight-day period).
- **Evasion:** Use of time-limited, single-use URLs that may expire or redirect based on device fingerprinting to evade security analysis.
- **Scalability:** Use of automated platforms for message delivery via VoIP numbers or compromised credentials in multi-wave campaigns.
- **Physical Infrastructure:** Observed using device farms (e.g., iPhone device farms) to manage multiple stolen mobile wallets simultaneously.
- **SIM Card Sourcing:** Capability to source country-specific SIM cards in volume, used to register sender accounts on iMessage and RCS that appear local to the target country and to replace those accounts as they are suspended.
- **Phishing Kit Features:** Kits can overlay supplied card data onto a simulated payment card image for seamless scanning/enrollment into Apple/Google Pay.
## Targeting
- **Sectors:** Postal/Logistics, Telecommunications, Transportation, Finance, Retail, Public Sector, and now Global Financial Institutions.
- **Geography:** Targeting at least 121 countries globally, essentially every country with modern infrastructure, excluding Iran, North Korea, and Russia (though some limited indicators exist for Russia). Specific targeting observed in Canada, Latin America, Australia, and the Asia-Pacific region, including Hong Kong and Macau.
- **Victims:** Customers of international financial institutions (e.g., CitiGroup, MasterCard, PayPal, Stripe, Visa), and users of USPS and local toll operators.
## Tools & Infrastructure
- **Tooling:** A Windows binary that wraps a Chrome executable and can blast messages via RCS, iMessage, Amazon, Instagram, Facebook, and WhatsApp; this is a sending tool used by the operators rather than malware delivered to victims.
- **Infrastructure:** Domains frequently hosted/registered through Chinese hosting companies, primarily **Tencent (AS132203)** and **Alibaba (AS45102)**.
## Implications
This represents a significant evolution in criminal operations led by Chinese-speaking actors, emphasizing scalability, efficiency, and low-cost global reach. Issuers' reliance on SMS-based OTPs to authorize digital wallet enrollment is a systemic weakness across the global financial sector: it lets stolen card data be converted within minutes into wallet tokens that can be cashed out directly (fraudulent e-commerce purchases and tap-to-pay transactions at the point of sale) or resold on loaded devices.
## Mitigations
- Financial institutions should immediately migrate away from SMS-based One-Time Passcodes (OTPs) for high-risk actions like mobile wallet enrollment.
- Implement stronger customer verification methods, such as requiring customers to log in via the official mobile banking app to validate card linking attempts.
- Messaging platform operators (Apple for iMessage, Google for RCS) should more aggressively detect and suspend sender accounts that generate high-volume message traffic identified as malicious, since carrier-side SMS filtering does not see these messages.
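The enrollment weakness described under Mobile Wallet Onboarding and the in-app verification recommended in the mitigations above, as an added example that is not part of the original report and does not model any real issuer's or wallet provider's API. All names (`Issuer`, `start_enrollment`, `verify_sms_otp`, `confirm_in_app`, the device identifiers and card data) are hypothetical. The toy issuer runs the same enrollment request through the weak design, where an SMS OTP relayed by the victim through the phishing page approves the actor's device, and through the hardened design, where only a confirmation originating from the customer's registered banking-app device can approve a specific pending request:

```python
"""
Toy model of an issuer authorizing a mobile-wallet enrollment (token
provisioning) request. Hypothetical example code, not any real issuer's
or wallet provider's implementation; all identifiers and data are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Cardholder:
    pan_last4: str
    phone: str            # where SMS OTPs are delivered
    app_device_id: str    # device on which the customer's banking app is registered


@dataclass
class EnrollmentRequest:
    request_id: str
    pan_last4: str
    wallet_device_id: str  # device asking to add the card to its wallet
    approved: bool = False


class Issuer:
    def __init__(self, cardholders):
        self.cardholders = {c.pan_last4: c for c in cardholders}
        self.pending = {}      # request_id -> EnrollmentRequest
        self.sms_outbox = {}   # phone -> otp (stands in for the SMS gateway)
        self.otps = {}         # request_id -> otp

    # Step shared by both designs: the wallet provider forwards the request.
    def start_enrollment(self, pan_last4, wallet_device_id):
        req = EnrollmentRequest(secrets.token_hex(8), pan_last4, wallet_device_id)
        self.pending[req.request_id] = req
        return req.request_id

    # Weak design: SMS OTP. The code reaches the cardholder, but nothing ties
    # it to wallet_device_id, so whoever the cardholder repeats it to can
    # finish the enrollment.
    def send_sms_otp(self, request_id):
        req = self.pending[request_id]
        holder = self.cardholders[req.pan_last4]
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[request_id] = otp
        self.sms_outbox[holder.phone] = otp

    def verify_sms_otp(self, request_id, otp):
        expected = self.otps.pop(request_id, None)   # single use
        req = self.pending[request_id]
        if expected is not None and hmac.compare_digest(expected, otp):
            req.approved = True
        return req.approved

    # Hardened design: the approval must come from the device where the
    # customer's authenticated banking app is registered, and it approves one
    # specific request whose wallet-device details the app can display.
    def confirm_in_app(self, request_id, app_device_id, decision):
        req = self.pending[request_id]
        holder = self.cardholders[req.pan_last4]
        if app_device_id != holder.app_device_id:
            return False          # not the customer's registered app device
        if decision == "approve":
            req.approved = True
        return req.approved


def smishing_scenario(use_in_app_confirmation):
    """Actor has phished card 4242 and starts enrollment on a farm device."""
    victim = Cardholder("4242", "+1-555-0100", "victim-phone")   # constructed data
    issuer = Issuer([victim])
    req_id = issuer.start_enrollment("4242", "actor-farm-iphone-17")
    if not use_in_app_confirmation:
        issuer.send_sms_otp(req_id)
        # Phishing page: "enter the code your bank just sent you".
        relayed = issuer.sms_outbox[victim.phone]
        return issuer.verify_sms_otp(req_id, relayed)   # True: enrollment succeeds
    # The actor holds no session on the victim's registered app device, so the
    # best it can do is submit an approval from its own device.
    return issuer.confirm_in_app(req_id, "actor-farm-iphone-17", "approve")


def legitimate_enrollment():
    """The real customer confirms from their registered banking-app device."""
    holder = Cardholder("4242", "+1-555-0100", "victim-phone")
    issuer = Issuer([holder])
    req_id = issuer.start_enrollment("4242", "victim-phone")
    return issuer.confirm_in_app(req_id, "victim-phone", "approve")


if __name__ == "__main__":
    print("SMS OTP design, relayed code:", smishing_scenario(False))
    print("In-app design, actor device: ", smishing_scenario(True))
    print("In-app design, real customer:", legitimate_enrollment())
```

The hardened path is not a social-engineering cure: a victim can still be talked into tapping "approve" inside the app. Its value is that the approval prompt lives in an authenticated channel the issuer controls and can show the wallet device being enrolled (model, location, "new device"), which an SMS code cannot, and that a code typed into a phishing page is no longer sufficient on its own.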