Phishing gangs are now defeating multi-factor authentication by relaying one-time passcodes in real time and provisioning the stolen card credentials into digital wallets. A one-time passcode alone no longer stops attackers who use phishing kits tuned for mobile devices.
Using everyday-looking messages — about tolls, deliveries, or account alerts — these campaigns have reached millions of potential victims. Security researchers at SecAlliance warn that a sophisticated wave of phishing activity, linked to Chinese-language criminal groups, may have exposed as many as 115 million U.S. payment cards over a little more than a year.
According to the investigators, this trend represents a fusion of social-engineering tactics, live authentication bypasses, and scalable phishing infrastructure. They trace the origin of a widely used mobile credential-harvesting platform to an individual nicknamed “Lao Wang.”
Mobile takeover drives identity theft at scale
Central to these operations are phishing kits spread through a Telegram channel called “dy-tongbu,” which has become popular among threat actors. The kits are engineered to evade analysis and platform scrutiny by employing geofencing, IP filtering, and strict targeting of mobile devices.
Those controls let scammers show their malicious pages only to intended targets while turning away visitors, such as desktop browsers or out-of-region addresses, whose requests might expose the scheme. Attacks usually start with SMS, iMessage, or RCS messages that mimic routine notifications (toll invoices, shipping updates, or account verifications) and steer recipients to bogus verification pages.
Victims are asked for personal details and payment card information, and then for the one-time code that the card issuer sends to their phone. Because the fake sites are built for mobile, the victim is reading the code on the same device they are typing it into, and the attackers relay it immediately, before it expires, which defeats the multi-factor check.
The stolen card is then provisioned into a digital wallet on a device the criminals control. Once the card is tokenized in a wallet, later payments no longer go through the extra fraud checks that normally protect card-not-present transactions. Researchers call this shift toward abusing digital wallets a "fundamental" change in how card fraud is carried out.
That change makes it possible for stolen payment methods to be used online, at point-of-sale terminals, and even at ATMs — all without the physical card.
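The defensive counterpart to the flow above is an issuer-side rule that treats a correct one-time code as insufficient on its own and looks at who is doing the provisioning. The following is an added example, not code from the article, from SecAlliance, or from any issuer: the cardholder profiles, event log, field names, country codes, weights and thresholds are all constructed for illustration. It scores each wallet-provisioning request on three signals that the relay attack cannot easily hide (a device the cardholder has never used, a source country that does not match the cardholder, and one device adding many different cards in a short window) and raises an alert when the combined score crosses a threshold.

```python
"""Issuer-side detection of suspicious digital-wallet provisioning.

Added example. Profiles, events, weights and thresholds are constructed
(assumed) for illustration; a real issuer would read its own history.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed cardholder profiles: home country and devices seen before.
CARDHOLDERS = {
    "card-1001": {"home_cc": "US", "devices": {"phone-alice"}},
    "card-1002": {"home_cc": "US", "devices": {"phone-bob"}},
    "card-1003": {"home_cc": "US", "devices": {"phone-carol"}},
    "card-1004": {"home_cc": "US", "devices": {"phone-dan", "tablet-dan"}},
}


@dataclass(frozen=True)
class Provisioning:
    """One request to add a card to a wallet (constructed event shape)."""
    ts: datetime
    card: str
    device_id: str      # wallet device making the request
    ip_cc: str          # country of the requesting IP address
    otp_verified: bool  # the code sent to the cardholder was entered correctly


VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3    # distinct cards per device in the window (assumed)
ALERT_THRESHOLD = 4   # assumed; weights below are illustrative


def score(event, history, cardholders=CARDHOLDERS):
    """Return (score, reasons) for one provisioning request.

    history: earlier Provisioning events, already in time order.
    A correct OTP does not lower the score: the relay attack supplies a
    correct OTP by design, so the code proves nothing about the device.
    """
    if not event.otp_verified:
        return 0, ["otp_not_verified"]   # normal flow already declines these
    profile = cardholders[event.card]
    reasons, total = [], 0
    if event.device_id not in profile["devices"]:
        reasons.append("new_device")
        total += 2
    if event.ip_cc != profile["home_cc"]:
        reasons.append("geo_mismatch")
        total += 2
    # Velocity: how many distinct cards has this device tried to add recently?
    recent = {h.card for h in history
              if h.device_id == event.device_id
              and event.ts - h.ts <= VELOCITY_WINDOW}
    recent.add(event.card)
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append(f"device_velocity={len(recent)}")
        total += 3
    return total, reasons


def evaluate(events):
    """Process events in time order; return {card: reasons} for alerts."""
    alerts, history = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        total, reasons = score(ev, history)
        if total >= ALERT_THRESHOLD:
            alerts[ev.card] = reasons
        history.append(ev)
    return alerts


# Constructed sample log: two legitimate adds, one cardholder abroad, and one
# unknown device ("dev-x") adding three different cards within an hour.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Provisioning(T0, "card-1001", "phone-alice", "US", True),
    Provisioning(T0 + timedelta(minutes=5), "card-1004", "tablet-dan", "US", True),
    Provisioning(T0 + timedelta(minutes=8), "card-1001", "phone-alice", "FR", True),
    Provisioning(T0 + timedelta(minutes=10), "card-1002", "dev-x", "NL", True),
    Provisioning(T0 + timedelta(minutes=25), "card-1003", "dev-x", "NL", True),
    Provisioning(T0 + timedelta(minutes=40), "card-1004", "dev-x", "NL", True),
]

if __name__ == "__main__":
    for card, why in evaluate(SAMPLE_EVENTS).items():
        print(card, why)
```

Run as a script, the three "dev-x" requests alert (the last one also carries the velocity reason), while Alice's own phone adding her card from abroad scores only a geo mismatch and stays below the threshold. In production the velocity rule is the one worth tuning first: a single wallet device legitimately adds a handful of cards over its lifetime, not several in an hour.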
Beyond smishing: deeper fraud ecosystems
The criminals aren’t limiting themselves to text-based scams. There’s growing evidence they’ve set up fake online stores and sham brokerage sites to harvest credentials from people making legitimate transactions. The overall operation now includes monetization tactics such as selling pre-loaded devices, fabricating merchant accounts, and buying ad placements on platforms like Google and Meta.
Because these smishing efforts are so precisely targeted and clandestine, traditional defenses — standard security suites, firewalls, and SMS filters — may only offer limited protection. There isn’t a public list of affected cards, but people can check their risk by taking a few steps:
• Review recent card and account transactions for anything unusual.
• Watch for unexpected changes to your digital wallets, such as a card you did not add or an issuer notice that your card was added to a new device.
• Be alert for verification prompts or one-time codes you did not request; an unexpected code may mean someone is adding your card to a wallet at that moment, so never share it.
• See whether your information shows up in breach-notification services.
• Turn on transaction alerts from your bank or card issuer.
Sadly, many victims likely don’t know their data has been repurposed for large-scale identity theft and financial fraud — theft that often happens without a conventional data breach.
(Reported via Infosecurity)