
The article discusses how Chinese cybercriminals are using phishing attacks to obtain payment card details, add them to Apple and Google mobile wallets on their devices, and then make fraudulent transactions or sell these devices with pre-loaded wallets.
Carding – the illegal business of stealing, selling and using payment card data – has long been a domain of Russian hackers. However, the mass introduction of more secure chip cards in the US has significantly weakened this market. At the same time, Chinese cybercriminal groups are introducing new schemes that are bringing back interest in card fraud: they use phishing data to integrate stolen cards into mobile wallets. This allows them to make online purchases and pay for goods in physical stores using modern payment technologies.
If you use a mobile phone, there’s a good chance that in the past two years you’ve received at least one phishing message pretending to be the U.S. Postal Service, supposedly to collect unpaid shipping charges, or an SMS message masquerading as a local toll road operator, warning you of unpaid tolls.
These fraudulent messages are sent via sophisticated phishing kits sold by cybercriminals based in mainland China. However, this isn’t classic SMS phishing (also known as “smishing”), as it bypasses mobile carriers entirely. Instead, the attackers use Apple’s iMessage and RCS services—a similar technology for Google devices—to bypass traditional mobile networks.
When a user enters their payment card details on a fake website, they are told that the financial institution will send a one-time password (OTP) to their mobile phone to confirm the transaction. This code is actually generated by the victim’s bank to verify that the cardholder really wants to link it to the mobile wallet.
If the victim enters the one-time code on the fraudulent website, the cybercriminals can link the victim’s card to a new Apple or Google mobile wallet on a device under their control.
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill has investigated the development of several Chinese smishing groups and found that most of them use Telegram to sell their services, posting detailed video tutorials. In these videos, the scammers demonstrate how to load multiple stolen digital wallets onto a single mobile device, then sell the phones in bulk for hundreds of dollars apiece.
“Who said carding is dead?” Merrill said during his presentation at the M3AAWG security conference in Lisbon today. He explained that such devices essentially become a tool for cloning magnetic card stripes. One vendor even notes that the minimum order is 10 phones, and delivery is by air.
In one of the promotional videos, you can see large stacks of milk crates filled with mobile phones, ready to be sold. Upon closer inspection, it becomes clear that each device has a handwritten note attached. It usually contains information about the date the mobile wallets were downloaded, the number of them on the phone, and the initials of the seller.
Merrill said one common way criminal groups in China make money using stolen mobile wallets is by setting up fake e-commerce businesses on Stripe or Zelle and running transactions through those entities — often totaling $100 to $500.
Merrill said that when these phishing groups first started operating two years ago, they waited 60 to 90 days before selling phones or using them for fraud. But these days, that waiting period is more like seven to 10 days, he said.
“When they first set this up, the actors were very patient,” he said. “Now they only wait 10 days before [the wallets] hit hard and fast.”
Attackers can use the mobile wallets not only to make purchases but also to cash out at physical POS terminals, using a one-time payment feature that transfers the payment between devices. Fraudsters are also developing more sophisticated mobile fraud methods.
Merrill found that at least one of the Chinese phishing groups is selling a special Android app called “ZNFC” that allows NFC transactions to be made over any distance. The user simply holds their phone up to a local payment terminal that supports Apple or Google Pay, and the app instantly transmits the payment details over the Internet, completing the transaction from another device in China.
“The software allows you to work from anywhere in the world,” Merrill said. According to him, the developers offer access to this program for $500 per month, providing the ability to transfer payments via NFC or use any digital wallet. In addition, they provide 24/7 technical support.
The so-called “ghost” mobile payment software was first spotted by cybersecurity experts ThreatFabric in November 2024. Andy Chandler, the company’s chief commercial officer, said that since then they have identified several criminal groups in different parts of the world that have started using the technology.
Among them are organized crime groups in Europe that are using similar methods of attacking mobile wallets and NFC to withdraw cash through ATMs that support smartphone payments.
“Nobody is talking about it openly, but we are now seeing at least a dozen different methods of using this technology, and they all work according to the same scheme, although they differ in the details,” Chandler explained. According to him, the scale of the problem is much greater than what banks are willing to admit.
In November 2024, the Singaporean newspaper The Straits Times reported the arrest of three foreigners who were recruited through social media platforms to participate in a scheme using “ghost” software. They used it to make purchases at retail stores, buying mobile phones, jewelry and gold bars.
“Since November 4, at least 10 victims of the e-commerce fraud scheme have reported unauthorized transactions totaling more than US$100,000. The money from their credit cards was used to buy electronics, including iPhones, chargers and jewelry in Singapore,” The Straits Times reported. The newspaper also reported that on November 8, police arrested Malaysian citizens who were operating under a similar scheme.
According to Merrill, phishing sites that mimic the USPS and toll road payment systems incorporate a number of innovations designed to maximize the efficiency of data collection from victims.
For example, even if a user begins entering their personal and financial information but at some point decides not to complete the transaction, all of the information entered is still captured in real time. This happens regardless of whether the visitor clicks the “Submit” button or not.
Merrill said that people who submit payment card information to these phishing sites are often told that their card cannot be processed and urged to use a different card. This technique, he said, sometimes allows phishers to steal more than one mobile wallet per victim.
Unlike many other phishing sites that store stolen information directly on their domains, the Chinese scam services send all of the data to internal databases controlled by the phishing kit vendors. This ensures that even after the site is taken down, the attackers still have access to the stolen information.
Another important development has been the mass generation of Apple and Google accounts, which are used to send the spam messages. One of the Chinese phishing groups has published images on its Telegram channels showing hundreds of Apple and Google bot accounts loaded onto devices that are arranged in a large, multi-tiered rack. The rack sits directly in front of the phishing network operator who controls the entire process.
In other words, the fraudulent websites operate in real time, with operators directly processing the data entered by victims as new phishing messages are sent out. According to Merrill, the criminals only send a few dozen of these messages at a time, probably because the entire scam requires manual intervention by operators in China. Since the one-time codes required to add a card to a mobile wallet only last a few minutes, the criminals have to act quickly.
Interestingly, none of the phishing sites that pretend to be toll road operators or postal services load in regular web browsers. They only open if the system recognizes that the visitor is visiting from a mobile device.
“One of the reasons scammers force you to use a mobile device is so that you can get a one-time code on the same device,” Merrill explains. “They also want to reduce the likelihood that you will change your mind. And if their goal is to access your mobile token and your OTP, they need an operator who can quickly verify everything.”
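The mobile-only behaviour described above is something a defender can check for when triaging a reported link. The following is an added example, not code from the article or from any of the researchers it cites: it requests the same URL once with a desktop and once with a mobile User-Agent and compares the two responses for a payment-card form. The User-Agent strings, the field-name heuristics and the two sample responses are constructed for the example.

```python
"""
Added example (not from the article): detect the mobile-only cloaking the
article describes by fetching a suspected phishing URL with a desktop and a
mobile User-Agent and comparing what comes back.
"""
import urllib.error
import urllib.request

# Placeholder User-Agent strings; any current desktop/mobile pair will do.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleDesktop/1.0"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) ExampleMobile/1.0"

# Substrings that suggest a payment-card entry form (heuristic, case-insensitive).
CARD_FIELD_HINTS = ("card number", "cardnumber", "cvv", "cvc", "expiry", "expiration")


def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent; 4xx/5xx responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(1_000_000).decode("utf-8", "replace")
            return {"status": resp.status, "final_url": resp.geturl(), "body": body}
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace") if err.fp else ""
        return {"status": err.code, "final_url": getattr(err, "url", url), "body": body}


def has_card_form(body):
    """True if the HTML contains a form and at least one card-field hint."""
    low = body.lower()
    return "<form" in low and any(hint in low for hint in CARD_FIELD_HINTS)


def classify(desktop, mobile):
    """Compare the two responses and name the pattern an analyst should note."""
    d_form, m_form = has_card_form(desktop["body"]), has_card_form(mobile["body"])
    if m_form and not d_form:
        return "mobile-only card form (cloaking, as described for these kits)"
    if m_form and d_form:
        return "card form served to every client"
    if desktop["status"] >= 400 and mobile["status"] < 400:
        return "mobile-only content, no card form detected yet (follow redirects/JS)"
    return "no card form in either response"


def triage(url):
    """Live version: fetch both variants and classify. Not called in the offline demo."""
    return classify(fetch(url, DESKTOP_UA), fetch(url, MOBILE_UA))


# Constructed responses standing in for what the two requests would return.
SAMPLE_DESKTOP = {
    "status": 404,
    "final_url": "https://example.invalid/track",
    "body": "<html><body>Not Found</body></html>",
}
SAMPLE_MOBILE = {
    "status": 200,
    "final_url": "https://example.invalid/track/pay",
    "body": (
        "<html><body><h1>Unpaid delivery fee</h1>"
        "<form method='post'><input name='cardnumber'><input name='cvv'>"
        "<input name='expiry'><button>Pay $1.99</button></form></body></html>"
    ),
}

if __name__ == "__main__":
    print(classify(SAMPLE_DESKTOP, SAMPLE_MOBILE))
```

For a real report, `triage(url)` performs the two fetches; the offline demo only runs `classify` over the constructed responses. A desktop 404 paired with a mobile 200 that carries card fields is the signature to record in the triage notes, together with both final URLs.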
Merrill also discovered another interesting technological feature of Chinese phishing schemes: their tools make it easy to convert stolen payment card data into a digital wallet. The system automatically creates a card image that matches the design of the victim’s financial institution’s cards. This makes the process of adding a stolen card to Apple Pay or another mobile wallet extremely simple – just scan the fabricated card image with your iPhone.
“The phone isn’t smart enough to tell if it’s a real card or just an image,” Merrill said. “So it scans the card into Apple Pay, which says okay, we need to verify that you’re the cardholder by sending a one-time code.”
How profitable are these mobile phishing kits? The best guess so far comes from data collected by other security researchers who have been tracking these advanced Chinese phishing vendors.
In August 2024, security researcher Grant Smith gave a talk at the DEFCON security conference about tracking down the Smishing Triad after scammers impersonating the U.S. Postal Service scammed his wife. By identifying another vulnerability in the gang’s phishing kit, Smith said he was able to see that people had entered 438,669 unique credit cards into 1,133 phishing domains (387 cards per domain).
Based on his research, Merrill said it’s reasonable to expect a loss of $100 to $500 for each card that was converted into a mobile wallet. Merrill said they observed nearly 33,000 unique domains associated with these Chinese groups in play in the year between the publication of Resecurity’s research and Smith’s DEFCON talk.
If you factor in an average of 1935 cards per domain and a loss of $250 per card, that comes to about $15 billion in fraudulent charges per year.
Merrill would not say whether he had found additional security vulnerabilities in any of the phishing kits sold by the Chinese groups, noting that the phishers quickly patched the vulnerabilities that Resecurity and Smith had publicly described.
Contactless payments have been gaining traction in the United States since the coronavirus pandemic began. Many financial institutions have sought to make the process of linking payment cards to mobile wallets as easy as possible for customers. As a result, one-time codes sent via SMS have become the main authentication method.
Experts say that the widespread reliance on one-time codes has significantly contributed to the spread of the new wave of carding. KrebsOnSecurity interviewed the head of security at a large European financial institution, who wished to remain anonymous due to restrictions on communicating with the press.
According to the expert, the time gap between the phishing of the victim’s payment details and their subsequent use in fraudulent schemes has made it difficult for many banks to understand the sources of losses.
“That’s why this situation has caught the industry by surprise,” he explains. “Many people are wondering how this is possible if we have already tokenized the authentication process. We have never seen such a mass mailing of messages and such a large number of people responding to them as in the case of these phishing attacks.”
To strengthen the security of digital wallets, some banks in Europe and Asia now require customers to log in to the bank’s mobile app before they can link the wallet to their device.
To combat phishing schemes related to “ghost” NFC transactions, payment terminals may need to be updated to better identify payments relayed from another device. However, experts doubt that retailers will be willing to replace existing equipment en masse before it reaches the end of its useful life.
In addition, Apple and Google play a significant role in the spread of fraudulent schemes, as their services allow the mass creation of accounts that are used to send phishing messages. Both companies have the ability to detect devices that suddenly have 7-10 mobile wallets added from different people around the world. They can also recommend that banks implement stronger authentication methods to protect mobile payments.
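The two defensive measures mentioned above, a per-device velocity check on wallet provisioning and a bank-app login requirement in place of an SMS one-time code, are sketched in the following added example. It is not code from Apple, Google or any bank; the event format, the thresholds and every sample event are constructed for illustration.

```python
"""
Added example (not from the article): a simplified velocity check over wallet
provisioning events, flagging a device that suddenly has wallets added for many
different cardholders in many countries, plus an issuer-side decision that
accepts a link request approved inside the bank's own app and steps up any
request that relies only on a relayed SMS one-time code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds. The article's own figure is that 7-10 wallets from
# different people on one device is an obvious signal; these are stricter.
MAX_HOLDERS_PER_DEVICE = 5
MAX_COUNTRIES_PER_DEVICE = 3
WINDOW = timedelta(days=7)

# Constructed provisioning log: timestamp,device_id,cardholder_id,country,auth_method
SAMPLE_EVENTS = [
    "2025-02-10T09:00:00,D-1,H-101,US,sms_otp",
    "2025-02-10T09:04:00,D-1,H-102,US,sms_otp",
    "2025-02-10T09:09:00,D-1,H-103,GB,sms_otp",
    "2025-02-10T10:30:00,D-1,H-104,DE,sms_otp",
    "2025-02-11T08:15:00,D-1,H-105,FR,sms_otp",
    "2025-02-11T08:20:00,D-1,H-106,SG,sms_otp",
    "2025-02-11T08:25:00,D-1,H-107,AU,sms_otp",
    "2025-02-11T08:31:00,D-1,H-108,US,sms_otp",
    "2025-02-10T12:00:00,D-2,H-200,US,bank_app_session",
    "2025-02-12T12:00:00,D-2,H-200,US,sms_otp",
]


def parse_events(lines):
    """Turn the CSV-style records above into dicts with a real timestamp."""
    events = []
    for line in lines:
        ts, device, holder, country, auth = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "holder": holder, "country": country, "auth": auth})
    return events


def flag_devices(events):
    """Return {device_id: [reasons]} for devices whose recent provisioning looks like bulk loading."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    flagged = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window starting at each event
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            holders = {e["holder"] for e in window}
            countries = {e["country"] for e in window}
            reasons = []
            if len(holders) > MAX_HOLDERS_PER_DEVICE:
                reasons.append(f"{len(holders)} distinct cardholders within {WINDOW.days} days")
            if len(countries) > MAX_COUNTRIES_PER_DEVICE:
                reasons.append(f"{len(countries)} cardholder countries within {WINDOW.days} days")
            if reasons:
                flagged[device] = reasons
                break
    return flagged


def decide(event, flagged):
    """Issuer-side decision for one link request."""
    if event["device"] in flagged:
        return "deny"        # device already looks like a bulk-loading rig
    if event["auth"] == "bank_app_session":
        return "allow"       # approved inside the authenticated bank app
    if event["auth"] == "sms_otp":
        return "step_up"     # a relayed SMS code is not enough; require in-app approval
    return "deny"


def run(lines):
    """Parse, flag devices, and decide every request; returns (flagged, decisions)."""
    events = parse_events(lines)
    flagged = flag_devices(events)
    return flagged, [(e["device"], e["holder"], decide(e, flagged)) for e in events]


if __name__ == "__main__":
    flagged, decisions = run(SAMPLE_EVENTS)
    print(flagged)
    for row in decisions:
        print(row)
```

In the sample data device D-1 collects eight cardholders from six countries in two days and is flagged on both counts, so every request from it is denied; device D-2 belongs to a single cardholder, whose in-app request is allowed while the SMS-only request is stepped up rather than trusted.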
However, neither Apple nor Google has yet responded to requests for comment on this situation.