The scale and complexity of a recent cybercrime operation have been revealed, with Chinese-speaking syndicates compromising an estimated 115 million US payment cards from July 2023 to October 2024. This campaign marks a significant escalation in payment card fraud, moving beyond traditional methods by exploiting the very systems designed to secure transactions. By leveraging advanced smishing, which includes malicious text messages, RCS, and iMessage, the attackers were able to trick victims into providing sensitive information, which was then used to provision fraudulent accounts on mobile digital wallets. This method, as noted by security researchers, represents a “paradigm shift” in the landscape of financial crime.
The attack strategy was meticulously designed to circumvent conventional security measures. The campaign used multi-layered smishing to obtain payment card details and one-time passwords (OTPs) from unsuspecting victims. The attackers’ infrastructure was technically sophisticated, featuring geofencing, mobile user-agent enforcement, and IP blocking to evade detection by security vendors and Tor networks. Once the stolen data was provisioned onto a digital wallet, the card details were converted into what appeared to be legitimate Apple Pay or Google Wallet accounts. This exploitation of mobile wallet tokenization allowed the criminals to bypass traditional fraud detection systems and conduct transactions as if they were the card’s legitimate owner.
A key figure in this operation was an individual known as “Lao Wang,” alias Wang Duo Yu. Lao Wang is credited with creating one of the initial phishing-as-a-service platforms on Telegram, which provided the tools and infrastructure for the smishing campaign. The platform’s community grew from 2,800 to over 4,400 members, showcasing the rapid expansion and collaborative nature of the criminal enterprise. The operation also included the sale of pre-loaded devices containing multiple stolen cards and the targeting of brokerage accounts, demonstrating a multi-faceted approach to monetization and fraud. This activity is consistent with a growing trend of sophisticated mobile malware campaigns, with recent research identifying more than 2,400 variants of mobile infostealer malware specifically targeting multi-factor authentication (MFA) systems.
The smishing campaigns began their significant escalation in August 2023, with continuous monitoring through October 2024 documenting the evolution and growing scale of the attacks. The financial impact of this operation is colossal, with damages estimated to be in the billions of dollars. This massive financial toll contributes to a broader trend where mobile fraud costs North American merchants an average of $4.61 for every dollar of fraud committed. The attacks highlight the immense financial and operational challenges businesses face in keeping pace with the evolving tactics of cybercriminals.
The success of this operation underscores a critical need for enhanced cybersecurity measures and increased consumer awareness. The combination of social engineering, advanced phishing infrastructure, and real-time MFA bypass techniques poses a formidable threat to both individuals and financial institutions. Security researchers from SecAlliance and other firms have noted that these operations require a more integrated and dynamic defense strategy that can address the new vulnerabilities created by the proliferation of mobile digital wallets and the increasing sophistication of cybercrime syndicates.
Reference:
