- Phishing attacks now bypass multi-factor authentication using real-time digital wallet provisioning tactics
- One-time passcodes are no longer enough to stop fraudsters with mobile-optimized phishing kits
- Millions of victims were targeted using everyday alerts like tolls, packages, and account notices
A wave of advanced phishing campaigns, traced to Chinese-speaking cybercriminal syndicates, may have compromised up to 115 million US payment cards in just over a year, experts have warned.
Researchers at SecAlliance revealed these operations represent a growing convergence of social engineering, real-time authentication bypasses, and phishing infrastructure designed to scale.
Investigators have identified a figure referred to as “Lao Wang” as the original creator of a now widely adopted platform that facilitates mobile-based credential harvesting.
Identity theft scaled through mobile compromise
At the center of the campaigns are phishing kits distributed through a Telegram channel known as “dy-tongbu,” which has rapidly gained traction among attackers.
These kits are designed to avoid detection by researchers and platforms alike, using geofencing, IP blocks, and mobile-device targeting.
This level of technical control allows phishing pages to reach intended targets while actively excluding traffic that might flag the operation.
The phishing attacks typically begin with SMS, iMessage, or RCS messages using everyday scenarios, such as toll payment alerts or package delivery updates, to drive victims toward fake verification pages.
There, users are prompted to enter sensitive personal information, followed by payment card data.
The sites are often mobile-optimized to align with the devices that will receive one-time password (OTP) codes, allowing for immediate multi-factor authentication bypass.
These credentials are provisioned into digital wallets on devices controlled by attackers, allowing them to bypass additional verification steps normally required for card-not-present transactions.
Researchers described this shift to digital wallet abuse as a “fundamental” change in card fraud methodology.
It enables unauthorized use at physical terminals, online shops, and even ATMs without requiring the physical card.
Researchers have observed criminal networks now moving beyond smishing campaigns.
There is growing evidence of fake ecommerce sites and even fake brokerage platforms being used to collect credentials from unsuspecting users engaged in real transactions.
The operation has grown to include monetization layers, including pre-loaded devices, fake merchant accounts, and paid ad placements on platforms like Google and Meta.
As card issuers and banks look for ways to defend against these evolving threats, standard security suites, firewall protection, and SMS filters may offer limited help given the precision targeting involved.
Given the covert nature of these smishing campaigns, there is no single public database listing affected cards. However, individuals can take the following steps to assess possible exposure:
- Review recent transactions
- Look for unexpected digital wallet activity
- Monitor for verification or OTP requests you didn’t initiate
- Check if your data appears in breach notification services
- Enable transaction alerts
Unfortunately, millions of users may remain unaware their data has been exploited for large-scale identity theft and financial fraud, facilitated not through traditional breaches.
Via Infosecurity
