Tag: SecAlliance

  • Phishing Kits Steal Cards, Bind to Apple Pay/Google Wallet via Fake Stores

    Chinese phishing groups that inundate users with endless SMS alerts about a “delivery problem” or an “unpaid fine” have unveiled a new seasonal product: turnkey kits for mass-producing counterfeit online storefronts that steal bank-card data and bind those cards to mobile wallets such as Apple Pay and Google Wallet. At the same time, these groups have broadened their lure portfolio — they now distribute messages about fictitious tax rebates and nonexistent bonus points from mobile operators.

    Over the past week, thousands of domains have been registered that masquerade as T-Mobile customer portals and promise visitors a generous bonus balance. These links are disseminated through iMessage and RCS, inviting the user to “claim” thousands of points. The phishing site then requests the victim’s name, address, phone number, and card details. Once the card is entered, the site demands a one-time bank code under the pretext of “verifying” a transaction. In reality, the attackers are attempting to bind the card to their own device via Apple Pay or Google Wallet, and the supplied code grants them full control for future fraudulent charges. Similar domains target AT&T customers as well.

    According to SecAlliance, multiple China-based groups offering Phishing-as-a-Service have long deployed such schemes across Europe and Asia, but only now are they entering the U.S. market at scale. Analyses of domains linked to these operators reveal imitations of state tax-authority websites, promising victims an “unclaimed refund” in order to once again extract their card details and one-time authentication codes.

    An especially sophisticated vector involves fake online shops. Unlike smishing domains that quickly appear on blocklists, these fraudulent stores do not spam indiscriminately; instead, they lure buyers via Google and Facebook* ads — often by appearing in searches for specific products and “unbeatable prices.” Built using the same Chinese phishing kits, these shops look convincing on the surface but load malicious scripts at checkout. After the victim enters card details, the script attempts to bind the card to the attacker’s mobile wallet. Many victims realize they have been deceived only weeks later, when their order never arrives.

    Experts note that such sites can operate undetected for months: they are difficult to identify through bulk scanning and rarely surface in Safe Browsing systems. One of the most effective countermeasures remains promptly submitting received smishing messages and links to services such as smishreport[.]com. A simple screenshot is enough — the algorithm detects patterns and blocks entire series of related domains.

    Researchers warn that a year-end surge in smishing is inevitable: amid holiday chaos, people shop online more frequently and scrutinize details less carefully. The danger is amplified by how eagerly scammers exploit any manufactured “urgency” — delayed parcels, account lockouts, and other fictional issues.

    To avoid falling prey to such schemes, experts advise resisting the temptation of chasing the lowest price and verifying the reputation of unfamiliar retailers. Newly created domains are particularly risky — simply check their creation date via WHOIS. For suspicious delivery-related messages, it is safer to navigate to the courier’s website manually rather than clicking embedded links. And for any online purchase, carefully review shipping terms, hidden fees, and return policies. Finally, monitoring card statements is essential: the holiday flood of legitimate transactions creates perfect cover for criminals to conceal fraudulent charges among them.

  • Beyond the Email: How New Mobile Phishing Scams Are Causing a “Ramp-and-Dump” Stock Frenzy

    Groups of cybercriminals specializing in mobile phishing have discovered a new way to profit from stolen credentials. Whereas they once focused on transferring compromised cards into digital wallets and selling them for fraudulent transactions, their attention has now shifted to brokerage services.

    Researchers at SecAlliance report a surge in so-called “ramp and dump” schemes, in which hijacked investor accounts are used to artificially inflate stock prices before selling them off at a premium. The mechanics closely mirror traditional pump-and-dump manipulations, but without the need to generate hype through social media.

    The playbook is straightforward: criminals first purchase shares of a chosen company, then use large numbers of compromised brokerage accounts to sharply increase trading volume. This activity drives prices upward, allowing them to sell at the peak and secure profits. The account holders, however, are left with devalued stocks, while brokerage platforms are forced to manage both financial losses and customer outrage. In February 2025, the FBI had already announced its search for victims of such schemes.

    According to SecAlliance, much of the supporting infrastructure for these attacks emerges from the Chinese-speaking corners of Telegram, where pre-built mobile phishing kits are openly traded. These kits enable spoofing of SMS, iMessage, and RCS notifications, convincingly imitating alerts from well-known brokers. Victims are tricked into believing their account has been frozen due to suspicious activity and are urged to verify their credentials via a provided link. Once they land on a fraudulent page, they unknowingly surrender their login, password, and one-time code, granting attackers full access to their accounts.

    The roots of this evolution trace back to 2022–2024, when criminals widely distributed phishing SMS messages impersonating U.S. postal services and toll operators. The objective then was to use verification codes to add victims’ cards to a criminal’s mobile wallet. Such devices, often loaded with dozens of stolen cards, were sold in bulk and used for contactless purchases and online fraud.

    The weak point was SMS-based one-time authentication, which attackers intercepted with ease. Today, while many banks have strengthened the process by requiring confirmation through mobile apps, this shift has merely driven criminals toward new targets—brokerage platforms.

    One figure who has gained notoriety in this sphere is the phishing-kit developer Outsider (formerly known as Chenlun). Her products allow customized templates for a variety of trading platforms. Demonstration videos on her channels showcase tools that mimic the interfaces of Charles Schwab, though they can just as easily be adapted for other market players.

    The core vulnerability lies in the fact that many brokers still rely on SMS or voice codes for two-factor authentication, leaving them exposed to these kinds of attacks. Schwab and Fidelity offer multiple delivery channels for verification codes, but only hardware security keys under the U2F standard, as adopted by Vanguard, truly mitigate phishing risks.
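    As an added illustration (not code from SecAlliance or from the article) of why the U2F-style keys mentioned above resist phishing while a relayed SMS code does not: the browser puts the origin it is actually displaying into the data the key signs, so an assertion obtained on a lookalike domain fails verification at the real broker, and a consumed challenge cannot be replayed. All names are constructed, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib, hmac, json, secrets

class Authenticator:
    """Stand-in for a U2F key: one secret per relying party, signs client data."""
    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        # Assumption of this toy model: the RP gets the HMAC key; real U2F hands over a public key.
        return self.keys[rp_id]

    def sign(self, rp_id, challenge, browser_origin):
        # The browser, not the web page, fills in the origin it is showing the user.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.keys[rp_id], client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}

class Broker:
    """Relying party: issues one-time challenges, accepts assertions only for its own origin."""
    def __init__(self, origin):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.keys, self.pending = {}, {}

    def enroll(self, user, key):
        self.keys[user] = key

    def new_challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify(self, user, assertion):
        data = json.loads(assertion["client_data"])
        expected = hmac.new(self.keys[user], assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, assertion["sig"])
                and data["challenge"] == self.pending.pop(user, None)   # single use
                and data["origin"] == self.origin)                       # origin binding

def login(broker, key, user, browser_origin):
    """Full exchange: challenge -> signed client data -> verification."""
    c = broker.new_challenge(user)
    return broker.verify(user, key.sign(broker.rp_id, c, browser_origin))

def demo():
    broker = Broker("https://broker.example")   # constructed relying party
    key = Authenticator()
    broker.enroll("alice", key.register(broker.rp_id))
    genuine = login(broker, key, "alice", "https://broker.example")
    # Same key and challenge flow, but the browser is on a lookalike domain: even if that
    # page relays the real rp_id and challenge, the signed origin no longer matches.
    relayed = login(broker, key, "alice", "https://broker-verify.example")
    return genuine, relayed   # (True, False)
```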

    The danger is compounded by the fact that entire groups are dedicated to distributing and exploiting these tools, increasingly employing automation and artificial intelligence to accelerate phishing-kit development. According to researchers, such developers leverage large language models for translation, interface generation, and simplified coding—lowering the barrier for new entrants and fueling the emergence of ever more sophisticated attacks.

    The greatest peril of the “ramp and dump” scheme is its near invisibility: criminals can operate legitimate accounts on Asian exchanges, and the sudden surge in stock prices appears to be nothing more than a natural market fluctuation. In the end, the victims are investors whose accounts are compromised, along with the brokerage firms themselves—forced to confront a new wave of fraud that fuses social engineering, technical subterfuge, and weaknesses in multi-factor authentication systems.