A massive Chinese phishing cartel unveiled: 2 million SMSes sent daily


A Chinese cybercrime group is running a massive SMS phishing campaign capable of reaching every American with Apple iMessages, Android RCS messages, and SMSes at least twice a year. A new automated toolkit is offered as a service to other criminals, stealing credit cards and other personal information.

Researchers at Resecurity have discovered a new SMS phishing (smishing) kit being offered on cybercrime forums with “no fear of the FBI.”

The toolkit is named “Panda Shop.” It already has multiple Telegram channels and interactive bots to automate crime-as-a-service delivery. It appears to overlap with Smishing Triad and is a rebranded version of that earlier project.


“They have emphasized in their communications that they do not care about US law enforcement agencies. Residing in China, they enjoy complete freedom of action and engage in many illegal activities,” the researchers said in a report.

Resecurity researchers are impressed by the scale of global smishing activity generated by Chinese cybercriminals.

The gang on Telegram advertised the capabilities of sending up to 2 million SMS phishing messages every day, which translates into 60 million messages every month and 720 million per year.

“The damages they generate could be estimated at tens to hundreds of millions of dollars for consumers and businesses.”

For most of the messages, the gang doesn’t even need cellular connectivity – they leverage Google RCS and Apple iMessage as the primary phishing delivery methods. RCS and iMessage use internet-based communication and provide a rich set of tools and engagement features for creating convincing attacks.

“The bad actors buy compromised Apple and Gmail accounts in bulk to facilitate distribution. Multiple requests by their peers to acquire such large volumes of accounts were identified,” the report said.

The group also uses SMS gateways, the specialized equipment network operators use to send SMS messages in bulk. Resecurity observed cybercriminals looking for routes to reach subscribers of specific mobile carriers abroad.


Crime-as-a-service offerings are extremely popular in the Chinese underground ecosystem, and Telegram dominates as the main communication channel for cybercriminals there.

Multiple hacking groups that leverage the new Panda Shop to target Google Wallet and Apple Pay, harvest traditional credit card and personal data, and intercept transactions have already been identified. Cybercriminals also use other NFC tools to steal money.

“The actors behind smishing campaigns are tightly connected with those involved in merchant fraud and money laundering activity,” Resecurity observed.

The kit helps impersonate many legitimate brands

Panda Shop, like the Smishing Triad, offers a customized SMS phishing kit that can be deployed on any server and tailored to the buyer’s needs. New clients receive access credentials by contacting Panda Shop’s customer support via Telegram.

The kit supports many templates mimicking various brands in the US and other countries, including popular internet service providers, government websites, delivery companies, and others.

Panda Shop also misuses IP reputation services to check if the victims are legitimate, which helps to bypass anti-scam solutions or identification by security researchers.

The malicious templates are customized for popular mobile platforms and browsers.

“When a victim opens such a page, it looks like they are visiting a legitimate USPS website, which sent a mobile notification requesting additional information to receive a parcel,” the researchers describe.


However, malicious websites collect the requested information, such as credit card data, and send it to Chinese cybercriminals. The intercepted data then goes to underground carding shops, where it is sold to other cybercriminals.

The cybercriminals previously discussed attacks against Bank of America, Citibank, JP Morgan Chase, Capital One, and many others, as well as UK financial institutions.

Security misconfigurations allowed the researchers to identify Shanghai as the bad actors’ time zone. Their domain was registered via a Chinese company that had previously been accused of severely violating the Internet Corporation for Assigned Names and Numbers’ (ICANN’s) rules.


“Our investigators suspect the group includes Smishing Triad members who transitioned their operations under the new brand after being publicly shamed. The kit’s structure and scripting scenarios analyzed by Resecurity mimic the same product but include specific improvements and new supported templates,” the researchers said.

The report underscores that the geopolitical situation between China and the US hinders the fight against this type of fraud. Most of the arrests have been related to money mules that facilitate second-stage operations at ATMs or POS merchants, and not to the main perpetrators behind the crime.