115 Million US Payment Cards Compromised: Chinese Gangs Employ Sophisticated Phishing Tactics
Advanced Phishing Campaigns Threaten Data of 115 Million US Payment Cards

Sophisticated phishing campaigns, believed to be run by Chinese criminal groups, have revealed a serious threat that may have affected over 115 million payment cards in the United States within a single year. Cybersecurity experts warned that these operations represent a worrying development combining social engineering, real-time multi-factor authentication bypass techniques, and phishing infrastructure designed for large-scale expansion.
Phishing-as-a-Service (PhaaS) Platforms

Researchers at SecAlliance revealed that a mysterious figure known as "Lao Wang" is the mastermind behind the creation of a platform now widely used to collect mobile credentials. These platforms, which are known as "Phishing-as-a-Service" (PhaaS), are criminal business models that allow attackers to rent ready-made phishing infrastructure and tools, making it easier for them to launch complex attacks without the need for advanced technical expertise. These phishing kits are distributed through Telegram channels such as "dy-tongbu," which has contributed to their rapid spread among attackers.
These tools are carefully designed to avoid detection by security researchers and technical platforms, using advanced techniques such as precise geo-targeting, blocking suspicious IP addresses, and exclusively targeting mobile devices. This precise control gives attackers the ability to display phishing pages only to targeted victims, while hiding them from any traffic that might reveal their criminal activity.
Attack Mechanism and Multi-Factor Authentication Bypass

Attacks typically begin with a text message delivered over SMS, iMessage, or RCS, using common and convincing pretexts such as unpaid-fee alerts or parcel delivery updates to prompt victims to click a link leading to a fake verification page. There, users are asked to enter sensitive personal information, followed by their payment card details. These sites are usually built specifically for mobile devices, since those are the same devices that receive one-time passcodes (OTPs); this lets attackers capture the code as the victim types it in and bypass multi-factor authentication (MFA) in real time.
Once the attackers have obtained the card data and the OTP, they immediately enroll the card in a digital wallet such as Apple Pay or Google Pay on a device they control. This step allows them to bypass the additional verification procedures that would normally apply to card-not-present transactions. Researchers described this method as a "fundamental" shift in payment card fraud methodologies, enabling attackers to use the stolen data in physical stores, online, and even to withdraw money from ATMs without the need for the plastic card.
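The wallet-enrolment step described above is where an issuer can still intervene: a device that tokenises cards belonging to several unrelated cardholders in a short window, or whose location does not match the billing address, is a strong signal of the fraud pattern the researchers describe. The following is an added illustration of such a detection rule, not code from the article or from SecAlliance; the log fields (device id, hashed card id, cardholder id, billing and device country, timestamp) and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed issuer-side wallet-provisioning log (illustrative, not real data).
# Assumed fields: device id, hashed card id, cardholder id, billing country,
# country of the device/IP making the request, and the request timestamp.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "device": "phone-01", "card": "card-111", "holder": "alice", "bill_cc": "US", "dev_cc": "US"},
    {"ts": "2024-03-01T09:05:00", "device": "phone-77", "card": "card-222", "holder": "bob",   "bill_cc": "US", "dev_cc": "CN"},
    {"ts": "2024-03-01T09:07:00", "device": "phone-77", "card": "card-333", "holder": "carol", "bill_cc": "US", "dev_cc": "CN"},
    {"ts": "2024-03-01T09:09:00", "device": "phone-77", "card": "card-444", "holder": "dave",  "bill_cc": "US", "dev_cc": "CN"},
    {"ts": "2024-03-03T12:00:00", "device": "phone-77", "card": "card-555", "holder": "erin",  "bill_cc": "US", "dev_cc": "CN"},
]


def score_provisioning(events, window=timedelta(hours=24), max_holders=1):
    """Flag devices whose wallet enrolments look like bulk loading of stolen cards.

    Two rules, both parameterised so an issuer can tune them:
      * country_mismatch: the enrolling device/IP is in a different country
        than the card's billing address;
      * multi_cardholder_device: one device enrols cards of more than
        `max_holders` distinct cardholders within the sliding `window`.
    Returns {device_id: sorted list of rule names that fired}.
    """
    recent = defaultdict(list)   # device -> [(timestamp, cardholder)] inside the window
    findings = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        dev = ev["device"]
        if ev["dev_cc"] != ev["bill_cc"]:
            findings[dev].add("country_mismatch")
        # Drop enrolments that have aged out of the window, then add this one.
        recent[dev] = [(t, h) for t, h in recent[dev] if ts - t <= window]
        recent[dev].append((ts, ev["holder"]))
        if len({h for _, h in recent[dev]}) > max_holders:
            findings[dev].add("multi_cardholder_device")
    return {dev: sorted(rules) for dev, rules in findings.items()}


if __name__ == "__main__":
    for device, rules in score_provisioning(SAMPLE_EVENTS).items():
        print(device, rules)
```

A flagged device is a candidate for blocking the token or forcing an out-of-band step-up with the cardholder, rather than relying on the OTP the attacker has already relayed.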
Evolution of Fraud Strategies and Monetization

It has been observed that criminal networks are no longer limited to phishing campaigns via text messages, but have expanded to more deceptive methods. There is increasing evidence of fake e-commerce sites and fraudulent intermediary platforms being used to collect credentials from unsuspecting users who believe they are completing genuine transactions. These operations have evolved to include multiple layers of monetization, including the sale of devices pre-loaded with malware, the creation of fake merchant accounts, and the use of paid advertisements on major platforms such as Google and Meta to reach a larger number of victims.

While card issuers and banks seek effective ways to defend against these evolving threats, standard security solutions, such as firewall protection and text message filters, may only provide limited protection given the high precision and customized targeting that characterize these attacks.
How to Protect Yourself from These Attacks?

Given the secretive nature of these campaigns, there is no public, unified database that records all affected cards. However, individuals can take the following steps to assess whether they have been compromised and protect themselves:
- Review recent transactions: Regularly check your bank statements and credit card statements for any transactions you did not make.
- Look for unexpected activity in your digital wallet: Monitor for any additions of your cards in wallets such as Apple Pay or Google Pay that you did not initiate yourself.
- Monitor verification requests: Be wary of any messages asking for verification codes or one-time passwords (OTP) that you did not request.
- Check breach notification services: Use breach notification services, which are specialized websites that allow you to find out if your email or personal data has appeared in known data breaches.
- Activate instant transaction alerts: Enable instant notifications via text message or email for every transaction made using your cards.
Unfortunately, millions of users may remain unaware that their data has been exploited in large-scale identity theft and financial fraud, which no longer relies solely on traditional breaches but has evolved to include more deceptive and complex methods.