One of the most prominent of the smishing actors is often referred to as the Smishing Triad—although security researchers group Chinese-speaking threat actors and affiliates in different ways—which has impersonated organizations and brands in at least 121 countries, according to recent research by security company Silent Push.
Around 200,000 domains have been used by the group in recent years, the research says, with around 187 top-level domains—such as .top, .world, and .vip—being used. Across one recent 20-day period, there were more than 1 million page visits to scam websites used by the Smishing Triad, according to Silent Push.
Besides collecting names, emails, addresses, and bank card details, the websites also prompt people to enter one-time passwords or authentication codes that allow the criminals to add bank cards to Apple Pay or Google Wallet, allowing them to use the cards while on the other side of the world.
“They have effectively turned the modern digital wallet, like Apple Pay or Google Wallet, into the best card-cloning device we’ve ever invented,” Merrill says.
In Telegram groups linked to the cybercriminal organizations, some members share photos and videos of bank cards being added to digital wallets on iPhones and Androids. For instance, in one video, scammers allegedly show off dozens of virtual cards that they have added to phones they are using.
Merrill says the criminals may not make payments using the cards they’ve added to digital wallets straightaway, but it probably won’t take long.
“When we first started seeing this, they would wait between 60 and 90 days before actually stealing money from the cards,” he explains, adding that at first the criminals would let the cards “age” on a device in an attempt to look legitimate. “Nowadays you would be lucky if they wait seven days or even a couple days. Once they hit the card, they hit it hard and fast.”
“Security is core to the Google Wallet experience, and we work closely with card issuers to prevent fraud,” says Google communications manager Olivia O’Brien. “For example, banks notify customers when their card has been added to a new Wallet, and we provide signals to help issuers detect fraudulent behavior so they can decide whether to approve added cards.”
Apple did not respond to WIRED’s request for comment.
The giant scam ecosystem is powered in part by commercial underground scamming services. Findings from security firm Resecurity, which has tracked the Smishing Triad for more than two years, says the group has been using “bulk” SMS and message-sending services as it has expanded the number of messages it sends.
Meanwhile, as multiple security researchers have noted, the Smishing Triad group also uses its own software, called Lighthouse, to collect, manage, and store people’s personal information and card details. A video of the Lighthouse software originally shared on Telegram and republished by Silent Push shows how the system collects card details.
The latest version of the software, which was updated in March this year, “targets dozens of financial brands” including PayPal, Mastercard, Visa, and Stripe, Silent Push says. In addition, the research says, Australian banking brands appear to be impersonated, indicating a potential further expansion of targets.
