Fraudsters Tokenize Stolen Cards Into Attacker Wallets

That legitimate-looking website asking for a one-time authentication code might actually help Chinese phishers pay for the next luxury vacation they will brag about on Telegram.
Chinese-language phishing-as-a-service products now support digital wallet fraud by interacting with victims in real time to bypass multifactor authentication through encrypted channels like iMessage, Google Threat Intelligence Group warned Monday.
Russia historically dominated phishing-as-a-service, but Chinese-language offerings have grown rapidly as artificial intelligence translation lets Chinese cybercriminals generate lures in other languages with little effort. Scam text messages enabled by Chinese PhaaS providers flood phones globally. The most prominent of the bunch, tracked as Darcula or Magic Cat, accounted for 80% of all phishing texts in the United States, said Google’s Vice President of Litigation Cassandra Knight when Google filed a lawsuit against the group last year.
One PhaaS platform, YY Lai Yu, supports phishing across 119 countries and has offered more than 400 phishing templates adapted to local audiences over the past eight months. Mostly targeting Japan, the group lures victims with fake websites of Japanese lifestyle brands and expiring reward points that purportedly can be redeemed for cash or gifts.
AI is also allowing operators to clone legitimate websites by feeding URLs into automation tools like Puppeteer, which replicate the sites’ HTML, CSS, JavaScript and visual elements. Darcula has used this technique to scam hundreds of thousands of people worldwide.
Chinese cybercriminals aren’t shy about boasting about their ill-gotten gains, Google found. They operate with less regard for operational security than their Russian counterparts, regularly filling social media with photos of a crime-fueled luxury lifestyle. Telegram is their favorite social network, as opposed to regional alternatives such as WeChat or Tencent QQ. That preference “is consistent with the broader Chinese-language cybercrime ecosystem,” Google wrote.
Google says phishing services are also moving away from stealing static passwords in favor of real-time interception and tokenization.
Attackers begin by sending engaging texts, high-resolution images or videos via Android-native Rich Communication Services or Apple’s iMessage, channels that support read receipts, typing indicators and group chats. Because these channels are end-to-end encrypted, server-side delivery infrastructure cannot inspect or filter malicious links in transit. They also offer a sense of intimacy ideal for social engineering.
When a phishing victim enters credentials and triggers a one-time passcode, the attacker receives login data on an administrative panel and relays the authentication code seconds before the code expires.
“Attackers use captured credentials and OTPs to provision the victim’s card into a digital wallet on an attacker-controlled device. Once tokenized, the card can be used for high-value transactions, contactless payments and ATM withdrawals,” Google said.
“As these operators continue to refine their tooling, the goal for defenders must shift from simply ‘detecting’ a phish to making the victim’s credentials technically impossible to weaponize,” Google said. “For example, transitioning to FIDO2/WebAuthn infrastructure represents an effective countermeasure against the real-time interception of account authentication OTPs.”
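To show why the FIDO2/WebAuthn recommendation holds against the relay flow described above, here is an added Python example (not from the article or from Google) contrasting a plain TOTP check, which accepts a relayed code, with the origin and rpIdHash checks a WebAuthn relying party performs before ever looking at the signature. The domain names, TOTP seed and challenge are constructed placeholders, and the public-key signature check is left out because no key material is involved.

```python
import hashlib
import hmac
import json

# Constructed sample values (not from the article): the bank's relying-party ID,
# its real origin, and a look-alike origin that relays what the victim types.
RP_ID = "bank.example"
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example-rewards.net"

def totp_code(secret: bytes, counter: int) -> str:
    """RFC 6238-style 6-digit code for one time step (HMAC-SHA1 dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"

def otp_login_ok(secret: bytes, submitted: str, counter: int) -> bool:
    """The server only checks digits and time step. It cannot tell whether the
    code was typed into bank.example or relayed from a phishing page."""
    return hmac.compare_digest(totp_code(secret, counter), submitted)

def browser_client_data(origin: str, challenge: str) -> bytes:
    """What the victim's browser embeds in the signed assertion: the origin it is
    actually on. A phishing page cannot make the browser write the bank's origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData are SHA-256(rpId); flags and a
    signature counter follow. The browser derives rpId from the page's domain."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")

def webauthn_login_ok(client_data: bytes, auth_data: bytes,
                      expected_challenge: str, expected_origin: str = LEGIT_ORIGIN,
                      rp_id: str = RP_ID) -> bool:
    """Relying-party checks from the WebAuthn assertion verification procedure that
    run before the signature check. Any mismatch rejects a relayed assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", "").encode(), expected_challenge.encode()):
        return False
    if cd.get("origin") != expected_origin:  # origin binding: phishing origin fails here
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():  # rpIdHash binding
        return False
    # The signature would be verified here over auth_data + SHA-256(client_data)
    # with the credential's registered public key (omitted: no key material here).
    return True
```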
