Massive Smishing Campaign May Have Exposed 115M US Payment Cards — How the Attack Works and How to Protect Yourself


2025-08-10
Maya Thompson

Overview: A large-scale mobile phishing campaign targets U.S. payment cards

Security researchers warn that a sophisticated wave of mobile-focused phishing, commonly called "smishing" and linked to Chinese-speaking cybercriminal groups, may have compromised up to 115 million U.S. payment cards in a period of just over a year. The analysis from SecAlliance highlights how modern social engineering has merged with real-time authentication bypass techniques and scalable phishing infrastructure to create a new era of card fraud.

How the campaigns operate

Phishing kits and distribution

At the heart of the operations are reusable phishing toolkits spread via a Telegram channel known as "dy-tongbu." These kits are engineered for stealth: they employ geofencing to limit exposure to the intended region, IP and user-agent blocks to keep security researchers out, and mobile-device targeting so pages only display to likely victims.

Social engineering and delivery vectors

Attackers typically send SMS, iMessage or RCS messages that mimic legitimate notifications (package delivery alerts, toll charges, or account verification prompts) to coax recipients into tapping links that lead to mobile-optimized fake verification pages. Victims are asked to enter personal data and payment card details; because the harvested card data is used immediately, the page's one-time password (OTP) prompt is timed to appear as the issuer's genuine OTP arrives on the victim's phone, so the victim hands over a live code.
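As an added illustration of the filtering problem these lures create (example code written for this page, not code from SecAlliance or the article's author), the following Python triages an SMS body by pairing a lure pretext with a link whose domain is not the brand's own. The keyword lists, the brand allowlist, the scoring thresholds and the sample messages are constructed assumptions, and the registrable-domain helper is a deliberate simplification.

```python
"""Added example, not part of the original article: heuristic triage of
an SMS body for the lure pretexts described above (delivery, toll and
account-verification) combined with a link that does not resolve to the
brand it imitates. Keyword lists, the brand allowlist, thresholds and the
sample messages are constructed assumptions for illustration."""
import re
from urllib.parse import urlparse

# Pretext keywords per lure category (assumption; tune from real campaign data).
LURE_KEYWORDS = {
    "delivery": ("package", "parcel", "delivery", "redeliver", "shipment"),
    "toll": ("toll", "unpaid balance", "fastrak", "e-zpass"),
    "verification": ("verify", "verification", "confirm your", "suspended", "locked"),
}

# Constructed allowlist: registrable domains a genuine sender would link to.
BRAND_DOMAINS = {"usps.com", "fedex.com", "ups.com", "e-zpassny.com"}

# Matches full http(s) URLs, or bare domains with an optional path ("pay-now.top/x").
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|(?<![\w@])[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I
)


def extract_urls(text):
    """Return URLs found in the text, normalised to carry a scheme."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:!?)")
        if not u.lower().startswith(("http://", "https://")):
            u = "http://" + u
        urls.append(u)
    return urls


def registrable_domain(host):
    """Naive eTLD+1: last two labels (ignores suffixes such as co.uk; assumption)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_impersonated(host):
    """True if an allowlisted brand name appears as a label, or a hyphenated
    label prefix, of a host whose registrable domain is not the brand's own."""
    for brand in BRAND_DOMAINS:
        name = brand.split(".")[0]
        if re.search(rf"(^|[.-]){re.escape(name)}([.-]|$)", host.lower()):
            return True
    return False


def classify_lures(text):
    t = text.lower()
    return [cat for cat, words in LURE_KEYWORDS.items() if any(w in t for w in words)]


def triage_sms(text):
    """Score one message; returns lure categories, suspicious links and a verdict."""
    lures = classify_lures(text)
    suspicious = []
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in BRAND_DOMAINS:
            continue  # link goes to the brand's own domain
        reasons = ["unlisted_domain"]
        if brand_impersonated(host):
            reasons.append("brand_lookalike")
        if host.count(".") >= 3:
            reasons.append("deep_subdomain")
        suspicious.append({"url": url, "host": host, "reasons": reasons})
    score = 1 if lures else 0
    if suspicious:
        score += 2
    if any("brand_lookalike" in s["reasons"] for s in suspicious):
        score += 2
    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"lures": lures, "suspicious_urls": suspicious, "score": score, "verdict": verdict}


# Constructed sample messages modelled on the pretexts in the article.
SAMPLE_SMS = [
    "USPS: Your package could not be delivered. Update your address at https://usps-redelivery.info/track",
    "E-ZPass: You have an unpaid balance for a toll. Pay now at ezpass-toll.top/pay to avoid a $50 fee.",
    "Your FedEx package 7891 is out for delivery. Track at https://www.fedex.com/track?id=7891",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(triage_sms(sms)["verdict"], "|", sms[:60])
```

The first sample scores "block" (delivery lure plus a usps- lookalike on an unlisted domain), the second "review" (toll lure plus an unlisted bare domain), and the legitimate FedEx message "allow" because its link resolves to the brand's own registrable domain. A production filter would replace the two-label domain helper with a public-suffix list and feed the unlisted hosts to threat intelligence and URL rewriting, which the "Advanced SMS filtering" bullet later on the page refers to.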

Technical evolution: OTP and digital wallet abuse

Once card details and OTPs are harvested in real time, criminals provision the cards into digital wallets on devices they control. That allows attackers to complete card-not-present transactions and, critically, to use the provisioned cards at physical terminals, online retailers, and ATMs without ever holding the physical plastic. Researchers describe the pivot to digital wallet provisioning as a fundamental shift in card fraud methodology.

Who is behind it?

Investigators have identified an individual known as "Lao Wang" as the originator of a widely used mobile-credential harvesting platform now adopted across a spectrum of criminal groups. The ecosystem has matured: it now includes fake ecommerce storefronts, sham brokerage sites, preloaded devices, fraudulent merchant accounts, and even paid ad placements on major platforms to drive traffic.

Product features, comparisons and advantages of anti-fraud solutions

Financial institutions and security vendors are adapting. Modern anti-fraud and mobile security products include features such as:

  • Behavioral biometrics to detect suspicious interactions that bypass OTPs
  • Device fingerprinting and cryptographic attestation for verifying wallet provisioning
  • Real-time transaction scoring and adaptive MFA challenges
  • Advanced SMS filtering with threat intelligence and URL rewriting

Compared to legacy antivirus suites and basic SMS filters, these solutions deliver stronger protection because they act on fraud signals (behavior, device integrity, transaction context) rather than relying on signature-based detection of known-bad content alone.
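How an issuer or wallet provider might apply these signals at the provisioning step, as an added example (written for this page, not the article's or any vendor's code): the scorer below combines per-device card velocity, device age, geography and the OTP channel to decide whether to approve, step up or decline a wallet provisioning request, and uses the attack pattern from the "Technical evolution" section (many stolen cards loaded onto one criminal-controlled device, authorised with a relayed SMS OTP) as its scenario. The field names, weights, thresholds and sample requests are assumptions.

```python
"""Added example, not part of the original article: a risk scorer for
digital-wallet provisioning requests that applies the device-fingerprint,
transaction-scoring and adaptive-MFA ideas from the feature list above to
the attack pattern described earlier (many stolen cards loaded onto a device
the criminal controls, authorised with an SMS OTP relayed through a phishing
page). Field names, weights, thresholds and the sample requests are
constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProvisionRequest:
    card_token: str              # issuer token for the card, never the raw PAN
    device_id: str               # wallet provider's device fingerprint / attestation id
    device_first_seen_days: int  # age of this device in the provider's records
    device_country: str
    cardholder_country: str
    otp_channel: str             # "sms" or "in_app"


class ProvisioningScorer:
    """Scores each request against the device's recent history and returns
    (decision, score, reasons). Decisions: approve, step_up, decline."""

    def __init__(self, velocity_limit=3):
        self.velocity_limit = velocity_limit
        self.cards_per_device = defaultdict(set)  # device_id -> distinct cards attempted

    def score(self, req):
        score, reasons = 0, []
        prior = self.cards_per_device[req.device_id]
        # Velocity: a consumer device rarely collects several different cards in a
        # short window; a device used to cash out stolen cards does.
        if req.card_token not in prior and len(prior) >= self.velocity_limit:
            score += 40
            reasons.append("device_velocity")
        if req.device_first_seen_days < 1:
            score += 20
            reasons.append("new_device")
        if req.device_country != req.cardholder_country:
            score += 25
            reasons.append("geo_mismatch")
        # An SMS OTP is exactly the factor a phishing page relays; trust it less on
        # a device the provider has never seen before.
        if req.otp_channel == "sms" and req.device_first_seen_days < 1:
            score += 15
            reasons.append("sms_otp_on_new_device")
        # Record the attempt whether or not it is approved, so repeated tries count.
        prior.add(req.card_token)
        if score >= 60:
            decision = "decline"
        elif score >= 30:
            decision = "step_up"  # adaptive MFA: in-app approval or issuer call-back
        else:
            decision = "approve"
        return decision, score, reasons


# Constructed scenario: one legitimate cardholder on a long-known phone, then one
# never-seen device loading four different victims' cards with SMS OTPs.
SAMPLE_REQUESTS = [
    ProvisionRequest("tok-owner", "dev-owner-phone", 400, "US", "US", "in_app"),
    ProvisionRequest("tok-victim-1", "dev-fraud", 0, "US", "US", "sms"),
    ProvisionRequest("tok-victim-2", "dev-fraud", 0, "US", "US", "sms"),
    ProvisionRequest("tok-victim-3", "dev-fraud", 0, "US", "US", "sms"),
    ProvisionRequest("tok-victim-4", "dev-fraud", 0, "US", "US", "sms"),
]


def run_scenario(requests=SAMPLE_REQUESTS, velocity_limit=3):
    """Run the requests through one scorer; returns (card, decision, score, reasons)."""
    scorer = ProvisioningScorer(velocity_limit)
    return [(r.card_token,) + scorer.score(r) for r in requests]


if __name__ == "__main__":
    for card, decision, score, reasons in run_scenario():
        print(f"{card:<14} {decision:<8} {score:>3}  {','.join(reasons)}")
```

In the scenario the cardholder's own request scores zero and is approved; the first three cards on the fraud device each hit step-up (new device plus SMS-only OTP), which an attacker who only holds a relayed SMS code cannot satisfy; the fourth card trips the velocity rule and is declined outright. Real deployments would add signals the page mentions only in passing, such as hardware attestation of the requesting device and behavioral biometrics from the enrolment session.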

Use cases and market relevance

Use cases for enhanced fraud controls include card issuers preventing account takeover, digital wallet providers validating provisioning requests, merchants reducing chargebacks, and telcos protecting subscribers from smishing. As digital payments and mobile wallets grow globally, demand for sophisticated anti-fraud technology, tokenization services, and transaction monitoring has become a major market driver for fintech and cybersecurity vendors.

Practical steps: How to check if you may be affected

Because these campaigns are covert and there’s no single public registry of affected cards, individuals should take proactive steps to detect misuse:

  • Review recent bank and card transactions for unfamiliar charges.
  • Check digital wallet activity and remove unknown cards or devices.
  • Monitor for OTP or verification requests you didn’t initiate.
  • Use breach-notification services to see if your data appears in known leaks.
  • Enable real-time transaction alerts and set low thresholds for notifications.
  • Consider replacing cards if you see suspicious provisioning or transactions.

Conclusion

Smishing campaigns have evolved from low-skill SMS scams into highly targeted operations that combine social engineering, real-time credential harvesting, and digital wallet provisioning. Organizations must upgrade defenses beyond traditional firewalls and antivirus to include behavioral analytics, tokenization and device attestation. Consumers should remain vigilant: monitor accounts, enable alerts, and treat unexpected verification requests as potential compromise indicators.

"Hi, I’m Maya — a lifelong tech enthusiast and gadget geek. I love turning complex tech trends into bite-sized reads for everyone to enjoy."
