{"id":2070,"date":"2025-02-19T03:00:20","date_gmt":"2025-02-19T03:00:20","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/19\/how-phished-data-turns-into-apple-google-wallets\/"},"modified":"2025-02-19T03:00:20","modified_gmt":"2025-02-19T03:00:20","slug":"how-phished-data-turns-into-apple-google-wallets","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/19\/how-phished-data-turns-into-apple-google-wallets\/","title":{"rendered":"How Phished Data Turns into Apple & Google Wallets"},"content":{"rendered":"\n
How Phished Data Turns into Apple & Google Wallets<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Carding \u2014 the underground business of stealing, selling and swiping stolen payment card data \u2014 has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.<\/p>\n

\n\"\"<\/p>\n

An image from one Chinese phishing group\u2019s Telegram channel shows various toll road phish kits available.<\/p>\n<\/div>\n

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service<\/strong> to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.<\/p>\n

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or \u201csmishing<\/strong>\u201d messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage<\/strong> service and through RCS<\/a>, the functionally equivalent technology on Google<\/strong> phones.<\/p>\n

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer\u2019s mobile device. In reality, that code will be sent by the victim\u2019s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.<\/p>\n

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.<\/p>\n

CARDING REINVENTED<\/h2>\n

Ford Merrill<\/strong>\u00a0works in security research at\u00a0SecAlliance<\/a>, a\u00a0CSIS Security Group<\/a> company. Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves are loading multiple stolen digital wallets on a single mobile device, and then selling those phones in bulk for hundreds of dollars apiece.<\/p>\n

\u201cWho says carding is dead?,\u201d said Merrill, who presented about his findings at the M3AAWG<\/a> security conference in Lisbon earlier today. \u201cThis is the best mag stripe cloning device ever. This threat actor is saying you need to buy at least 10 phones, and they\u2019ll air ship them to you.\u201d<\/p>\n

One promotional video shows stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.<\/p>\n

\n\"\"<\/p>\n

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different UK financial institutions.<\/p>\n<\/div>\n

Merrill said one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on Stripe<\/strong> or Zelle<\/strong> and running transactions through those entities \u2014 often for amounts totaling between $100 and $500.<\/p>\n

Merrill said that when these phishing groups first began operating in earnest two years ago, they would wait between 60 to 90 days before selling the phones or using them for fraud. But these days that waiting period is more like just seven to ten days, he said.<\/p>\n

\u201cWhen they first installed this, the actors were very patient,\u201d he said. \u201cNowadays, they only wait like 10 days before [the wallets] are hit hard and fast.\u201d<\/span><\/p>\n

GHOST TAP<\/h2>\n

Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called \u201cZNFC<\/strong>\u201d that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.<\/p>\n