Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/stockfall.png?resize=750%2C315&ssl=1\")
<\/p>\nImage: Shutterstock, WhataWin.<\/p>\n<\/div>\n
This so-called \u2018ramp and dump<\/strong>\u2018 scheme borrows its name from age-old \u201cpump and dump\u201d scams, wherein fraudsters purchase a large number of shares in some penny stock, and then promote the company in a frenzied social media blitz to build up interest from other investors. The fraudsters dump their shares after the price of the penny stock increases to some degree, which usually then causes a sharp drop in the value of the shares for legitimate investors.<\/p>\n With ramp and dump, the scammers do not need to rely on ginning up interest in the targeted stock on social media. Rather, they will preposition themselves in the stock that they wish to inflate, using compromised accounts to purchase large volumes of it and then dumping the shares after the stock price reaches a certain value. In February 2025, the FBI<\/strong> said it was seeking information from victims of this scheme<\/a>.<\/p>\n \u201cIn this variation, the price manipulation is primarily the result of controlled trading activity conducted by the bad actors behind the scam,\u201d reads an advisory<\/a> from the Financial Industry Regulatory Authority<\/strong> (FINRA), a private, non-profit organization that regulates member brokerage firms. \u201cUltimately, the outcome for unsuspecting investors is the same\u2014a catastrophic collapse in share price that leaves investors with unrecoverable losses.\u201d<\/p>\n Ford Merrill <\/strong>is\u00a0a security researcher at\u00a0SecAlliance<\/a>, a\u00a0CSIS Security Group<\/a> company. Merrill said he has tracked recent ramp-and-dump activity to a bustling Chinese-language community that is quite openly selling advanced mobile phishing kits on Telegram.<\/p>\n \u201cThey will often coordinate with other actors and will wait until a certain time to buy a particular Chinese IPO [initial public offering] stock or penny stock,\u201d said Merrill, who has been chronicling the rapid maturation and growth of the China-based phishing community over the past three years.<\/p>\n \u201cThey\u2019ll use all these victim brokerage accounts, and if needed they\u2019ll liquidate the account\u2019s current positions, and will preposition themselves in that instrument in some account they control, and then sell everything when the price goes up,\u201d he said. \u201cThe victim will be left with worthless shares of that equity in their account, and the brokerage may not be happy either.\u201d<\/p>\n Merrill said the early days of these phishing groups \u2014 between 2022 and 2024 \u2014 were typified by phishing kits that used text messages to spoof the U.S. Postal Service<\/strong> or some local toll road operator, warning about a delinquent shipping or toll fee that needed paying. Recipients who clicked the link and provided their payment information at a fake USPS or toll operator site were then asked to verify the transaction by sharing a one-time code sent via text message.<\/p>\n In reality, the victim\u2019s bank is sending that code to the mobile number on file for their customer because the fraudsters have just attempted to enroll that victim\u2019s card details into a mobile wallet. If the visitor supplies that one-time code, their payment card is then added to a new mobile wallet on an Apple or Google device that is physically controlled by the phishers.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/02\/phishingphones.png?resize=750%2C567&ssl=1\")
<\/p>\n