China-based phishing groups have pivoted to new tactics, targeting consumers with SMS lures promising unclaimed tax refunds and mobile rewards points, as well as fake e-commerce websites that convert payment card data into mobile wallets from Apple and Google.

What Happened

Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple's iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days. The phishing websites will only load if the recipient visits with a mobile device, and they ask for the visitor's name, address, phone number, and payment card data to claim the points.

If card data is submitted, the site then prompts the user to share a one-time code sent via SMS by their financial institution. In reality, the bank is sending the code because the fraudsters have just attempted to enroll the victim's phished card details in a mobile wallet from Apple or Google.

Background and Context

Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points. Ford Merrill, who works in security research at SecAlliance, a CSIS Security Group company, said multiple China-based cybercriminal groups that sell phishing-as-a-service platforms have been using the mobile points lure for some time.

These points redemption schemes have not been very popular in the U.S., but have been in other geographies like the EU and Asia for a while now. Merrill noted that the same Chinese phishing kits used to blast out package redelivery message scams are equipped with modules that make it simple to quickly deploy a fleet of fake but convincing e-commerce storefronts.

These phony stores are typically advertised on Google and Facebook, and consumers usually end up at them by searching online for deals on specific products. The customer supplies their payment card and personal information as part of the normal check-out process, which is then punctuated by a request for a one-time code sent by their financial institution.

Why it Matters to the Industry

The rise of these phishing kits poses significant challenges to adult-industry platforms and operators. With the ability to quickly deploy fake e-commerce websites that convert payment card data into mobile wallets, scammers can bypass traditional security measures such as two-factor authentication.

This tactic also allows them to evade detection by safe browsing tools, making it difficult for platform operators to identify and block these malicious sites. Furthermore, the use of SMS lures promising unclaimed tax refunds and mobile rewards points adds an extra layer of complexity in identifying and mitigating phishing attacks.

What Comes Next

As the holiday shopping season approaches, adult-industry platforms and operators must be vigilant in monitoring for these types of phishing attacks. Reporting suspicious SMS messages and websites is crucial in getting them properly identified and shut down.

Raymond Dijkxhoorn, CEO and founding member of SURBL, a widely used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing, and malware distribution, emphasized the importance of user reporting. If a domain is unlisted, SURBL can find and add the new pattern and kill the rest of the matching domains.

Key Facts

  • Thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points.
  • The phishing domains are being promoted by scam messages sent via Apple's iMessage service or the functionally equivalent RCS messaging service built into Google phones.
  • Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.
  • Multiple China-based cybercriminal groups sell phishing-as-a-service platforms, which have been using the mobile points lure for some time.
  • The fake e-commerce websites can convert payment card data into mobile wallets from Apple and Google.