Introduction
China-based cybercriminals known as the “Smishing Triad” have emerged as a major global phishing threat. These loosely federated groups run sophisticated phishing-as-a-service (PhaaS) operations to steal payment card data and enroll victims’ cards into mobile wallets like Apple Pay and Google Pay. They impersonate toll road agencies, postal services, and now financial institutions to execute large-scale SMS phishing campaigns.
Operations and Tactics
Instead of using traditional SMS, the Triad uses Apple iMessage and Android RCS to bypass spam filters and deliver phishing links directly to victims. These messages usually claim there are unpaid tolls or issues with package deliveries. Victims who click the links are taken to fake websites that impersonate legitimate services.
After entering their credit card information, victims are tricked into entering a one-time passcode (OTP), supposedly to verify the transaction. In reality, the OTP is used by the attacker to enroll the stolen card into their own mobile wallet, enabling them to make fraudulent purchases almost instantly.
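As an added defender-side example (not code from the article or from any of the groups it names), the Python script below scores text messages on the cues this section and the conclusion describe: a toll, delivery or card-verification pretext, urgency, an OTP request, and a link whose host names a brand without being that brand's domain. The brand-to-domain table and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand keyword -> domain the brand legitimately uses (assumed list for this example).
BRAND_DOMAINS = {"usps": "usps.com", "paypal": "paypal.com", "visa": "visa.com"}
# Pretexts, urgency cues and OTP wording of the kind the article describes.
LURES = ("unpaid toll", "toll balance", "package", "delivery", "verify your card")
URGENCY = ("immediately", "within 24 hours", "final notice")
OTP_WORDS = ("one-time", "otp", "verification code", "passcode")
URL_RE = re.compile(r"https?://\S+")

def lookalike_host(url: str) -> bool:
    """True when the link's host names a brand but is not that brand's domain."""
    host = (urlparse(url).hostname or "").lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and host != legit and not host.endswith("." + legit):
            return True
    return False

def score_message(text: str) -> dict:
    """Count the smishing cues present in one message and return them with a verdict."""
    lowered = text.lower()
    urls = URL_RE.findall(text)
    cues = {
        "lure": any(k in lowered for k in LURES),
        "urgency": any(k in lowered for k in URGENCY),
        "otp_request": any(k in lowered for k in OTP_WORDS),
        "has_link": bool(urls),
        "lookalike_link": any(lookalike_host(u) for u in urls),
    }
    score = sum(cues.values())
    # Three or more cues together is the threshold used here; tune it for your own data.
    return {**cues, "score": score, "verdict": "suspicious" if score >= 3 else "benign"}

# Constructed sample messages (not real captures).
SAMPLES = [
    "USPS: your package could not be delivered. Confirm your address within 24 hours: https://usps-redelivery.top/track",
    "Final notice: you have an unpaid toll balance of $6.99. Pay immediately at https://toll-pay-service.cc/ to avoid a penalty.",
    "Hi, running 10 minutes late, see you at the cafe.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = score_message(msg)
        print(result["verdict"], result["score"], msg[:60])
```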
Key Groups: Darcula, Lighthouse, Xinxin
- Darcula: Specializes in global postal and delivery scams. Known for using thousands of domains and slick phishing templates.
- Lighthouse: A newer platform targeting banking customers, with phishing kits that impersonate MasterCard, Visa, Stripe, and PayPal.
- Xinxin Group (Black Technology): The backbone of the Triad’s infrastructure, responsible for developing platforms like Lucid and operating at global scale.
Common Targets
Smishing Triad operations have impersonated a wide range of brands, including:
- CitiGroup
- MasterCard
- PayPal
- Stripe
- Visa
They’ve shifted from postal agencies and toll services to banks and payment processors, increasing the potential damage to victims.
Language and Infrastructure Clues
Their phishing messages often contain grammatical errors and awkward phrasing—clues that suggest a lack of fluency in English. These issues, combined with Chinese-language admin panels, Chinese hosting services, and Telegram advertisements, point to the group’s origin.
Conclusion
The Smishing Triad represents a scalable, industrialized form of phishing. Their use of mobile wallet fraud and innovative distribution methods makes them a rising threat. Users must be cautious of urgent texts, unfamiliar URLs, and OTP requests tied to unsolicited messages.
“Awareness is the first defense. Even the most convincing scams can often be undone by a single moment of skepticism.”