China-based groups selling phishing-as-a-service kits for mobile-points smishing
Threat Actor Meta
Summary
Hide ▲
Show ▼
Multiple China-based cybercriminal groups are selling phishing-as-a-service platforms that reuse the same scam infrastructure across mobile points, tax-refund, and fake e-commerce lures, expanding the fraud ecosystem now being aimed at U.S. consumers. The shift matters because it makes the scam supply chain easier to scale, harder to disrupt, and more profitable for operators who can rapidly spin up new storefronts and SMS lures. The same model also increases the chance that victims will hand over payment card data and one-time codes needed to enroll cards in mobile wallets.
Related Happenings
Shop fake receipt callback phishing campaign
Campaign
H score29
First: 25.06.2026 22:45
Last: 25.06.2026 22:45
Sources 1
About this happening:
Threat actors are **abusing Shop** by planting **fake purchase receipts** in order histories, turning a trusted shopping app into a **callback-phishing lure** that can expose **ac...
Shop fake receipt callback phishing campaign
CampaignAbout this happening: Threat actors are **abusing Shop** by planting **fake purchase receipts** in order histories, turning a trusted shopping app into a **callback-phishing lure** that can expose **ac...
FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots
Threat Actor Meta
H score42
First: 05.06.2026 10:01
Last: 05.06.2026 10:01
Sources 1
About this happening:
A **FIFA-themed phishing-as-a-service market** is selling **ready-made scam kits** and **ticket-buying bots**, lowering the barrier for fraud operators and making takedowns less e...
FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots
Threat Actor MetaAbout this happening: A **FIFA-themed phishing-as-a-service market** is selling **ready-made scam kits** and **ticket-buying bots**, lowering the barrier for fraud operators and making takedowns less e...
Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
H score36
First: 04.06.2026 23:47
Last: 04.06.2026 23:47
Sources 1
About this happening:
The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Magecart Stripe and Google Tag Manager card-skimming campaign
CampaignAbout this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
H score33
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
CampaignAbout this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Refund-fraud communities commoditize refund abuse into a service market
Threat Actor Meta
H score75
First: 18.03.2026 16:05
Last: 18.03.2026 16:05
Sources 1
About this happening:
Underground fraud communities have **commoditized refund abuse** into a service market, increasing losses for **retailers and payment platforms**. Sellers now package **methods, t...
Refund-fraud communities commoditize refund abuse into a service market
Threat Actor MetaAbout this happening: Underground fraud communities have **commoditized refund abuse** into a service market, increasing losses for **retailers and payment platforms**. Sellers now package **methods, t...
Timeline
-
05.12.2025 01:02 2 articles · 7mo ago
China-based phishing kits expand to mobile-wallet fraud
Initial DisclosureChina-based cybercriminal groups selling phishing-as-a-service platforms are expanding mobile-points smishing toward U.S. consumers, using thousands of T-Mobile-themed domains and similar AT&T lures to push victims toward fake e-commerce storefronts, unclaimed tax-refund pages, and mobile-only phishing sites delivered through iMessage and RCS. The scams seek payment card data and one-time codes that fraudsters use to enroll cards in Apple or Google mobile wallets.
Show sources
- SMS Phishers Pivot to Points, Taxes, Fake Retailers — krebsonsecurity.com — 05.12.2025 01:02
- SMS Phishers Pivot to Points, Taxes, Fake Retailers — krebsonsecurity.com — 05.12.2025 01:02