No AI Needed: How Old-School Smishing Still Steals Your Credit Card Info Worldwide

Image Credit: Jacky Lee

The Smishing Triad, a Mandarin-speaking Chinese cybercriminal group, is a major global threat, orchestrating SMS-based phishing (smishing) campaigns across 121 countries. Using sophisticated automation, they impersonate banks, postal services, and toll operators to steal financial data.


Methods and Tools

Since 2023, the Smishing Triad has sent up to 100,000 fraudulent SMS and iMessage texts daily, impersonating USPS, Citi, or PayPal. Urgent messages about “unpaid tolls” or “failed deliveries” trick users into sharing credit card details for digital wallets like Apple Pay. Silent Push reports over one million visits to their phishing sites in 20 days, with 200,000 domains (e.g., under .top and .world) evading detection. Their “Lighthouse” phishing kit, sold for US$200 monthly on Telegram since March 2025, creates convincing fake websites with real-time data syncing and verification (e.g., OTP, 3DS). Bulk SMS services like “Oak Tel” and Android emulators help the messages bypass spam filters. Chinese syndicates, key players in scam operations such as Myanmar’s KK Park, operate in Mandarin rather than Cantonese and generate billions annually, per the United States Institute of Peace (USIP). At KK Park, they collaborate with Myanmar’s Karen BGF, while many Chinese nationals are trafficked as forced workers.


Impact on Victims and Institutions

Victims face financial ruin and identity theft, with one Triad site capturing 30 credit cards from 550 visits in a week. Institutions like HSBC and E-ZPass lose customer trust, especially in regions like Australia, where banking credential theft surges. The Triad’s global reach amplifies harm via digital payment systems.


Challenges in Mitigation

The Triad, hosted on platforms like Cloudflare, is agile enough to outpace antivirus and spam filters. Operating from China, they exploit jurisdictional barriers. Lack of public awareness makes matters worse, though Keepnet Labs notes training can boost smishing recognition by 87% in three months. Stolen iCloud accounts and underground SMS gateways obscure their tracks.


Implications and Recommendations

The Triad’s sophisticated automation highlights cybercrime’s global threat. AI-driven defenses, like machine learning-based anomaly detection (98.21% accurate, per Keepnet Labs), help counter scams, even amid a 1,265% surge in phishing, some of it tied to large language models (Recorded Future). Individuals should verify message sources, avoid unsolicited links, enable multifactor authentication (MFA), and report scams. Institutions must adopt SMS filters and phishing-resistant FIDO2 authentication, and share threat intelligence. Multilingual awareness campaigns, global cooperation, and regulatory alignment are vital to dismantle scam hubs like KK Park.
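
As an added illustration of the SMS filtering recommended above (not code from the article or its sources), the sketch below scores a message on the traits the article describes: a toll or delivery lure, a named brand, a link under .top or .world, and a brand link that is not on the brand's own domain. The official-domain list, the weights, the threshold and the sample messages are assumptions constructed for the example.

```python
import re

# Brands and TLDs are those named in the article. The official domains are an
# assumption a deployer would maintain (None = no single domain recorded here).
BRANDS = {"usps": "usps.com", "citi": "citi.com", "paypal": "paypal.com",
          "hsbc": "hsbc.com", "e-zpass": None}
RISKY_TLDS = {"top", "world"}
LURES = [r"unpaid\s+tolls?", r"failed\s+deliver\w*", r"deliver\w*\s+failed"]
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")

# Constructed sample messages: two lures, two benign texts.
SAMPLES = [
    "USPS: delivery failed due to incomplete address. Update now: https://usps-parcel.top/u",
    "E-ZPass: you have unpaid tolls. Pay at ezpass-billing.world to avoid fees",
    "Your PayPal code is 123456. Never share it.",
    "USPS: your package was delivered. Details: https://tools.usps.com/go/Track",
]


def score_sms(text):
    """Return (score, reasons); a higher score means more smishing-like."""
    t = text.lower()
    hits = []  # (points, reason) pairs
    brands = [b for b in BRANDS if re.search(r"\b" + re.escape(b) + r"\b", t)]
    if any(re.search(p, t) for p in LURES):
        hits.append((1, "lure theme"))
    if brands:
        hits.append((1, "brand named: " + ",".join(brands)))
    for host in HOST_RE.findall(t):
        if host.rsplit(".", 1)[-1] in RISKY_TLDS:
            hits.append((2, "risky TLD: " + host))
        for b in brands:
            official = BRANDS[b]
            # A brand link must be the official domain or one of its subdomains.
            if official and host != official and not host.endswith("." + official):
                hits.append((2, f"{b} link not on {official}: {host}"))
    return sum(p for p, _ in hits), [r for _, r in hits]


def is_suspicious(text, threshold=3):
    """Flag a message whose combined score reaches the (assumed) threshold."""
    return score_sms(text)[0] >= threshold


if __name__ == "__main__":
    for msg in SAMPLES:
        print(is_suspicious(msg), score_sms(msg))
```

A keyword and TLD heuristic like this is only a first-pass filter: with 200,000 rotating domains, the brand-versus-link mismatch check carries more weight than any fixed blocklist.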



Source: Wired, The Hacker News, Cyber Security News
