Man
Professional
Carding, the dark craft of stealing, selling and cashing out stolen payment cards, has been the domain of Russian hackers for years. The mass transition of the US to chip cards cut this business off at the roots. But Chinese cybercriminals are not asleep: their new schemes are giving the industry a second wind. Now stolen card data is being turned into mobile wallets, which can be used for shopping not only online but also in brick-and-mortar stores.
From the carders
We decided to start introducing readers to the best global research as an experiment. Below is a close-to-text retelling of a post from Brian Krebs' blog. This publication is available without a paid subscription.

Almost every American has received at least one phishing message over the past couple of years. Either the US Post Office urgently demands an extra charge for delivery, or a "local toll road operator" threatens a fine for unpaid travel.
These messages are sent using advanced phishing kits that cybercriminals from mainland China sell. But this is not just standard "smishing" via SMS - they bypass mobile networks altogether. Instead, the attacks are carried out via iMessage on iPhones and RCS on Android.
[Image: Phishing kits for sale]

If the victim enters card details on such a fake site, they are told that the bank wants to verify a small payment by sending a one-time code. In fact, this code does not arrive for no reason: the bank is confirming the linking of the card to a mobile wallet. That is, the victim hands the scammers the keys to his safe with his own hands. If the victim is taken in and enters the code, the phishers instantly link the card to a new Apple or Google mobile wallet loaded onto a device they control. Now they have a fully working digital copy of the card in their hands, ready for shopping.
Carding 2.0
Ford Merrill, a security specialist at SecAlliance (a subsidiary of CSIS Security Group), has been digging into the topic of Chinese "smishers" for a long time and watching their evolution. Fun fact: most of these groups post training videos on their Telegram channels, where they show in detail how to load a bunch of stolen digital wallets onto one phone. Then these "charged" smartphones are sold wholesale for several hundred bucks each.

“Who said that carding is dead?” asks Merrill. “This is the best magnetic strip cloner in history! Sellers require that the buyer take at least ten phones, and are ready to ship them by air delivery”.
In one of the promotional videos, you can see entire stacks of boxes filled with phones for sale. If you look closely, each device has a sticker with scribbles: the date the wallets were loaded, their number, and the seller’s initials. A real carding conveyor in action.
[Image: Phones with charged wallets]

Merrill says that Chinese carders cash out stolen mobile wallets through fake online stores registered on Stripe or Zelle. The scheme is simple: they run transactions for amounts from $100 to $500, and the money flows smoothly into their pockets. Merrill notes that when these phishing gangs were just starting to be active a couple of years ago, they waited 60-90 days before dumping the phones or using them in fraud. Now the time frame has been compressed to a week or two: turnover is growing, and no one wants to wait. “At first, these guys were playing the long game”, Merrill says. “But now everything is different: a maximum of ten days pass, and wallets start to be pumped hard”.
Ghost Tap
Another way to cash out is through real POS terminals. Fraudsters simply tap stolen mobile wallets at Tap to Pay terminals, one after another. But there is something even more interesting: Merrill found out that one of the Chinese phishing gangs is pushing an Android app called ZNFC. This thing can relay legitimate NFC transactions anywhere in the world. All that is needed is to hold a phone up to a local terminal that accepts Apple Pay or Google Pay, and the app sends the payment over the Internet from a device located, for example, in China (there is a video demonstrating it).

“This software works from anywhere”, Merrill explains. “For $500 a month, they sell access to a program that can relay both NFC payments and any digital wallets. And yes, they even have 24/7 tech support!”
The emergence of mobile software for the so-called ghost tap was first recorded by ThreatFabric experts in November 2024. According to the company's chief commercial officer Andy Chandler, their analysts have since discovered that a number of criminal groups from different parts of the world have picked up on this scheme.
Chandler notes that among the new players are organized crime groups from Europe. They use similar attacks on mobile wallets and NFC, but their target is ATMs that support cash withdrawals from smartphones.
“Nobody talks about it, but we have already counted ten different schemes with the same operating principle, and each of them is unique in its own way,” Chandler says. “The scale is much larger than the banks are willing to admit”.
In November 2024, The Straits Times from Singapore reported the arrest of three foreign nationals who were recruited through social networks. They were given “ghost” tap apps and sent on a shopping spree to buy expensive goods.
Since November 4, at least ten victims of the scammers have reported unauthorized transactions worth more than $100,000. The money was spent on iPhones, chargers and jewelry in Singapore, The Straits Times reported. In another case involving a similar scheme, police detained a Malaysian couple on November 8.
Advanced Phishing Techniques
According to Merrill, fake US Post Office and toll road operator pages are equipped with a number of clever innovations designed to squeeze the maximum amount of data out of the victim.

For example, the victim may start entering their personal and financial data, but at the last moment suspect a trick and change their mind. However, this will not save them: everything they type in the form fields is leaked to the scammers in real time, even if they never click the coveted "Submit" button.
Merrill notes that after entering the card data, the victim is often shown a message that the payment did not go through, and is offered to try another card. This trick often allows scammers to steal not one, but several mobile wallets from one person.
Usually, phishing sites store the stolen data on the site itself, which is why it can be leaked along with the domain. But the Chinese kits work differently: all the information is sent immediately to a backend controlled by the sellers of the phishing tools themselves. So even if one of the sites is taken down for fraud, the stolen data remains safe and sound.
Another trick is the mass generation of Apple and Google accounts, through which the scammers send their spam messages. In one of the Telegram channels, Chinese phishers even posted a photo of their “farm” setup: dozens of phones filled with bot accounts are neatly arranged on a multi-tiered stand, and opposite is the operator of this entire phishing factory.
These phishing sites are run by real people who are busy while new messages are being sent out. According to Merrill, the scammers only send a few dozen SMS at a time, because then they have to manually bring each victim to the end. After all, one-time codes for linking cards to mobile wallets only work for a couple of minutes, so you need to act quickly.
An interesting detail: the fake postal and toll road sites do not open in a regular browser at all. They load only if it is determined that the victim is visiting from a mobile device.
“It is important for them that the victim visits from a phone,” Merrill explains. “This way they guarantee that the one-time code will be sent to the same device, and not to some other gadget. Plus, there is less chance that the person will change their mind and leave. And in order to quickly pick up this code and activate the mobile wallet, you need a live operator”.
Merrill found another insidious upgrade in Chinese phishing kits — they automatically turn stolen card data into digital copies of real ones. The system generates an image of the card with the correct design, corresponding to the victim's bank. As a result, linking a stolen card to Apple Pay becomes elementary — just scan the fake with an iPhone camera.
In the Telegram channel of one of the Chinese phishing groups, you can find an advertisement for their service, which clearly shows how stolen card data is turned into realistic images of the cards themselves.
[Image: The advertisement for the phishing kit demonstrates how data is turned into a card]

“The phone does not distinguish between a real card and an image”, Merrill explains. "It just scans the image into Apple Pay, which then says, 'Okay, now confirm that the card is yours', and sends a one-time code".
Profit
How profitable are these mobile phishing kits? The best guesses so far come from other cybersecurity researchers who have been tracking Chinese phishers and their advanced schemes for a long time.

In August 2023, Resecurity uncovered a vulnerability in the platform of a popular Chinese phishing service that accidentally exposed victims’ personal and financial data. The researchers named the group Smishing Triad and found that over the course of its operation, it collected 108,044 payment cards through 31 phishing domains, an average of 3,485 cards per site.
In August 2024, security researcher Grant Smith spoke at DEFCON about how he came across the Smishing Triad after scammers posing as the US Post Office scammed his wife. By finding another vulnerability in their phishing kit, Smith was able to see that 438,669 unique credit cards passed through 1,133 fake sites — an average of 387 cards per domain.
Merrill estimates that each card turned into a mobile wallet costs the victim between $100 and $500 in damages. In the year between the Resecurity report and Smith’s DEFCON talk, the researchers identified nearly 33,000 unique domains associated with Chinese smishers.
If we take the average of 1,935 cards per domain and the minimum loss of $250 per card, it turns out that this scheme brought in about $15 billion in fake transactions per year.
Merrill is slow to reveal whether he has found any new vulnerabilities in the phishing kits sold by Chinese groups. He noted that after the article was published, the scammers quickly patched all the exposed holes.
Counterattack
Contactless payments in the US took off after the pandemic, and banks rushed to simplify the process of linking cards to mobile wallets. As a result, a one-time code via SMS became the main method of identity verification, which, as is now clear, played into the hands of fraudsters.

Experts are sure that banks' dependence on one-time codes when linking cards to mobile wallets is fueling a new wave of carding. Krebs on Security spoke with a top manager of a large European bank (the employee agreed to speak only on condition of anonymity, as he was officially prohibited from commenting on the topic).
According to this expert, the delay between the theft of card data and its use in fraudulent schemes makes it very difficult for banks to find the root cause of leaks. Many simply cannot connect phishing attacks with subsequent losses.
“This is why the industry was caught off guard”, the expert says. “Many are perplexed: how is this even possible if we have already tokenized a process that was previously open? We have never seen the scale of attacks and complaints from victims that we are seeing with these phishers”.
To improve the security of linking cards to digital wallets, some banks in Europe and Asia require customers to sign in to their banking app before adding a card to a device.
Combating the threat of “ghost tapping” may require updating POS terminals so that they can detect when an NFC transaction is coming from a fake device. But experts doubt that retailers will rush to replace their equipment before it reaches its end of life.
Of course, Apple and Google will also have to take responsibility — after all, their platforms are used for the mass registration of bots that send out phishing spam. The companies can easily track devices that are suddenly linked to 7-10 mobile wallets of people from all over the world. In addition, they could recommend that banks switch to more reliable authentication methods when adding cards to wallets.
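As an added example (not from Krebs's article or this post), the following issuer-side risk rule applies the two defences mentioned above: treating an SMS one-time code alone as insufficient and requiring a sign-in to the banking app, and flagging a single device that collects cards from several unrelated cardholders. The log format, identifiers, window and thresholds are assumptions for illustration.

```python
# Added example: risk rules for mobile wallet token-provisioning requests.
# Names, log format and thresholds are assumed, not taken from any bank or article.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ProvisionRequest:
    ts: datetime
    device_id: str       # wallet platform's identifier for the phone (assumed field)
    cardholder_id: str   # issuer's customer id for the card being added (assumed field)
    verify_method: str   # "sms_otp" (weak) or "app_login" (step-up via banking app)


class ProvisioningRiskEngine:
    """Returns approve / step_up / decline for one provisioning request."""

    def __init__(self, max_other_holders=3, window=timedelta(days=14)):
        self.max_other_holders = max_other_holders  # strangers' cards on one device
        self.window = window                        # how far back to look
        self.history = defaultdict(list)            # device_id -> [ProvisionRequest]

    def evaluate(self, req):
        # Keep only this device's requests inside the look-back window.
        recent = [e for e in self.history[req.device_id] if req.ts - e.ts <= self.window]
        self.history[req.device_id] = recent
        other_holders = {e.cardholder_id for e in recent if e.cardholder_id != req.cardholder_id}
        seen_before = any(e.cardholder_id == req.cardholder_id for e in recent)

        if len(other_holders) >= self.max_other_holders:
            decision = "decline"   # device already holds several unrelated people's cards
        elif req.verify_method == "app_login":
            decision = "approve"   # customer authenticated in the banking app
        elif other_holders or not seen_before:
            decision = "step_up"   # SMS code alone: require app sign-in for a new/shared device
        else:
            decision = "approve"   # same customer re-adding a card to a known device
        self.history[req.device_id].append(req)  # attempts are signal too, so record all
        return decision


def parse_line(line):
    """Parse a constructed log line: '<iso-ts>Z device=<id> holder=<id> verify=<method>'."""
    ts_s, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ProvisionRequest(ts, kv["device"], kv["holder"], kv["verify"])


# Constructed sample: one device (dev-A) collecting cards of four different holders.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z device=dev-A holder=C001 verify=sms_otp
2025-03-01T10:05:00Z device=dev-A holder=C001 verify=app_login
2025-03-02T09:00:00Z device=dev-A holder=C002 verify=sms_otp
2025-03-02T09:03:00Z device=dev-A holder=C003 verify=sms_otp
2025-03-02T09:06:00Z device=dev-A holder=C004 verify=sms_otp
2025-03-02T11:00:00Z device=dev-B holder=C005 verify=app_login
2025-03-25T12:00:00Z device=dev-A holder=C006 verify=sms_otp
"""


def run_sample(log=SAMPLE_LOG):
    engine = ProvisioningRiskEngine()
    return [(r.device_id, r.cardholder_id, engine.evaluate(r))
            for r in map(parse_line, log.splitlines())]


if __name__ == "__main__":
    for device, holder, decision in run_sample():
        print(f"{device} {holder}: {decision}")
```

The last sample line falls outside the 14-day window, so dev-A is treated as a fresh device again; in practice the window and the holder threshold would be tuned against the issuer's own provisioning volumes.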