
Phishing Services Use RCS and iMessage to Bypass Traditional SMS Security Filters

A new wave of phishing operations is quietly changing the way cybercriminals steal financial data from everyday people.

Rather than relying on traditional SMS messages that carriers can easily flag and block, threat actors are now using encrypted messaging channels like Rich Communication Services (RCS) and Apple iMessage to deliver malicious links directly to victims’ phones.

This shift marks a significant step forward in the sophistication of phishing attacks. Cybercriminals are no longer just after usernames and passwords.

Their goal has evolved to gaining full, real-time control over victims’ financial accounts, including the ability to drain funds, make contactless payments, and conduct ATM withdrawals, all from a device the victim never touches.

The Google Threat Intelligence Group (GTIG) said in a report shared with Cyber Security News (CSN) that it analyzed a dozen active phishing-as-a-service (PhaaS) platforms operating within the Chinese-language underground.

Researchers found these platforms to be mature, well-organized services that are lowering the barrier to entry for cybercriminals and revealing broader shifts in how credential theft is carried out at scale.

While Russian-speaking actors have historically led the PhaaS space, a distinct and fast-growing Chinese-language ecosystem has emerged to rival it. These services do not simply mirror what their Russian counterparts have built.

They operate with their own structure, their own targets, and their own culture, including threat actors who openly post about their criminal earnings on Telegram.

Late last year, Google took legal action against one PhaaS provider tied to this ecosystem. Since then, the company has continued pushing for legislation and working to implement technical safeguards against these scams.

The findings released today show that despite these efforts, the ecosystem continues to grow and refine its methods.

Phishing Services Use RCS and iMessage

Traditional SMS phishing, also known as smishing, is increasingly being blocked by carrier-level filters that scan messages for suspicious links.

Chinese-language PhaaS operators recognized this limitation and moved their delivery infrastructure to RCS and iMessage instead. Because both protocols use end-to-end encryption, the message content, including the phishing link, is not visible to network-level tools, which makes it much harder for carriers to inspect or block what is being sent.

These messaging platforms also look and feel far more polished than a basic text message. They support read receipts, typing indicators, high-resolution images, and group chats.

Phishing site chain (Source – Google Cloud)

When a phishing message arrives through one of these channels, it looks convincingly real, which makes the average user far more likely to interact with it. The combination of technical evasion and visual legitimacy makes these campaigns particularly dangerous.

Once a victim clicks a link and enters their credentials, the data appears instantly on the attacker’s live administration panel.

The attacker then logs in with those credentials from their own device, which causes the bank to send the victim a one-time passcode (OTP) at the same moment the phishing page prompts the victim for one. The victim types in the code, the attacker captures it in seconds and completes the login, bypassing multifactor authentication entirely.
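To make the relay concrete, the following is an added example (it is not code from the article or from GTIG's report) that models the two steps above as a toy in-memory simulation: a relying party that finishes login with a code sent out-of-band, and a relying party that uses an origin-bound challenge/response in the style of WebAuthn. All class names, the origins `bank.example` and `bank-secure.example`, and the use of an HMAC in place of a real asymmetric signature are assumptions made for the illustration; nothing here talks to a network.

```python
"""
Added example, not part of the original article: why a real-time relay
captures an OTP but cannot obtain a usable origin-bound assertion.
Origins, class names and the HMAC "signature" are simplifications.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

BANK_ORIGIN = "https://bank.example"            # legitimate relying-party origin (hypothetical)
PHISH_ORIGIN = "https://bank-secure.example"    # constructed look-alike origin (hypothetical)


class OtpBank:
    """Relying party protected by password + a code delivered out-of-band to the user's phone."""

    def __init__(self, password):
        self.password = password
        self.pending_otp = None
        self.sessions = []

    def start_login(self, password):
        if password != self.password:
            return False
        self.pending_otp = f"{secrets.randbelow(10**6):06d}"   # "sent" to the victim's phone
        return True

    def finish_login(self, otp):
        if self.pending_otp and hmac.compare_digest(otp, self.pending_otp):
            self.pending_otp = None
            token = secrets.token_hex(8)
            self.sessions.append(token)
            return token
        return None


class WebAuthnBank:
    """Relying party that checks a signed client-data blob naming the origin the user was on."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.credentials = {}      # credential_id -> verification key (stand-in for a public key)
        self.challenges = set()
        self.sessions = []

    def register(self, credential_id, key):
        self.credentials[credential_id] = key

    def start_login(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def finish_login(self, credential_id, client_data, signature):
        data = json.loads(client_data)
        key = self.credentials.get(credential_id)
        if key is None or data["challenge"] not in self.challenges:
            return None
        if data["origin"] != BANK_ORIGIN:          # origin binding: reject assertions made elsewhere
            return None
        expected = hmac.new(key, client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        self.challenges.discard(data["challenge"])
        token = secrets.token_hex(8)
        self.sessions.append(token)
        return token


class Authenticator:
    """Victim's browser plus platform authenticator; HMAC stands in for a key-pair signature."""

    def __init__(self):
        self.keys = {}     # (rp_id, credential_id) -> signing key

    def create(self, rp_id, credential_id):
        key = secrets.token_bytes(32)
        self.keys[(rp_id, credential_id)] = key
        return key

    def get_assertion(self, rp_id, credential_id, challenge, page_origin):
        host = urlparse(page_origin).hostname
        # A browser only releases a credential when rp_id matches the page's origin host.
        if host != rp_id and not host.endswith("." + rp_id):
            return None
        key = self.keys[(rp_id, credential_id)]
        client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
        return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).digest()


def relay_against_otp(bank, victim_password):
    """The phishing page forwards each step to the real bank in real time."""
    bank.start_login(victim_password)           # password typed into the look-alike page, forwarded
    otp_from_victim = bank.pending_otp          # victim types the code they just received into that page
    return bank.finish_login(otp_from_victim)   # attacker now holds a valid session token


def relay_against_webauthn(bank, authenticator, credential_id):
    """Same relay, but the victim's browser is on PHISH_ORIGIN when asked to sign."""
    challenge = bank.start_login()              # relay fetches a genuine challenge
    assertion = authenticator.get_assertion(bank.rp_id, credential_id, challenge, PHISH_ORIGIN)
    if assertion is None:
        return None                             # browser never produced an assertion for the look-alike
    client_data, signature = assertion
    return bank.finish_login(credential_id, client_data, signature)
```

Two independent checks stop the relay in the second flow: the browser refuses to use a credential scoped to `bank.example` on another host, and even if an assertion were somehow produced, the bank rejects any client data whose signed `origin` field is not its own. The OTP flow has no equivalent binding, so the relayed code is accepted.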

From Stolen Credentials to Tokenized Financial Control

What separates this generation of phishing operations from older ones is what happens after credentials are stolen. These platforms focus heavily on digital wallet provisioning, a process that lets attackers load a victim’s payment card onto an attacker-controlled device.

Once the card is tokenized inside a digital wallet, it can be used for high-value purchases, tap-to-pay transactions, and cash withdrawals without ever needing the physical card.

One prominent example highlighted in the research is a platform called YY Lai Yu, which has been active since August 2024 and offers over 400 phishing templates targeting users across 119 countries.

Defenders are advised to adopt FIDO2/WebAuthn authentication as a countermeasure against real-time OTP interception, since the authenticator's response is bound to the genuine site's origin and cannot be relayed through a look-alike page the way a typed code can.

Banks should also pair stronger authentication with risk-based verification and device fingerprinting during the digital wallet provisioning process to make stolen credentials much harder to weaponize.
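As an added illustration of that recommendation (this is example code, not anything from the article, GTIG or any issuer), the block below scores a digital wallet provisioning request from a handful of risk signals and returns approve, step-up or decline. The signals, weights and thresholds are assumptions chosen for the example; the data classes, the sample records and the device identifiers are constructed.

```python
"""
Added example, not from the original article: a toy risk assessment run by a
card issuer before a card is tokenized into a wallet on a given phone.
Weights, thresholds and record layouts are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class ProvisioningRequest:
    account_id: str
    wallet_device_id: str       # fingerprint of the phone the card would be loaded onto
    ip_country: str
    requested_at: datetime


@dataclass
class AccountState:
    known_devices: Set[str]     # device fingerprints that have authenticated before
    home_country: str
    last_login_at: datetime
    last_login_device: str
    credential_changed_at: Optional[datetime] = None


@dataclass
class WalletDeviceState:
    accounts_with_cards: Set[str]   # accounts whose cards already live on this phone


APPROVE_BELOW = 30   # assumed thresholds
DECLINE_FROM = 80


def assess_provisioning(req: ProvisioningRequest, acct: AccountState,
                        dev: WalletDeviceState) -> Tuple[str, int, List[str]]:
    """Return (decision, score, reasons); decision is 'approve', 'step_up' or 'decline'."""
    score, reasons = 0, []

    if req.wallet_device_id not in acct.known_devices:
        score += 40
        reasons.append("card is being loaded onto a device this account has never used")

    if acct.credential_changed_at and req.requested_at - acct.credential_changed_at < timedelta(hours=24):
        score += 30
        reasons.append("credentials or contact details changed in the last 24 hours")

    if req.ip_country != acct.home_country:
        score += 20
        reasons.append(f"request originates from {req.ip_country}, account is based in {acct.home_country}")

    others = dev.accounts_with_cards - {req.account_id}
    if len(others) >= 2:
        score += 50
        reasons.append(f"wallet device already holds cards from {len(others)} other accounts")

    if (req.requested_at - acct.last_login_at < timedelta(minutes=15)
            and acct.last_login_device != req.wallet_device_id):
        score += 30
        reasons.append("provisioning on a different device within minutes of the last login")

    if score < APPROVE_BELOW:
        decision = "approve"
    elif score < DECLINE_FROM:
        decision = "step_up"      # confirm via a channel the phishing page cannot see, e.g. push to a known device
    else:
        decision = "decline"
    return decision, score, reasons


if __name__ == "__main__":
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)      # constructed timestamp
    acct = AccountState(known_devices={"phone-victim"}, home_country="US",
                        last_login_at=now - timedelta(minutes=3), last_login_device="phone-victim")
    # Constructed scenario: a phone that already carries cards from two unrelated accounts
    suspicious_phone = WalletDeviceState(accounts_with_cards={"acct-7", "acct-9"})
    request = ProvisioningRequest("acct-1", "phone-other", "GB", now)
    decision, score, reasons = assess_provisioning(request, acct, suspicious_phone)
    print(decision, score)
    for r in reasons:
        print(" -", r)
```

The step-up branch is where the article's point bites: if the extra verification were another SMS or in-chat OTP, the same relay that captured the login code would capture it as well, so the confirmation has to reach the customer on a channel the phishing page does not sit in front of. The "other accounts on this phone" signal is the one most specific to tokenized-card fraud, because one attacker-controlled device tends to accumulate cards from many victims.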


The post Phishing Services Use RCS and iMessage to Bypass Traditional SMS Security Filters appeared first on Cyber Security News.

Source: cybersecuritynews.com
