Smishing Triad Upgrades Tools and Tactics for Global Attacks


A wave of global smishing campaigns linked to Chinese cybercriminals has escalated as the Smishing Triad, first identified in 2023, deploys new tools and tactics. 

A recent investigation by Resecurity has revealed that the group and its affiliates have upgraded their infrastructure, expanding their reach through a sophisticated “Crime-as-a-Service” ecosystem.

What’s new is the emergence of “Panda Shop,” a rebranded smishing kit bearing hallmarks of the original Smishing Triad.

According to Resecurity, this kit allows cybercriminals to mimic global brands like AT&T, DHL and Vodafone and send deceptive messages through Apple iMessage, Android RCS and SMS gateways.

These campaigns aim to harvest personal and financial data from unsuspecting victims, often using compromised Apple and Gmail accounts to distribute malicious content at scale.

The volume of activity is substantial. One actor reportedly sends 2 million smishing messages daily, placing the estimated reach at 60 million victims per month.

New Tech, Same Goals

The Panda Shop kit, likely named after China’s national symbol, includes interactive Telegram bots for smishing automation, multiple templates tailored to international brands and platforms, and web-based dashboards to manage stolen data.

These capabilities make it easier than ever for cybercriminals to target consumers across geographies and platforms.

According to Resecurity, the kit’s distribution through Telegram – rather than domestic Chinese messaging apps like WeChat or QQ – further illustrates the underground network’s preference for platforms that offer more anonymity.

Templates identified include fake pages impersonating UPS, USPS, the UK government and various telecoms.


Misused Infrastructure and Evolving Tactics

Cybercriminals have also been observed using IP reputation services like IP Registry Co. to bypass detection by filtering out bots and security researchers.

Devices originally meant for telemarketing are being exploited to push smishing messages to international mobile carriers, particularly where enforcement mechanisms are weak.

Panda Shop also supports OTP interception and has links to advanced tools used in NFC-enabled fraud, such as Z-NFC and UFO NFC. Data harvested via these attacks often ends up in carding shops or laundered through merchant fraud.

Global Impact and Enforcement Challenges

Smishing-related fraud is rapidly scaling, with losses to consumers and financial institutions likely to reach hundreds of millions of dollars. 

However, few arrests have been made, limited primarily to money mules operating ATMs or point-of-sale systems. With NFC tools, even these intermediaries are becoming obsolete.

Efforts like DHS HSI’s Project Red Hook aim to disrupt smishing operations, but cybercriminals operating from China remain largely out of reach.

The ongoing geopolitical divide limits cross-border enforcement, allowing smishing to thrive as a profitable and growing cyber-threat.


