China-based phishing groups, notorious for bombarding users with SMS scams about undelivered packages or unpaid tolls, are pushing a new tactic just as the holiday shopping season kicks into high gear: phishing kits that mass-produce convincing fake e-commerce websites. These fraudulent storefronts are built to capture customer payment card data, with the end goal of enrolling the stolen cards in mobile wallets from Apple and Google. Security researchers warn that the same actors are also sending SMS lures promising unclaimed tax refunds and mobile rewards points to draw in unsuspecting consumers.

In the past week alone, thousands of domain names have been registered for scam websites masquerading as legitimate offers, specifically targeting T-Mobile customers with promises of substantial rewards points. The domains are advertised in scam messages sent over Apple's iMessage and Google's RCS messaging, its functional counterpart on Android. The website scanning service urlscan.io recorded a sharp jump in the deployment of these phishing domains within a few days. Crucially, the phishing pages load only when the visitor arrives from a mobile device, which matches the channel the lure was sent on and hides the page from desktop-based crawlers and analysts. Once there, visitors are asked for personal information, including name, address and phone number, and then for their payment card details, all under the guise of claiming the supposed rewards.

SMS Phishers Pivot to Points, Taxes, Fake Retailers

Once a victim submits their payment card information, the phishing website asks them to relay a one-time code sent via SMS by their financial institution. That code arrives because the fraudsters have just attempted to add the victim's card to a mobile wallet such as Apple Pay or Google Pay, and the card issuer sends a one-time code to confirm the enrollment. If the victim, believing this is a legitimate verification step, enters the code, the phishers can link the card to a mobile device they physically control and use it for fraudulent transactions.

A closer look at the phishing domains identified by urlscan.io reveals a parallel campaign targeting AT&T customers with the same rewards-points lure. Ford Merrill, a security researcher at SecAlliance, a CSIS Security Group company, explains that points-redemption scams have been common in the EU and Asia for some time but have only recently been aggressively aimed at consumers in the United States, where they were historically less popular.

Further analysis of domains linked to this syndicate of China-based SMS phishers shows a broader set of lures, including spoofed U.S. state tax authorities telling recipients they are eligible for an unclaimed tax refund. The objective is the same in every case: harvest payment card data and the one-time verification code that follows.

Caveat Emptor: The Evolving Threat of Fake E-Commerce

While many SMS phishing domains are quickly flagged by the safe-browsing services built into major browsers, a growing area of concern with these kits is the creation of fake e-commerce shops. These fraudulent stores are harder to detect because they are usually not promoted through mass spamming. The same Chinese phishing kits behind the package-redelivery scams ship with modules for rapidly deploying large numbers of convincing fake storefronts, which are then advertised through Google and Facebook ads to consumers searching for deals on specific products.

In the fake e-commerce scenario, customers willingly hand over their payment card and personal information during checkout. The scam ends with a request for a one-time code from their financial institution, purportedly to verify the purchase; in reality the code is triggered by the scammers immediately attempting to enroll the card in a mobile wallet. According to Merrill, the code that would reveal a site's true nature is often fetched only during checkout, which makes these stores difficult to identify through mass web scanning. Many customers realize they were defrauded only weeks later, when the goods never arrive.

"The fake e-commerce sites are tough because a lot of them can fly under the radar," Merrill states. "They can go months without being shut down, they’re hard to discover, and they generally don’t get flagged by safe browsing tools."

Fortunately, reporting these SMS phishing lures and websites is a crucial step in their takedown. Raymond Dijkxhoorn, CEO and founding member of SURBL, a widely-used blocklist for malicious domains and IP addresses, has launched smishreport.com. This platform allows users to report smishing messages by forwarding a screenshot, enabling SURBL to identify and block new patterns and related domains. "If [a domain is] unlisted, we can find and add the new pattern and kill the rest of the matching domains," Dijkxhoorn explains. "Just make a screenshot and upload. The tool does the rest."

Merrill highlights that the final weeks of the calendar year typically witness a significant increase in smishing activity, particularly scams impersonating the U.S. Postal Service or commercial shipping companies. "Every holiday season there is an explosion in smishing activity," he notes. "Everyone is in a bigger hurry, frantically shopping online, paying less attention than they should, and they’re just in a better mindset to get phished."

Shop Online Like a Security Pro

Shopping by the lowest advertised price alone is a bit like playing Russian roulette with your finances. Even shoppers who stick to major online retailers can be scammed if they are not wary of overly attractive offers, particularly from third-party sellers.

For an unfamiliar online merchant, a few minutes spent checking its reputation is well worth it. Newly created e-commerce sites carry a much higher risk of being fraudulent. A quick WHOIS lookup on the site's domain name shows how long the domain has existed; a recent "created" date is a strong signal of a phantom store.
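The WHOIS check above is easy to automate, but raw WHOIS output is free text and registrars label and format the creation date differently, so a robust check has to try several labels and date layouts. The following is an added example (not from the article): it parses the creation date from WHOIS text and classifies the domain by age. The WHOIS records, the fixed "now" timestamp and the 90-day threshold are all constructed for the example; in practice you would feed it the output of `whois <domain>` and the current time.

```python
"""Estimate a domain's age from raw WHOIS output (added example, not from the article)."""
import re
from datetime import datetime, timezone

# Labels registrars use for the registration timestamp (assumption: common ones, not exhaustive).
CREATION_LABELS = (
    "Creation Date", "Created On", "Registration Date",
    "Domain Registration Date", "Registered on", "created",
)

# Date layouts to try, most specific first. %z accepts both "Z" and "+00:00" on Python 3.7+.
DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S.%f%z",
    "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d",
)

_LABEL_RE = re.compile(
    r"^\s*(?:" + "|".join(re.escape(l) for l in CREATION_LABELS) + r")\s*[:=]\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Assumed age below which a shop's domain is treated as suspicious.
YOUNG_DOMAIN_DAYS = 90

# Fixed reference time so the example is deterministic (constructed).
DEMO_NOW = datetime(2024, 11, 20, 12, 0, tzinfo=timezone.utc)

# Constructed WHOIS excerpts in the styles of different registries. The .example TLD is reserved.
SAMPLE_NEW_WHOIS = """Domain Name: REWARDS-CLAIM.EXAMPLE
Updated Date: 2024-11-14T09:00:00Z
Creation Date: 2024-11-14T08:12:33Z
Registry Expiry Date: 2025-11-14T08:12:33Z
"""
SAMPLE_REGISTERED_ON_WHOIS = """Domain name: holiday-deals.example
Registered on: 14-Nov-2024
Expiry date: 14-Nov-2025
"""
SAMPLE_OLD_WHOIS = """domain: established-shop.example
created: 2009-03-02
changed: 2024-01-15
expires: 2026-03-02
"""
SAMPLE_NO_DATE_WHOIS = """Domain Name: rate-limited.example
>>> Last update of WHOIS database: 2024-11-20T00:00:00Z <<<
"""


def parse_creation_date(whois_text):
    """Return the first parseable creation timestamp as an aware UTC datetime, or None."""
    for match in _LABEL_RE.finditer(whois_text):
        raw = re.sub(r"\s*(?:\+0000|UTC)\s*$", "", match.group(1))  # drop trailing tz hints
        for fmt in DATE_FORMATS:
            try:
                dt = datetime.strptime(raw, fmt)
            except ValueError:
                continue
            # Naive timestamps are assumed to be UTC; aware ones are normalised to UTC.
            return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)
    return None


def domain_age_days(whois_text, now=None):
    """Whole days since the domain was created, or None if no creation date was found."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return ((now or datetime.now(timezone.utc)) - created).days


def assess_domain(whois_text, now=None, young_days=YOUNG_DOMAIN_DAYS):
    """Classify a domain as 'new', 'established', or 'unknown' (no usable creation date)."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "unknown"
    return "new" if age < young_days else "established"


if __name__ == "__main__":
    for name, text in (("new", SAMPLE_NEW_WHOIS), ("registered-on", SAMPLE_REGISTERED_ON_WHOIS),
                       ("old", SAMPLE_OLD_WHOIS), ("no-date", SAMPLE_NO_DATE_WHOIS)):
        print(f"{name:14s} age={domain_age_days(text, DEMO_NOW)} -> {assess_domain(text, DEMO_NOW)}")
```

Treat "unknown" as a reason to look harder, not as a pass: registries rate-limit WHOIS and some redact the record entirely, and a missing date says nothing about whether the shop is legitimate. Domain age is one signal among several; an old domain can still be compromised or resold to a scammer.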

If you receive a message about a problem with an order or shipment, go directly to the retailer's or shipping company's website rather than following any link or opening any attachment in the message. Phishers rely on urgent or alarming wording to create a false sense of emergency and get you to drop your guard. Beyond outright scams, inflated shipping and handling charges can wipe out a seemingly attractive discount, so review shipping times and return policies, and watch for hidden surcharges and terms that are accepted automatically during checkout.

Most importantly, review your monthly financial statements carefully. Fraudsters count on the holiday season's flurry of transactions to hide unauthorized charges. Promptly reviewing credit card bills and disputing any unrecognized charges is the most effective defense against this tactic.