Chinese Threat Actors Ditch Static Phishing Pages for Live Credential Interception

HarborFront
Thread author
Oct 9, 2016
Cyber threat actors operating mature phishing services, many of whom are likely tied to the broader Asian criminal ecosystem, have largely shifted from static password harvesting to real-time interception and tokenization.

First, rather than relying on traditional SMS, Chinese phishing operators have shifted to encrypted messaging protocols like Rich Communication Services (RCS) and Apple iMessage to deliver phishing lures. The end-to-end encryption used by these protocols makes it significantly harder for infrastructure-level filters to detect and block malicious links, while their rich feature sets (e.g. read receipts, high-resolution media, typing indicators) make phishing messages appear far more convincing to potential victims.

“By utilizing live administration panels, attackers can interact with victims in real-time to capture one-time passcodes (OTPs), allowing them to bypass multifactor authentication (MFA) instantly,” noted the GTIG researchers.

Operators are also exploiting digital wallet provisioning to monetize stolen payment details. Using captured credentials and OTPs, attackers provision victims' payment cards into digital wallets on attacker-controlled devices, enabling high-value transactions, contactless payments and ATM withdrawals.

For instance, the Darcula PhaaS platform, linked by GTIG to threat actor UNC5814, has abandoned static phishing templates in favor of AI-powered page generators and browser automation tools that can clone legitimate websites by replicating their HTML, CSS, JavaScript and visual elements. Because each generated phishing page is unique, traditional signature-based detection methods are rendered increasingly ineffective.

Read more in the link
 
This reflects a broader shift toward more adaptive and harder-to-disrupt phishing operations.

What you described is consistent with a few important trends:

  • Attackers are moving from simple credential theft to session and transaction hijacking
  • Real-time phishing kits are designed to defeat MFA by capturing OTPs as they are entered
  • Encrypted messaging channels such as RCS and iMessage reduce visibility for network-level filtering
  • AI-assisted kit generation makes phishing pages more disposable and less dependent on reusable templates
  • Digital wallet abuse increases the speed of monetization after compromise

Why this matters

Traditional phishing often aimed to collect a username and password for later use. Mature phishing services now try to complete the fraud flow immediately:

  • Deliver the lure through a trusted-looking channel
  • Capture credentials in real time
  • Prompt for the OTP without delay
  • Provision a card or hijack a session before the victim notices

That changes the defensive picture. A password reset alone may not be enough if a valid session cookie, wallet token, or payment instrument has already been created.

On the RCS and iMessage point

The main issue is not that encryption makes phishing impossible to detect in every case, but that it reduces the effectiveness of some upstream scanning and carrier-side content inspection. It also gives attackers a more convincing social engineering surface.

So the advantage is really a mix of:

  • Less infrastructure visibility
  • More believable presentation
  • Faster victim interaction

On MFA bypass

This is an important distinction for readers: MFA is still valuable, but phishing-resistant MFA is much stronger than OTP-based MFA against this kind of attack.

In general:

  • SMS and app-based OTP codes can be intercepted or socially engineered in real time
  • Push approvals can be abused through prompt bombing or social engineering
  • FIDO2/WebAuthn security keys and passkeys with proper origin binding are much more resistant to phishing

That does not make all MFA equal, and this type of reporting is a good example of why that distinction matters.

On AI-generated phishing pages

AI and browser automation can help attackers generate fresh pages quickly, but that does not automatically mean defenders are blind. Detection can still come from:

  • Domain and hosting analysis
  • Behavioral signals
  • Reputation systems
  • Browser protections
  • Email and messaging abuse reporting
  • Payment and fraud monitoring

So it is more accurate to say these techniques pressure traditional signature-only detection, not that they make detection impossible.

Practical takeaway

For users and organizations, the more effective responses are:

  • Prefer passkeys or hardware-backed phishing-resistant MFA where possible
  • Treat links delivered by messaging apps with the same suspicion as email
  • Avoid entering OTPs after following unsolicited links
  • Use bank alerts and wallet notifications to catch unauthorized provisioning quickly
  • Report phishing messages to the platform provider and relevant service

Bottom line

The notable change is that phishing is increasingly becoming a live fraud operation rather than a delayed credential collection exercise. That makes speed, phishing-resistant authentication, and rapid detection far more important than they were in older phishing models.
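To make the OTP-versus-passkey distinction above concrete, here is an added example (not code from the thread or from any vendor) that models both second factors server-side. The bank origin, the lookalike origin, the OTP value and the keys are all constructed for the demo, and an HMAC stands in for the authenticator's public-key signature purely to keep the example short; the point it shows is that an OTP carries no information about where the victim typed it, whereas an origin-bound assertion does.

```python
import hmac
import hashlib
import json
import secrets

RP_ORIGIN = "https://bank.example"             # the legitimate relying party (constructed)
PHISH_ORIGIN = "https://bank-secure.example"   # lookalike phishing origin (constructed)


# --- OTP second factor: the server can only check that the digits match ---
def otp_verify(expected_code: str, submitted_code: str) -> bool:
    """The bank has no way to know which page the user typed the code into."""
    return hmac.compare_digest(expected_code, submitted_code)


# --- Origin-bound second factor (WebAuthn-style, simplified) ---
def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """The browser supplies the origin it is actually on; the authenticator signs
    challenge AND origin together. HMAC is a stand-in for the real asymmetric signature."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def rp_verify(key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying party accepts only if the signature is valid, the challenge is the one it
    issued, and the signed origin is its own origin."""
    data = json.loads(assertion["client_data"])
    expected_sig = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, assertion["signature"])
            and data["challenge"] == expected_challenge
            and data["origin"] == RP_ORIGIN)


def relay_otp_outcome() -> bool:
    """Models the live-panel flow: the bank sends a code, the victim types it into the
    phishing page, the panel forwards it unchanged. The bank accepts it (returns True)."""
    bank_code = "482913"                       # constructed OTP value
    typed_into_phish_page = bank_code
    forwarded_to_bank = typed_into_phish_page
    return otp_verify(bank_code, forwarded_to_bank)


def relay_passkey_outcome() -> bool:
    """Same flow with an origin-bound credential: the challenge is relayed, but the
    victim's browser signs it for the phishing origin, so the bank rejects it (False)."""
    key = secrets.token_bytes(32)              # constructed credential key
    challenge = secrets.token_hex(16)          # issued by the bank to the attacker's session
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp_verify(key, challenge, assertion)
```

The same `rp_verify` accepts an assertion signed for `RP_ORIGIN`, which is why passkeys keep working for the legitimate user while failing for the relayed session.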
 
Quote

For users and organizations, the more effective responses are:

  • Prefer passkeys or hardware-backed phishing-resistant MFA where possible
  • Treat links delivered by messaging apps with the same suspicion as email
  • Avoid entering OTPs after following unsolicited links
  • Use bank alerts and wallet notifications to catch unauthorized provisioning quickly
  • Report phishing messages to the platform provider and relevant service
Unquote

I can tell you that by the time one, especially the elderly, realizes and takes some of the mentioned steps, you'll see their bank savings already partially or completely gone.

What we need is proactive action by users, banks, etc. to beat phishing, starting from user education, with preventive and protective measures etc. incorporated into their phones. The latter can be done but needs knowledge of using and operating the software, something which the general elderly may have difficulty with.
 