2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services
Chinese-language Phishing-as-a-Service (PhaaS) platforms are evolving to utilize real-time interception and AI-driven automation to bypass MFA and tokenize stolen payment data into digital wallets. Threat actors leverage encrypted messaging protocols like RCS and iMessage for delivery, while platforms like YY Lai Yu provide highly localized, dynamic phishing infrastructure to target global consumers.
Authors: Jamie Collier
Source: Mandiant (Google)
Detection / Hunter
What Happened
Cybercriminals are increasingly using Chinese-language 'Phishing-as-a-Service' platforms to steal login and payment information. These services target the general public globally, with a recent heavy focus on Japan, by sending fake messages through secure apps like iMessage and RCS. The attackers use real-time tricks to steal one-time passwords (OTPs) and add victims' credit cards to digital wallets for immediate fraudulent spending. To protect against these advanced scams, organizations should adopt stronger authentication methods like physical security keys (FIDO2) and banks should improve verification when adding cards to digital wallets.
Key Takeaways
- Chinese-language PhaaS platforms are shifting from static credential harvesting to real-time interception to capture OTPs and bypass MFA.
- Attackers are heavily focused on monetizing stolen credentials by provisioning victims' payment cards into attacker-controlled digital wallets.
- Delivery methods increasingly rely on encrypted channels like RCS and iMessage to evade traditional carrier-level SMS filtering.
- Platforms like YY Lai Yu offer 'Localization-as-a-Service', providing highly tailored, region-specific lures (e.g., targeting Japanese consumers with local transit and payment app themes).
- Threat actors are utilizing AI and browser automation (e.g., Puppeteer) to dynamically clone legitimate sites, rendering signature-based detection ineffective.
Affected Systems
- Mobile Devices (iOS/Android)
- Digital Wallets
- Consumer Financial Accounts
- MFA/OTP Systems
Attack Chain
The attack begins with the delivery of a malicious link via encrypted messaging channels like RCS or iMessage. When the victim clicks the link, they are presented with a dynamically generated, localized phishing page that often includes a human verification anti-bot screen. As the victim enters their credentials and triggers an OTP, the attacker intercepts this data in real-time via an administration panel. The attacker then uses the intercepted OTP to provision the victim's payment card into an attacker-controlled digital wallet for fraudulent transactions.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries, focusing instead on behavioral trends and strategic mitigations.
Detection Engineering Assessment
- EDR Visibility: Low. The attack primarily occurs on mobile devices via RCS/iMessage and interacts with external phishing infrastructure, limiting traditional endpoint EDR visibility.
- Network Visibility: Medium. Network controls can potentially identify traffic to newly registered or known malicious domains, though the use of dynamic AI-generated pages and anti-bot screens complicates automated scanning.
- Detection Difficulty: Hard. The use of encrypted messaging for delivery, real-time OTP interception, and dynamic AI-generated pages makes signature-based detection and automated analysis highly ineffective.
Required Log Sources
- Authentication Logs
- Identity Provider (IdP) Logs
- Web Proxy Logs
- DNS Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous MFA requests where the geographic location or device fingerprint of the authentication attempt differs significantly from the user's typical baseline, indicating potential real-time interception. | Authentication Logs, Identity Provider (IdP) Logs | Credential Access | Medium (Users traveling or using new devices/VPNs may trigger similar alerts) |
Control Gaps
- SMS/OTP-based MFA
- Traditional static phishing detection
- Carrier-level SMS filtering (bypassed by RCS/iMessage)
Key Behavioral Indicators
- Rapid sequence of login and OTP submission from disparate IP addresses
- Unexpected digital wallet provisioning alerts
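The hunting hypothesis above (MFA attempts whose location or device fingerprint departs from the user's baseline) and the first behavioral indicator (a login followed quickly by an OTP submission from a different IP) can both be expressed as a single pass over authentication logs. The following is an added example, not code from the Mandiant report: the JSON-lines log format, the field names, the per-user baseline table and the five-minute correlation window are all assumptions chosen for the demonstration, and the log lines are constructed.

```python
"""Hunting helper for real-time OTP interception patterns (added example).

Assumed input: one JSON object per line from an IdP/authentication log with
fields ts, user, event, ip, country, device_id. Assumed event names:
"password_ok" (primary factor accepted) and "otp_submitted" (second factor
presented). Both the format and the baseline table are constructed here.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str
    ip: str
    country: str
    device_id: str


# Constructed sample: alice's credentials are relayed from attacker
# infrastructure (new country, new device, OTP from a second IP within
# seconds); bob is a normal login; carol's OTP arrives outside the window.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00+00:00","user":"alice","event":"password_ok","ip":"198.51.100.7","country":"FR","device_id":"dev-x9"}
{"ts":"2024-05-01T10:01:30+00:00","user":"alice","event":"otp_submitted","ip":"198.51.100.22","country":"FR","device_id":"dev-x9"}
{"ts":"2024-05-01T10:02:00+00:00","user":"bob","event":"password_ok","ip":"192.0.2.5","country":"US","device_id":"dev-b1"}
{"ts":"2024-05-01T10:02:30+00:00","user":"bob","event":"otp_submitted","ip":"192.0.2.5","country":"US","device_id":"dev-b1"}
{"ts":"2024-05-01T10:05:00+00:00","user":"carol","event":"password_ok","ip":"192.0.2.40","country":"DE","device_id":"dev-c3"}
{"ts":"2024-05-01T10:16:00+00:00","user":"carol","event":"otp_submitted","ip":"192.0.2.41","country":"DE","device_id":"dev-c3"}
"""

# Constructed per-user baseline: countries and device ids seen historically.
BASELINE = {
    "alice": {"countries": {"JP"}, "devices": {"dev-a1"}},
    "bob": {"countries": {"US"}, "devices": {"dev-b1"}},
}

# Assumed correlation window between primary login and OTP submission.
OTP_WINDOW = timedelta(minutes=5)


def load_events(text):
    """Parse JSON-lines auth log text into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(AuthEvent(
            ts=datetime.fromisoformat(rec["ts"]),
            user=rec["user"],
            event=rec["event"],
            ip=rec["ip"],
            country=rec["country"],
            device_id=rec["device_id"],
        ))
    return events


def hunt(events, baseline, window=OTP_WINDOW):
    """Return findings for OTP submissions that are inconsistent with the
    preceding login or with the user's historical baseline."""
    findings = []
    last_login = {}  # user -> most recent password_ok event
    for e in sorted(events, key=lambda x: x.ts):
        if e.event == "password_ok":
            last_login[e.user] = e
            continue
        if e.event != "otp_submitted":
            continue
        reasons = []
        prior = last_login.get(e.user)
        # Indicator: login and OTP in quick succession from different IPs.
        if prior is not None and e.ts - prior.ts <= window and e.ip != prior.ip:
            reasons.append(f"otp_ip_differs_from_login:{prior.ip}->{e.ip}")
        # Hypothesis: location or device fingerprint outside the baseline.
        b = baseline.get(e.user)
        if b is not None:
            if e.country not in b["countries"]:
                reasons.append(f"country_outside_baseline:{e.country}")
            if e.device_id not in b["devices"]:
                reasons.append(f"device_outside_baseline:{e.device_id}")
        if reasons:
            findings.append({"user": e.user, "ts": e.ts.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(load_events(SAMPLE_LOG), BASELINE):
        print(json.dumps(f))
```

On the constructed sample only alice is flagged, with all three reasons; bob matches his baseline and carol's OTP falls outside the window and has no baseline to compare against. In production the baseline would be derived from a trailing window of successful logins, and each reason would be weighted separately, since a device or country change alone carries the medium false-positive risk noted in the table (travel, new phones, VPNs), whereas a login and OTP from different IPs within seconds is the more specific signal.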
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate whether current MFA implementations rely heavily on SMS or standard OTPs, and identify high-risk users for immediate upgrade.
Infrastructure Hardening
- Consider transitioning to FIDO2/WebAuthn infrastructure (e.g., physical security keys or passkeys) to prevent real-time interception of authentication tokens.
- If applicable, work with issuing banks or payment processors to enforce strict risk-based verification and device fingerprinting during digital wallet provisioning.
User Protection
- Evaluate whether mobile device management (MDM) policies can restrict or monitor the provisioning of corporate cards to unmanaged digital wallets.
- Consider implementing advanced mobile threat defense (MTD) solutions to detect malicious links delivered via RCS or iMessage.
Security Awareness
- Update security awareness training to educate users on the risks of phishing links delivered via RCS and iMessage, not just traditional SMS or email.
- Instruct users to be highly suspicious of unexpected prompts to provision payment cards to digital wallets or requests for OTPs related to rewards programs.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1111 - Two-Factor Authentication Interception
- T1589.001 - Gather Victim Identity Information: Credentials
- T1586.002 - Compromise Accounts: Email Accounts