Smishing on a Massive Scale: ‘Panda Shop’ Chinese Carding Syndicate

Resecurity, a cybersecurity firm, has identified a new smishing kit called 'Panda Shop' that is being used by a Chinese carding syndicate known as the Smishing Triad. The group has been targeting consumers across the globe, and the kit brings improved features and new templates.

The Smishing Triad was first identified by Resecurity in August 2023, when our team successfully exploited a vulnerability that exposed the threat actors and their infrastructure. Since then, the group has become stealthier and upgraded its tooling, tactics, and procedures (TTPs). What's more alarming is that this group operates on a "Crime-as-a-Service" model, allowing other cybercriminals to use their smishing kit and scale operations targeting consumers in different countries.

Resecurity's investigation has revealed that the Panda Shop smishing kit is based on the same principles used by the Smishing Triad. However, this new kit includes specific improvements and new supported templates. The group uses this kit to target Google Wallet and Apple Pay users, harvesting traditional credit card and PII data, as well as intercepting transactions.

The investigators have noted that besides using Google RCS and Apple iMessage as the primary smishing delivery methods, the group also employs SMS gateways, specialized equipment for network operators, and even telemarketing companies to send messages to mobile subscribers. This combination of methods makes it increasingly difficult for consumers to distinguish between legitimate and malicious messages.

One identified threat actor can now send up to 2,000,000 smishing messages daily, which is a staggering number that raises serious concerns about the scale of global smishing activity generated by Chinese cybercriminals. This means that the Smishing Triad and similar groups could potentially target up to 60,000,000 victims per month or 720,000,000 per year - enough to target every person in the US at least twice every year.

The consequences of this smishing activity are far-reaching, with financial losses running into millions annually. Resecurity's engagements with financial institutions globally have shown that these crimes generate significant revenue for cybercriminals. The spectrum of crimes conducted due to smishing ranges from traditional carding and NFC-enabled fraud to money laundering chains.

Consumers should be aware of the risks associated with smishing and take the necessary precautions to protect themselves. Resecurity urges everyone to be vigilant and report any suspicious activity to the relevant authorities.
