Google Threat Intelligence Group (GTIG) analyzed a dozen Chinese-language phishing-as-a-service (PhaaS) platforms, revealing a rapidly maturing ecosystem distinct from its Russian-speaking counterparts. Key trends include real-time interception of one-time passcodes (OTPs) to bypass MFA, abuse of digital wallet provisioning to tokenize stolen payment cards, and delivery over RCS and iMessage to evade carrier-level SMS filtering. AI-assisted tooling such as Darcula (linked to UNC5814) clones legitimate websites on the fly, defeating signature-based detection of phishing pages. A case study of YY Lai Yu shows how these services offer localized templates across 119 countries, including more than 400 Japan-specific lures targeting brands such as PayPay, Nintendo, and Rakuten. Defenders are advised to adopt FIDO2/WebAuthn authentication and risk-based device fingerprinting during digital wallet provisioning, so that phished credentials and intercepted OTPs cannot be replayed against the legitimate service.
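The following added example (not code from the GTIG report or any of the platforms it describes) models why a real-time relay kit succeeds against TOTP but fails against a WebAuthn assertion. The relying-party ID, origins and the lure domain are constructed, and HMAC-SHA256 with a shared credential key stands in for the authenticator's ECDSA signature; everything else (RFC 6238 TOTP, the rpId/origin rules a browser enforces, and the clientData origin and rpIdHash checks the relying party performs) follows the real protocols.

```python
"""Toy model: real-time OTP relay vs. origin-bound WebAuthn.

Constructed names throughout; HMAC-SHA256 stands in for the
authenticator's ECDSA signature.  Added example, not from the GTIG report.
"""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "bank.example"                                   # constructed relying party
RP_ORIGIN = "https://bank.example"                       # constructed
PHISH_ORIGIN = "https://bank-example.login-verify.test"  # constructed lure domain


# ---- TOTP (RFC 6238: HMAC-SHA1 over a 30-second counter, 6 digits) ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(submitted, totp(secret, now))


def otp_relay_attack(secret: bytes, now: int) -> bool:
    # The victim reads the code from their app and types it into the lure page;
    # the kit forwards it to the real site inside the same 30-second window.
    # Nothing in the code binds it to the site the victim was actually on.
    stolen = totp(secret, now)
    return totp_login(secret, stolen, now)


# ---- WebAuthn assertion: signature covers the browser-asserted origin ----
def _host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get_assertion(browser_origin, rp_id, challenge, cred_key):
    # The browser, not the page script, decides whether rp_id is permitted for
    # the current origin, and it writes that origin into clientData itself.
    host = _host(browser_origin)
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # a real browser raises SecurityError here
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_verify(cred_key, expected_challenge, assertion) -> bool:
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                              # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash check
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)


def webauthn_relay_attack(cred_key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)  # issued by the real RP to the kit
    # Kit forwards the real challenge to the victim's browser on the lure origin.
    assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key)
    if assertion is None:
        # Browser refused rp_id for this origin; the kit's only option is its own
        # domain.  (A real authenticator would hold no credential for it; the toy
        # reuses cred_key to show the RP still rejects the result.)
        assertion = browser_get_assertion(PHISH_ORIGIN, _host(PHISH_ORIGIN), challenge, cred_key)
    return rp_verify(cred_key, challenge, assertion)


def legitimate_webauthn_login(cred_key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(RP_ORIGIN, RP_ID, challenge, cred_key)
    return rp_verify(cred_key, challenge, assertion)


if __name__ == "__main__":
    print("OTP relay succeeds:", otp_relay_attack(b"constructed-seed", 1_700_000_000))
    print("WebAuthn login succeeds:", legitimate_webauthn_login(b"constructed-key"))
    print("WebAuthn relay succeeds:", webauthn_relay_attack(b"constructed-key"))
```

The relay kit never has to break any cryptography against TOTP: the code is valid for whoever submits it within the window. Against WebAuthn the kit is stuck on both ends, since the browser refuses to mint an assertion for `bank.example` from a different origin, and any assertion it can obtain carries the lure origin and a foreign rpIdHash inside the signed data, which the relying party rejects.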