
China-based SMS Phishing Triad Pivots to Banks

We’ve posted details of many smishing (SMS phishing) attack reports on VirusTotal.com, most of them related to fake toll road payment demands.

Most of these SMS phishing campaigns targeted drivers across the United States, impersonating state toll agencies and tricking victims into clicking links to malicious sites designed to steal personal and financial information.

But as Brian Krebs reported in his April 2025 article, China-Based SMS Phishing Triad Pivots to Banks, one of the largest organized SMS phishing groups operating out of China is now shifting its focus.

We Identified Bank-Based Smishing Years Ago

Interestingly, this shift isn’t new to us.

We actually reported bank-based smishing attacks two years ago — long before this latest wave hit the mainstream news. Many of our earlier VirusTotal uploads included fake bank alert SMS samples alongside the toll road phishing kits.

This recent pivot confirms what we’ve been observing: organized smishing crews are highly adaptable and quick to re-use infrastructure for whatever scam is most profitable at the time.

The New Target: Your Bank Account

Instead of impersonating toll road agencies, this triad has pivoted to spoofing U.S. banks directly. Victims now receive fake fraud alerts claiming suspicious activity on their bank account, urging them to click a link to "verify" their information.

The Phishing Flow Usually Looks Like This:

  1. SMS claims suspicious activity on your bank account.
  2. Victim clicks link → Fake bank login page.
  3. Victim enters:
     • Online banking username/password.
     • Debit/credit card information.
     • Security questions.
     • SMS 2FA code if prompted.

Once entered, the attackers can:

  • Drain bank accounts.
  • Steal personal identity data.
  • Commit fraud at scale.

Infrastructure Recycling at Scale

One thing that stands out about this China-based operation is how efficiently they re-use and recycle their phishing infrastructure.

What They Re-Use:

  • Domain names → Reskinned from toll scams to bank scams.
  • SMS delivery systems → Already tuned for U.S. carriers.
  • Phishing kits → Modular and fast to deploy new themes.

This is industrial-scale phishing — designed for speed, scale, and maximum profit.

Even More Bad News: Astaroth + 'Fast Flux'

These new smishing campaigns will likely take advantage of the new Astaroth phishing kit combined with 'Fast Flux' hosting. Together they can slip past today's DNS and IP blocklists for long enough to capture not just passwords but also 2FA codes and session tokens.

  • Astaroth shares its name with an older banking trojan, but the new variant is a phishing kit that runs entirely on attacker-hosted web infrastructure rather than as malware on the victim's device, capturing credentials, 2FA codes and session cookies as the victim enters them.
  • Fast Flux is a hosting technique in which the IP addresses (and, in double flux, the name servers) behind a malicious domain are rotated rapidly using very short DNS TTLs, so that no single address stays blockable for long.

DNS and IP blocklists are reactive: an entry is added only after a name or address has been observed, reported and confirmed, and with fast flux each address may be in use for only minutes, so the list is always chasing infrastructure the attackers have already rotated away from. Because Astaroth's phishing pages sit on that same rotating infrastructure, smishing victims can be sent to a live page, and their credentials, 2FA codes and session cookies captured, before the site is identified and reactively blocked or taken down.
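Blocklists cannot keep up with rotating addresses, but the rotation itself is observable. The following is an added example (not code from the original post or from White Cloud Security) of the kind of check a defender can run over passive-DNS observations: a name whose A records spread across many addresses and many networks with short TTLs is flagged as fast-flux hosted. The records, names and addresses are constructed for this example using RFC 5737 documentation ranges, the thresholds are illustrative, and the /24 grouping is a stand-in for a real ASN lookup.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed passive-DNS style observations for one monitoring window:
# (seconds since window start, queried name, A-record answer, TTL in seconds).
# The names and addresses are invented for this example (RFC 5737 documentation
# ranges) and are not real phishing or bank infrastructure.
SAMPLE_RECORDS = [
    (0,    "verify-account.example", "203.0.113.10",  60),
    (60,   "verify-account.example", "198.51.100.22", 60),
    (120,  "verify-account.example", "192.0.2.77",    60),
    (180,  "verify-account.example", "203.0.113.140", 60),
    (240,  "verify-account.example", "198.51.100.9",  60),
    (300,  "verify-account.example", "192.0.2.201",   60),
    (0,    "www.bank.example",       "198.51.100.5",  3600),
    (3600, "www.bank.example",       "198.51.100.5",  3600),
    (7200, "www.bank.example",       "198.51.100.6",  3600),
]


@dataclass
class FluxVerdict:
    name: str
    distinct_ips: int
    distinct_nets: int
    min_ttl: int
    median_ttl: float
    flux: bool


def score_fast_flux(records, min_ips=5, min_nets=3, max_median_ttl=300):
    """Group A-record answers by name and flag names whose answers rotate across
    many addresses and many networks with short TTLs, the signature of
    single-flux hosting. Thresholds are illustrative, not tuned values."""
    by_name = defaultdict(list)
    for _ts, name, ip, ttl in records:
        by_name[name].append((ip, ttl))

    verdicts = {}
    for name, answers in by_name.items():
        ips = {ip for ip, _ in answers}
        # /24 is a cheap stand-in for network diversity; a production detector
        # would map each address to its ASN with an external dataset instead.
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        ttls = [ttl for _, ttl in answers]
        med = median(ttls)
        verdicts[name] = FluxVerdict(
            name=name,
            distinct_ips=len(ips),
            distinct_nets=len(nets),
            min_ttl=min(ttls),
            median_ttl=med,
            flux=len(ips) >= min_ips and len(nets) >= min_nets and med <= max_median_ttl,
        )
    return verdicts


if __name__ == "__main__":
    for verdict in score_fast_flux(SAMPLE_RECORDS).values():
        print(verdict)
```

Run as-is it flags verify-account.example (six addresses in three networks, TTL 60) and leaves www.bank.example alone (two addresses in one network, TTL 3600). The point is that the verdict comes from the behaviour of the name over a window, not from a list entry that has to exist before the first victim clicks.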

Why the Shift?

Bank-themed phishing is nothing new — but what makes this pivot notable is the size, scale, and automation used by these actors.

Likely Reasons for the Pivot:

  • Increased awareness of toll road scams.
  • Faster domain takedowns for toll agencies.
  • Banks offer a higher financial reward.
  • Smishing SMS delivery infrastructure already in place.

The return-on-investment is simply higher for bank fraud than chasing unpaid toll fines.

Protecting Against SMS Phishing

White Cloud Security’s Zero-Trust approach is built on the idea that trust must be earned — not assumed.

That applies equally to apps on your endpoints and to any message that arrives on your phone.

The Good News: We Defeat 'Fast Flux' by Default

Our Trust Lockdown automatically interdicts and blocks Fast Flux DNS-based attacks.

User Tips:

  • Never click links from unexpected text messages.
  • Don't trust messages claiming to be from your bank — go directly to their official website or app.
  • Enable strong authentication — ideally app-based (not SMS-based) 2FA.

Enterprise Tips:

  • Monitor for smishing domains impersonating your brand.
  • Report phishing SMS numbers to your carrier.
  • Train your users on emerging smishing tactics.
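Monitoring for smishing domains that impersonate your brand is the first enterprise tip above, and the reskinned domains described under "Infrastructure Recycling" are exactly what such a monitor should surface. The following is an added example (not code from the original post or from White Cloud Security) of the three checks a practitioner typically runs over a feed of newly seen domains: brand token present, homoglyph substitution (1 for l, rn for m), and a typo or transposition within edit distance one. The brand "examplebank" and every candidate domain are constructed for this example; the second-level-label extraction is a simplification that a real monitor would replace with the Public Suffix List.

```python
# Constructed candidate list, as it might be harvested from a certificate
# transparency or newly-registered-domain feed. The brand "examplebank" and
# every domain below are invented for this example.
BRAND = "examplebank"
CANDIDATES = [
    "examplebank-alerts.com",   # brand token plus a lure word
    "login.examp1ebank.net",    # digit 1 standing in for l
    "exarnplebank.com",         # "rn" standing in for m
    "exampelbank.com",          # transposed letters
    "weather.example",          # unrelated, should not match
    "bankofsomething.com",      # unrelated, should not match
]

# Single- and multi-character substitutions that render alike in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_homoglyphs(label: str) -> str:
    """Fold common look-alike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so a swapped letter pair costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain. This is a simplification: a real
    monitor should use the Public Suffix List so that e.g. 'co.uk' is handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain: str, brand: str = BRAND, max_distance: int = 1):
    """Return why the domain looks like a brand impersonation, or None."""
    label = registrable_label(domain)
    folded = normalize_homoglyphs(label)
    if brand in label:
        return "contains-brand"
    if brand in folded:
        return "homoglyph"
    # Compare the hyphen-separated tokens too, so that a label such as
    # "exampelbank-secure" is still caught as a typosquat.
    for token in folded.split("-"):
        if osa_distance(token, brand) <= max_distance:
            return "typosquat"
    return None


def find_lookalikes(domains, brand: str = BRAND):
    """Map each flagged domain to the reason it was flagged."""
    hits = {}
    for domain in domains:
        reason = classify_domain(domain, brand)
        if reason:
            hits[domain] = reason
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes(CANDIDATES).items():
        print(f"{domain:28} {reason}")
```

Four of the six constructed candidates are flagged, each with the reason that caught it, and the two unrelated names pass. Feeding a monitor like this from certificate transparency logs matters for smishing in particular: the kits described above serve their pages over HTTPS, so the certificate for a lookalike domain is often public before the first SMS goes out.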

Final Thoughts

This latest pivot by China-based SMS phishers is a reminder that attackers evolve rapidly. When one scam loses effectiveness, another rises to take its place.

At White Cloud Security, we continue to track and report new hacking methods and tools, not just because of the immediate threat they pose, but because patterns of reuse often expose the playbooks of these cybercriminal groups.

See What We’re Tracking

See examples of toll road and bank Smishing we've reported on VirusTotal.com.