Published on April 28, 2026

Chinese-Backed Smishing Services Use OTT Messaging and SMS to Scale Credential Theft


Severity

Medium

Detail

A growing wave of phishing campaigns powered by Phishing-as-a-Service (PhaaS) is targeting users worldwide through everyday messaging platforms. These operations, largely backed by Chinese-language services, enable cybercriminals to launch large-scale credential theft attacks using ready-made phishing kits.

By leveraging trusted communication channels like iMessage and RCS, attackers are significantly increasing their success rates while expanding their reach across multiple countries.

How?

The campaigns operate through PhaaS platforms, where threat actors rent complete phishing toolkits that include pre-built templates, administrative panels, and infrastructure support. This removes the need for advanced technical skills, allowing even low-level actors to execute sophisticated attacks at scale.

Victims are typically targeted through SMS-based smishing or OTT messaging apps such as iMessage and RCS. These messages often impersonate trusted entities like banks, delivery services, or government agencies, urging users to click malicious links and enter sensitive information. Because these messages are delivered through legitimate communication channels, they are more likely to bypass traditional spam filters and raise less suspicion.

A key factor behind the scale of these campaigns is the use of SIM box infrastructure. SIM boxes allow attackers to send massive volumes of SMS messages using multiple SIM cards, making the messages appear as though they originate from normal mobile numbers. This helps evade carrier-level detection systems that typically flag bulk messaging from known commercial gateways.

The backend infrastructure supporting these campaigns is highly flexible. A single PhaaS platform can host multiple phishing templates tailored for different regions, enabling attackers to simultaneously target victims in countries like the United States, United Kingdom, Australia, and Japan. These platforms often operate on affiliate-based models, where different actors use the same infrastructure to run independent campaigns.

When law enforcement disrupts parts of the infrastructure, attackers quickly adapt by rotating domains, switching SIM cards, and rerouting traffic. This resilience allows campaigns to continue operating with minimal interruption, contributing to their rapid global expansion.

Conclusion

This surge in PhaaS-driven phishing highlights a shift toward more accessible and scalable cybercrime operations. Individuals should avoid interacting with unsolicited messages requesting sensitive information and verify any urgent requests through official channels.

Organizations should monitor newly registered domains, strengthen messaging security controls, and implement user awareness programs to reduce the risk of credential theft.
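
One way to act on the domain-monitoring recommendation above, shown as an added example that is not from the original advisory or its source: triage a feed of newly registered domains for lookalikes of the brands an organization needs to protect. The brand names, allowlist, sample feed, digit-swap table and distance threshold are all constructed assumptions.

```python
import re

# Assumed, constructed values: brand labels to protect and the organization's
# own registrable domains. Replace with real ones; none come from the advisory.
BRANDS = ["examplebank", "parcelpost"]
ALLOWLIST = {"examplebank.com", "parcelpost.com"}

# Digit-for-letter swaps commonly seen in lookalike domains (0->o, 1->l, ...).
CONFUSABLES = str.maketrans("01357", "olest")


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(domain):
    """Return (brand, reason) when a domain resembles a protected brand, else None."""
    domain = domain.lower().rstrip(".")
    if any(domain == ok or domain.endswith("." + ok) for ok in ALLOWLIST):
        return None
    labels = domain.split(".")[:-1]  # simplification: treats the TLD as one label
    tokens = [t for label in labels
              for t in re.split(r"[-_]", label.translate(CONFUSABLES)) if t]
    for brand in BRANDS:
        for tok in tokens:
            if brand in tok:
                return brand, "contains"
            # One edit away from the brand: likely a typo-style lookalike.
            if abs(len(tok) - len(brand)) <= 1 and edit_distance(tok, brand) <= 1:
                return brand, "typo"
    return None


def triage(feed):
    """Filter a newly-registered-domain feed down to brand lookalikes."""
    return [(d, *hit) for d in feed if (hit := match_brand(d))]


# Constructed sample feed, not real indicators.
SAMPLE_FEED = ["examplebank.com", "examp1ebank-verify.top", "gardening-tips.net",
               "parcelpast-redelivery.xyz", "secure.parcelpost.track-id.cc"]
```

Hits from a filter like this are leads for review and takedown requests, not verdicts; because the campaigns rotate domains quickly, it is most useful when run against each new batch of registrations.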

Source

https://cybersecuritynews.com/chinese-backed-smishing-services-use-ott-messaging/