Government contractor fraud is at the heart of a new indictment returned by a federal grand jury in Washington, D.C. against a former senior manager in Virginia. Prosecutors say Danielle Hillmer, 53, of Chantilly, misled federal agencies for more than a year about the security of a cloud platform used by the U.S. Army and other government customers. The indictment, announced yesterday, charges Hillmer with major government contractor fraud, wire fraud, and obstruction of federal audits. According to prosecutors, she concealed serious weaknesses in the system while presenting it as fully compliant with strict federal cybersecurity standards.

Government Contractor Fraud: Alleged Scheme to Mislead Agencies

According to court documents, Hillmer’s actions spanned from March 2020 through November 2021. During this period, she allegedly obstructed auditors and misrepresented the platform’s compliance with the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s Risk Management Framework. The indictment claims that while the platform was marketed as a secure environment for federal agencies, it lacked critical safeguards such as access controls, logging, and monitoring. Despite repeated warnings, Hillmer allegedly insisted the system met the FedRAMP High baseline and DoD Impact Levels 4 and 5, both of which are required for handling sensitive government data.

Obstruction of Audits

Federal prosecutors allege Hillmer went further by attempting to obstruct third-party assessors during audits in 2020 and 2021. She is accused of concealing deficiencies and instructing others to hide the true state of the system during testing and demonstrations. The indictment also states that Hillmer misled the U.S. Army to secure sponsorship for a Department of Defense provisional authorization. She allegedly submitted, and directed others to submit, authorization materials containing false information to assessors, authorizing officials, and government customers. These misrepresentations, prosecutors say, allowed the contractor to obtain and maintain government contracts under false pretenses.

Charges and Potential Penalties

Hillmer faces two counts of wire fraud, one count of major government fraud, and two counts of obstruction of a federal audit. If convicted, she could face:

• Up to 20 years in prison for each wire fraud count
• Up to 10 years in prison for major government fraud
• Up to 5 years in prison for each obstruction count

A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. The indictment was announced by Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division and Deputy Inspector General Robert C. Erickson of the U.S. General Services Administration Office of Inspector General (GSA-OIG). The case is being investigated by the GSA-OIG, the Defense Criminal Investigative Service, the Naval Criminal Investigative Service, and the Department of the Army Criminal Investigation Division. Trial Attorneys Lauren Archer and Paul Hayden of the Criminal Division’s Fraud Section are prosecuting the case.

Broader Implications of Government Contractor Fraud

The indictment highlights ongoing concerns about the integrity of cloud platforms used by federal agencies. Programs like FedRAMP and the DoD’s Risk Management Framework are designed to ensure that systems handling sensitive government data meet rigorous security standards. Allegations that a contractor misrepresented compliance raise questions about oversight and the risks posed to national security when platforms fall short of requirements. Federal officials emphasized that the government contractor fraud case highlights the importance of transparency and accountability in government contracting, particularly in areas involving cybersecurity. Note: It is important to note that an indictment is merely an allegation. Hillmer, like all defendants, is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

India's Central Bureau of Investigation filed a chargesheet against 30 accused including two Chinese nationals who allegedly ran a cyber fraud network that siphoned over ₹1,000 crore (approximately US$112 million) from Indian investors through fake cryptocurrency mining platforms, loan apps, and bogus online job offers during the COVID-19 lockdown period.

The HPZ Token Investment Fraud case has exposed a well-coordinated transnational criminal syndicate that exploited India's emerging payment aggregation systems to launder proceeds at unprecedented speed through multiple shell companies before converting funds to cryptocurrency and transferring them overseas.

The fraud began when Shigoo Technology Pvt. Ltd., an entity owned and controlled by Chinese nationals, launched a fake mobile application titled "HPZ Tokens" claiming investments would be used for cryptocurrency mining yielding very high returns. Within just three months, crores were collected and diverted by fraudsters targeting vulnerable investors during pandemic lockdowns.

Chinese Nationals Directed Shell Company Network

Wan Jun served as director of Jilian Consultants India Private Limited, a subsidiary of Chinese entity Jilian Consultants. With help from accomplice Dortse, Wan Jun successfully created several shell companies including Shigoo Technologies that became conduits to collect and launder proceeds from major organized cyber frauds.

The second Chinese national charged, Li Anming, played key roles directing operations alongside Wan Jun. CBI investigation revealed these frauds were connected and controlled by a single organized criminal syndicate based overseas.

Jilian Consultants hired professionals including company secretaries and chartered accountants to create shell companies that helped them run the operation with ease. Money collected was converted into cryptocurrencies before being sent out of the country.

Also read: CBI Arrests Fugitive Cybercrime Kingpin, Busts Fifth Illegal Call Center Targeting US Nationals

Exploitation of Payment Aggregators

The investigation revealed misuse of payment aggregation systems that had just taken off in India at the time of the Covid-19 pandemic. Payment aggregators were providing large collection and money disbursal services using technology to genuine companies, with systems allowing users to access large numbers of bank accounts simultaneously.

Fraudsters exploited this well-structured payment infrastructure to launder money at high speed from accounts of one shell company to another. The system also allowed them to partially disburse money back to investors to gain confidence, sustaining the fraud scheme longer.

Total money moved from bank accounts of these companies surpassed ₹1,000 crore within just a few months.

Ongoing Investigation in Cyber Fraud Network

CBI initially arrested six people named Dortse, Rajni Kohli, Sushanta Behra, Abhishek, Mohd Imdhad Husain, and Rajat Jain. The agency has now filed chargesheet against 27 accused persons and three companies, with further investigation continuing against other suspects.

The investigation revealed this was not an isolated incident but part of a large cyber crime network responsible for several scams targeting Indian citizens in the post-COVID period using loan apps, fake investment platforms, and bogus online job offers.

"The CBI remains steadfast in its unwavering commitment to dismantling these sophisticated cyber fraud networks through relentless operations like Chakra-V," the agency said. The CBI will continue to fortify India's digital economy, protect vulnerable investors, execute targeted arrests, seize assets, and forge international collaborations."

Also read: Indo-U.S. Agencies Dismantle Cybercrime Network Targeting U.S. Nationals

TransUnion today added an ability to create digital fingerprints without relying on cookies that identify, in real time, risky devices and other hidden anomalies to its Device Risk service for combatting fraud. Clint Lowry, vice president of global fraud solutions at TransUnion, said these capabilities extend a service that makes use of machine learning models..

The post TransUnion Extends Ability to Detect Fraudulent Usage of Devices appeared first on Security Boulevard.

The BBB warns of a rising ghost-tap scam exploiting tap-to-pay cards and mobile wallets. How attackers use NFC proximity tricks.

The post Ghost-Tap Scam Makes Payments Scarier  appeared first on Security Boulevard.

China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.

Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone. The phishing websites will only load if the recipient visits with a mobile device, and they ask for the visitor’s name, address, phone number and payment card data to claim the points.

If card data is submitted, the site will then prompt the user to share a one-time code sent via SMS by their financial institution. In reality, the bank is sending the code because the fraudsters have just attempted to enroll the victim’s phished card details in a mobile wallet from Apple or Google. If the victim also provides that one-time code, the phishers can then link the victim’s card to a mobile device that they physically control.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said multiple China-based cybercriminal groups that sell phishing-as-a-service platforms have been using the mobile points lure for some time, but the scam has only recently been pointed at consumers in the United States.

“These points redemption schemes have not been very popular in the U.S., but have been in other geographies like EU and Asia for a while now,” Merrill said.

A review of other domains flagged by urlscan.io as tied to this Chinese SMS phishing syndicate shows they are also spoofing U.S. state tax authorities, telling recipients they have an unclaimed tax refund. Again, the goal is to phish the user’s payment card information and one-time code.

CAVEAT EMPTOR

Many SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious. But Merrill said one burgeoning area of growth for these phishing kits — fake e-commerce shops — can be far harder to spot because they do not call attention to themselves by spamming the entire world.

Merrill said the same Chinese phishing kits used to blast out package redelivery message scams are equipped with modules that make it simple to quickly deploy a fleet of fake but convincing e-commerce storefronts. Those phony stores are typically advertised on Google and Facebook, and consumers usually end up at them by searching online for deals on specific products.

With these fake e-commerce stores, the customer is supplying their payment card and personal information as part of the normal check-out process, which is then punctuated by a request for a one-time code sent by your financial institution. The fake shopping site claims the code is required by the user’s bank to verify the transaction, but it is sent to the user because the scammers immediately attempt to enroll the supplied card data in a mobile wallet.

According to Merrill, it is only during the check-out process that these fake shops will fetch the malicious code that gives them away as fraudulent, which tends to make it difficult to locate these stores simply by mass-scanning the web. Also, most customers who pay for products through these sites don’t realize they’ve been snookered until weeks later when the purchased item fails to arrive.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill said. “They can go months without being shut down, they’re hard to discover, and they generally don’t get flagged by safe browsing tools.”

Happily, reporting these SMS phishing lures and websites is one of the fastest ways to get them properly identified and shut down. Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. SURBL has created a website called smishreport.com that asks users to forward a screenshot of any smishing message(s) received.

“If [a domain is] unlisted, we can find and add the new pattern and kill the rest” of the matching domains, Dijkxhoorn said. “Just make a screenshot and upload. The tool does the rest.”

Merrill said the last few weeks of the calendar year typically see a big uptick in smishing — particularly package redelivery schemes that spoof the U.S. Postal Service or commercial shipping companies.

“Every holiday season there is an explosion in smishing activity,” he said. “Everyone is in a bigger hurry, frantically shopping online, paying less attention than they should, and they’re just in a better mindset to get phished.”

SHOP ONLINE LIKE A SECURITY PRO

As we can see, adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet. Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers (think third-party sellers on these platforms).

If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.

If you receive a message warning about a problem with an order or shipment, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down.

But it’s not just outright scammers who can trip up your holiday shopping: Often times, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling.

So be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.

Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.

A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday.

Researchers have previously tracked smaller pieces of the enormous infrastructure. Last month, security firm Sucuri reported that the operation seeks out and compromises poorly configured websites running the WordPress CMS. Imperva in January said the attackers also scan for and exploit web apps built with the PHP programming language that have existing webshells or vulnerabilities. Once the weaknesses are exploited, the attackers install a GSocket, a backdoor that the attackers use to compromise servers and host gambling web content on them.

All of the gambling sites target Indonesian-speaking visitors. Because Indonesian law prohibits gambling, many people in that country are drawn to illicit services. Most of the 236,433 attacker-owned domains hosting the gambling sites are hosted on Cloudflare. Most of the 1,481 hijacked subdomains were hosted on Amazon Web Services, Azure, and GitHub.

Read full article

Comments

© Getty Images

India’s Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user’s device.   The mandate is part of the government’s intensified efforts to combat cyber fraud and strengthen nationwide cybersecurity compliance. The directive requires App-Based Communication Service providers to implement persistent SIM-linking within 90 days and submit detailed cybersecurity compliance reports within 120 days. The move seeks to eliminate longstanding gaps in identity verification systems that have enabled malicious actors to misuse Indian mobile numbers from outside the country. 

New Rules for SIM-Binding Communication 

According to the new requirements, messaging services must operate only when the user’s active SIM card matches the credentials stored by the app. If a SIM card is removed, replaced, or deactivated, the corresponding app session must immediately cease to function. The rules also extend to web-based interfaces: platforms must automatically log users out at least every six hours, requiring a QR-based reauthentication that is tied to the same active SIM.  These changes aim to reduce the misuse of Indian telecom identifiers, which authorities say have been exploited for spoofing, impersonation, and other forms of cyber fraud. By enforcing strict SIM-binding, the DoT intends to establish a clearer traceability chain between the user, their device, and their telecom credentials. 

Why Stricter Controls Were Needed 

Government observations revealed that many communication apps continued functioning even after the linked SIM card was removed. This allowed foreign-based actors to operate accounts associated with Indian mobile numbers without proper authentication. The ability to hijack accounts or mask locations contributed directly to an uptick in cybercrimes, often involving financial scams or identity theft.  Industry groups had previously flagged this vulnerability as well. The Cellular Operators Association of India (COAI), for instance, noted that authentication typically occurs only once, during initial setup, which leaves apps operational even if the SIM is no longer present. By requiring ongoing SIM-binding, authorities aim to close this loophole and establish reliable verification pathways essential for cybersecurity compliance.  The new mandate draws support from multiple regulatory frameworks, including the Telecommunications Act, 2023, and subsequent cybersecurity rules issued in 2024 and 2025. Platforms that fail to comply could face penalties, service restrictions, or other legal consequences under India’s telecom and cybersecurity laws. 

Impact on Platforms and Users 

Messaging platforms must redesign parts of their infrastructure to support real-time SIM authentication and implement secure logout mechanisms for multi-device access. They are also expected to maintain detailed logs and participate in audits to demonstrate cybersecurity compliance.  For users, the changes may introduce constraints. Accessing a messaging app without the original active SIM will no longer be possible. Cross-device flexibility, particularly through desktop or browser-based interfaces, may also be reduced due to the six-hour logout requirement. However, policymakers argue that these inconveniences are offset by a reduced risk of cyber fraud.  India’s focus on SIM-binding aligns with practices already common in financial services. Banking and UPI applications, for example, require an active SIM for verification to minimize fraud. Other regulators have taken similar steps: earlier in 2025, the Securities and Exchange Board of India (SEBI) proposed linking trading accounts to specific SIM cards and incorporating biometric checks to prevent unauthorized transactions. 

India Mandates Pre-Installed Cybersecurity App on Smartphones

In a parallel move to strengthen digital security, India’s telecom ministry has ordered all major smartphone manufacturers, including Apple, Samsung, Vivo, Oppo, and Xiaomi, to pre-install its cybersecurity app Sanchar Saathi on all new devices within 90 days, and push it via updates to existing devices. The app must be installed in a way that users cannot disable or delete it. Launched in January, Sanchar Saathi has already helped recover over 700,000 lost phones, blocked 3.7 million stolen devices, terminated 30 million fraudulent connections, and assists in tracking devices and preventing counterfeit phones. The app verifies IMEI numbers, blocks stolen devices, and combats scams involving duplicate or spoofed IMEIs. The move is aimed at strengthening India’s telecom cybersecurity but may face resistance from Apple and privacy advocates, as Apple traditionally opposes pre-installation of government or third-party apps. Industry officials have expressed concerns over privacy, user choice, and operational feasibility, while the government emphasizes the app’s role in digital safety and fraud prevention.

The FBI says that account takeover scams this year have resulted in 5,100-plus complaints in the U.S. and $262 million in money stolen, and Bitdefender says the combination of the growing number of ATO incidents and risky consumer behavior is creating an increasingly dangerous environment that will let such fraud expand.

The post FBI: Account Takeover Scammers Stole $262 Million this Year appeared first on Security Boulevard.

Peak e-commerce season hits retailers every year just as the Halloween decorations start to come down. Unsurprisingly, cyber criminals see this time as an opportunity to strike, and criminal activity online spikes alongside sales. Shockingly, 4.6% of attempted e-commerce transactions during the 2024 Black Friday period were suspected to be digital fraud. In the UK..

The post How to Protect from Online Fraud This Holiday Season appeared first on Security Boulevard.

AI-enabled cybercriminals are exploiting the holiday shopping season with precision phishing, account takeovers, payment skimming and ransomware, forcing retailers to adopt real-time, adaptive defenses to keep pace.

The post AI Cybercriminals Target Black Friday and Cyber Monday appeared first on Security Boulevard.

The Account Takeover fraud threat is accelerating across the United States, prompting the Federal Bureau of Investigation (FBI) to issue a new alert warning individuals, businesses, and organizations of all sizes to stay vigilant. According to the FBI Internet Crime Complaint Center (IC3), more than 5,100 complaints related to ATO fraud have been filed since January 2025, with reported losses exceeding $262 million. The bureau warns that cyber criminals are increasingly impersonating financial institutions to steal money or sensitive information. As the annual Black Friday sale draws millions of shoppers online, the FBI notes that the surge in digital purchases creates an ideal environment for Account Takeover fraud. With consumers frequently visiting unfamiliar retail websites and acting quickly to secure limited-time deals, cyber criminals deploy fake customer support calls, phishing pages, and fraudulent ads disguised as payment or discount portals. The increased online activity during Black Friday makes it easier for attackers to blend in and harder for victims to notice red flags, making the shopping season a lucrative window for ATO scams.

How Account Takeover Fraud Works

In an ATO scheme, cyber criminals gain unauthorized access to online financial, payroll, or health savings accounts. Their goal is simple: steal funds or gather personal data that can be reused for additional fraudulent activities. The FBI notes that these attacks often start with impersonation, either of a financial institution’s staff, customer support teams, or even the institution’s official website. To carry out their schemes, criminals rely heavily on social engineering and phishing websites designed to look identical to legitimate portals. These tactics create a false sense of trust, encouraging account owners to unknowingly hand over their login credentials.

Social Engineering Tactics Increase in Frequency

The FBI highlights that most ATO cases begin with social engineering, where cyber criminals manipulate victims into sharing sensitive information such as passwords, multi-factor authentication (MFA) codes, or one-time passcodes (OTP). Common techniques include:

• Fraudulent text messages, emails, or calls claiming unusual activity or unauthorized charges. Victims are often directed to click on phishing links or speak to fake customer support representatives.
• Attackers posing as bank employees or technical support agents who convince victims to share login details under the guise of preventing fraudulent transactions.
• Scenarios where cyber criminals claim the victim’s identity was used to make unlawful purchases—sometimes involving firearms, and escalate the scam by introducing another impersonator posing as law enforcement.

Once armed with stolen credentials, criminals reset account passwords and gain full control, locking legitimate users out of their own accounts.

Phishing Websites and SEO Poisoning Drive More Losses

Another growing trend is the use of sophisticated phishing domains and websites that perfectly mimic authentic financial institution portals. Victims believe they are logging into their bank or payroll system, but instead, they are handing their details directly to attackers. The FBI also warns about SEO poisoning, a method in which cyber criminals purchase search engine ads or manipulate search rankings to make fraudulent sites appear legitimate. When victims search for their bank online, these deceptive ads redirect them to phishing sites that capture their login information. Once attackers secure access, they rapidly transfer funds to criminal-controlled accounts—many linked to cryptocurrency wallets—making transactions difficult to trace or recover.

How to Stay Protected Against ATO Fraud

The FBI urges customers and businesses to take proactive measures to defend against ATO fraud attempts:

• Limit personal information shared publicly, especially on social media.
• Monitor financial accounts regularly for missing deposits, unauthorized withdrawals, or suspicious wire transfers.
• Use unique, complex passwords and enable MFA on all accounts.
• Bookmark financial websites and avoid clicking on search engine ads or unsolicited links.
• Treat unexpected calls, emails, or texts claiming to be from a bank with skepticism.

What To Do If You Experience an Account Takeover

Victims of ATO fraud are advised to act quickly:

1. Contact your financial institution immediately to request recalls or reversals, and report the incident to IC3.gov.
2. Reset all compromised credentials, including any accounts using the same passwords.
3. File a detailed complaint at IC3.gov with all relevant information, such as impersonated institutions, phishing links, emails, or phone numbers used.
4. Notify the impersonated company so it can warn others and request fraudulent sites be taken down.
5. Stay informed through updated alerts and advisories published on IC3.gov.

A look at why identity security is failing in the age of deepfakes and AI-driven attacks, and how biometrics, MFA, PAD, and high-assurance verification must evolve to deliver true, phishing-resistant authentication.

The post How AI Threats Have Broken Strong Authentication  appeared first on Security Boulevard.

Deepfake-powered fraud is exploding as attackers weaponize AI to impersonate executives and bypass trust. Learn why detection alone fails and how AI-driven verification restores security.

The post AI vs. AI: Why Deepfake Detection Alone Won’t Protect Your Enterprise appeared first on Security Boulevard.

As Black Friday sale scams continue to rise, shoppers across Europe and the US are being urged to stay vigilant this festive season. With promotions kicking off earlier than ever, some starting as early as October 30 in Romania, cybercriminals have had an extended window to target bargain hunters, exploiting their search for deals with fraudulent schemes. Black Friday 2025, this year, scammers have been impersonating top brands such as Amazon, MediaMarkt, TEMU, IKEA, Kaufland, Grohe, Oral-B, Binance, Louis Vuitton, Jack Daniel’s, Reese’s, and United Healthcare. Among them, Amazon remains the most frequently abused brand, appearing in phishing messages, fake coupon offers, and mobile scams promising massive discounts.

Amid these ongoing threats, many shoppers are also expressing frustration with deceptive pricing tactics seen during the Black Friday period. One Reddit user described the experience as increasingly misleading:

“I'm officially over the Black Friday hype. It used to feel like a sale, now it feels like a prank.

I was tracking a coffee machine at $129. When the ‘Black Friday early deal’ showed up, it became ‘$159 now $139 LIMITED TIME.’ I saw $129 two weeks ago. The kids’ tablet went from $79 to $89 with a Holiday Deal tag — paying extra for a yellow label.

I've been doing Black Friday hunting for 10+ years and it's only gotten worse. Fake doorbusters, fake urgency, fake ‘original’ prices. Feels like they're A/B testing how cooked our brains are as long as the button screams ‘53% OFF.’

Now I only buy when needed and let a Chrome extension track my Amazon orders. It clawed back $72 last month from so-called ‘preview pricing’ after prices dropped again.”

This sentiment reflects a growing concern: while scam campaigns imitate trusted brands, the pressure-driven marketing tactics surrounding Black Friday can also make consumers more vulnerable to fraud.

Moreover, a recent campaign even spoofed United Healthcare, offering a fake “Black Friday Smile Upgrade” with Oral-B dental kits, aiming to collect sensitive personal data. According to data from the City of London Police, shoppers lost around £11.8 million to online shopping fraud during last year’s festive season, from 1 November 2024 to 31 January 2025. Fraudsters often pressure victims with claims that deals are limited or products are scarce, forcing hurried decisions that can result in stolen funds or sensitive information.

A Month-Long Shopping Season Means More Risk

With strong discounts across electronics, toys, apparel, and home goods, consumers are drawn to higher-ticket items. This year, electronics saw discounts up to 30.1%, toys 28%, apparel 23.2%, and furniture 19%, while televisions, appliances, and sporting goods hit record lows in price, prompting significant e-commerce growth. Adobe reported that for every 1% decrease in price, demand increased by 1.029% compared to the previous year, driving an additional $2.25 billion in online spending, a part of the overall $241.4 billion spent online. The combination of high consumer demand and deep discounts makes the Black Friday shopping period especially attractive to cybercriminals, as the increased volume of online transactions offers more opportunities for scams.

How to Protect Yourself from Black Friday Sale Scams

Ahead of Black Friday on November 28, shoppers are being encouraged to follow advice from the Stop! Think Fraud campaign, run by the Home Office and the National Cyber Security Centre (NCSC). Key precautions include:

• Check the shop is legitimate: Always verify reviews on trusted websites before making a purchase.
• Secure your accounts: Enable two-step verification (2SV) for important accounts to add an extra layer of security.
• Pay securely: Use credit cards or verified payment services like PayPal, Apple Pay, or Google Pay. Avoid storing card details on websites and never pay by direct bank transfer.
• Beware of delivery scams: Avoid clicking links in unexpected messages or calls and confirm any delivery claims with the organization directly.

Individuals are also urged to report suspicious emails, texts, or fake websites to the NCSC, which collaborates with partners to investigate and remove malicious content. For businesses and security-conscious shoppers, leveraging tools like Cyble’s Cyber Threat Intelligence Platform can help monitor brand impersonation, detect scams, and protect sensitive data in real-time during Black Friday sale scams. With the rise of cyber threats during high-demand shopping periods, proactive intelligence is key to staying safe. Stay alert this Black Friday, your bargains are only valuable if your personal data stays safe. Learn more about how Cyble can protect you and your business here.

Four U.S. citizens and a Ukrainian national pleaded guilty to their roles in a North Korean IT worker scam that victimized more than 135 U.S. companies and netted more than $2.2 million for the DPRK regime and is military and weapons programs.

The post 4 U.S. Citizens, Ukrainian Plead Guilty in N. Korea IT Worker Scheme appeared first on Security Boulevard.

The Justice Department has announced major developments in its ongoing efforts to disrupt illicit financing operations linked to North Korea. Five defendants have pleaded guilty in a wide-ranging scheme involving identity fraud, remote IT employment, and large-scale virtual currency theft. The department has also initiated civil forfeiture actions totaling more than $15 million. These actions target financial networks supporting the DPRK government’s weapons program. The case highlights growing concerns surrounding virtual currency heists, identity theft, and the exploitation of U.S. companies through fraudulent remote employment schemes.

North Korean IT Employment Schemes Exposed

According to court documents, U.S. and Ukrainian facilitators helped North Korean IT workers obtain remote jobs with American companies. By providing stolen or falsified identities, hosting employer-issued laptops in the United States, and installing remote-access tools, the defendants created the false impression that the workers were operating domestically. Investigators say the scheme affected more than 136 U.S. companies, generated over $2.2 million in revenue for the DPRK regime, and compromised the identities of at least 18 American citizens. These tactics align with methods highlighted in federal advisories regarding identity misuse, proxy networks, and false documentation used by foreign threat actors—including those involved in virtual currency theft and broader revenue-generation operations.

$15 Million in Virtual Currency Seized

In a parallel action, two civil forfeiture complaints detail how the North Korean hacking group APT38 targeted four overseas virtual currency platforms in 2023. These virtual currency heists resulted in hundreds of millions of dollars being stolen from payment processors and exchanges in Estonia, Panama, and Seychelles. While DPRK-linked actors attempted to launder the stolen funds through mixers, bridges, and over-the-counter traders, U.S. authorities successfully froze and seized more than $15 million worth of USDT stablecoins. Federal officials intend to forfeit the assets so they can eventually be returned to victims.

Virtual Currency Theft: Three Guilty Pleas in Georgia

In the Southern District of Georgia, U.S. nationals Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis pleaded guilty to wire fraud conspiracy. From 2019 to 2022, the trio knowingly supplied their personal identities to overseas IT workers and assisted them in bypassing employer screening procedures. Travis, who served in the U.S. Army during the scheme, received over $51,000 for his involvement. Prosecutors emphasized that the fraudulent operation resulted in more than $1.28 million in salaries being paid out by victim companies, with most of the funds transferred to workers operating outside the United States.

Ukrainian Identity Broker Admits Role

On Nov. 10, Ukrainian national Oleksandr Didenko pleaded guilty in the District of Columbia to wire fraud conspiracy and aggravated identity theft. Didenko sold stolen identities to foreign IT workers— including those linked to North Korea—helping them secure jobs at more than 40 U.S. companies. He agreed to forfeit more than $1.4 million in fiat and digital currency.

Florida Defendant Pleads Guilty in Related Case

In the Southern District of Florida, U.S. citizen Erick Ntekereze Prince admitted to wire fraud conspiracy connected to fraudulent staffing operations. Prince supplied U.S. companies with remote IT workers who were, in fact, based overseas and using stolen identities. His participation earned him more than $89,000. Two co-defendants remain pending trial or extradition. Senior DOJ and FBI officials said the coordinated actions reflect a comprehensive federal strategy to counter North Korea’s illicit revenue-generation networks. They warned that DPRK-linked cyber operations—including identity fraud and virtual currency theft, remain a persistent threat to national and economic security. Authorities urged U.S. companies to strengthen vetting processes for remote workers and remain alert to identity anomalies, unauthorized access tools, and other indicators of foreign fraud.

AI agents are reshaping online retail. Discover why bot management is essential infrastructure to control agentic commerce and drive growth.

The post From Bots to Buyers: With Agentic AI, Bot Management Becomes Core Infrastructure appeared first on Security Boulevard.

Phishing attacks are becoming increasingly targeted as scammers refine their tactics to exploit social and economic issues. Instead of mass emailing identical messages, cybercriminals now create tailored campaigns that appear legitimate to specific audiences. The National Cyber Security Centre (NCSC) has warned that these phishing attacks are becoming more advanced, often imitating trusted institutions such as government agencies, banks, or health insurers. By leveraging familiar branding and credible topics like cryptocurrency or tax rule changes, scammers are deceiving individuals into sharing personal information.

Phishing Emails Impersonate Canton of Zurich

In one of the latest reported incidents, recipients received emails that appeared to originate from the Canton of Zurich, urging them to update information to comply with new cryptocurrency tax regulations. The email carried the official logo and layout, included a short compliance deadline, and threatened fines or legal action if ignored. [caption id="attachment_106720" align="aligncenter" width="1000"] Source: NCSC[/caption] Victims were directed to a fake website that closely mirrored the legitimate Canton of Zurich portal. After providing personal details such as their address, IBAN, date of birth, and telephone number, users were shown a confirmation page and then redirected to the real website — reinforcing the illusion of authenticity. [caption id="attachment_106721" align="aligncenter" width="1000"] Source: NCSC[/caption]   [caption id="attachment_106722" align="aligncenter" width="1000"] Source: NCSC[/caption]   Although the stolen data might not seem highly sensitive, authorities warn that it can be misused in follow-up scams. For instance, fraudsters may later call victims pretending to be bank representatives, using the collected personal details to sound credible and gain further access.

Emails Targeting Senior Citizens

A second phishing attack reported by the NCSC impersonated the Federal Tax Administration and focused on senior citizens. These emails referenced pension fund benefits, promising payouts and asking recipients to update their information. The messages used personalized greetings and professional formatting to build trust. While it is unclear if the emails were sent exclusively to older individuals, the targeted tone suggests an attempt to exploit a more vulnerable demographic. [caption id="attachment_106719" align="aligncenter" width="358"] Source: NCSC[/caption] Such campaigns highlight the shift from random spam emails to targeted phishing, where scammers invest more effort in psychological manipulation and social engineering.

Recommendations from the NCSC

Authorities are advising citizens to remain alert and follow these steps to reduce the risk of falling victim to phishing attacks:

• Be cautious of any email requesting personal or financial details.
• Never click on links or fill out forms from unsolicited messages.
• Verify the sender’s address and look for missing salutations or unofficial URLs.
• When uncertain, contact the official organization directly for clarification.
• Report suspicious links to antiphishing.ch.
• If financial information has been disclosed, contact your bank or card issuer immediately.
• In case of monetary loss, report the incident to the police via the Suisse ePolice platform.

Proactive Measures Against Phishing Attacks

The evolution of phishing attacks in Switzerland demonstrates how cybercriminals continuously adapt their methods to exploit trust and uncertainty. While public awareness campaigns remain vital, organizations must also invest in threat intelligence solutions that detect fraudulent domains, fake websites, and malicious email infrastructure before they reach potential victims. Platforms like Cyble provide proactive visibility into phishing campaigns and threat actor activity across the dark web and surface web, enabling businesses to take timely action and protect their customers and employees. Learn more about how intelligence-led defense can safeguard your organization from phishing and social engineering threats: Request a demo from Cyble

Discover DataDome’s Q3 2025 product & platform updates, including AI-driven fraud defense, adaptive protection, and new tools to control, monetize, and secure evolving AI traffic.

The post AI, Adaptability, & Ease: What’s New in DataDome’s Q3 2025 Platform Updates appeared first on Security Boulevard.

Over the past few decades, it’s become easier and easier to create fake receipts. Decades ago, it required special paper and printers—I remember a company in the UK advertising its services to people trying to cover up their affairs. Then, receipts became computerized, and faking them required some artistic skills to make the page look realistic.

Now, AI can do it all:

Several receipts shown to the FT by expense management platforms demonstrated the realistic nature of the images, which included wrinkles in paper, detailed itemization that matched real-life menus, and signatures.

[…]

The rise in these more realistic copies has led companies to turn to AI to help detect fake receipts, as most are too convincing to be found by human reviewers.

The software works by scanning receipts to check the metadata of the image to discover whether an AI platform created it. However, this can be easily removed by users taking a photo or a screenshot of the picture.

To combat this, it also considers other contextual information by examining details such as repetition in server names and times and broader information about the employee’s trip.

Yet another AI-powered security arms race.

Dohop cut bot traffic by 70% with DataDome, blocking millions of scrapers and protecting 75+ airline partners from API overload and downtime.

The post Dohop Uses DataDome to Block Millions of Scrapers & Protect 75+ Airline Partners appeared first on Security Boulevard.

We are in the middle of an AI gold rush. The technology is advancing, democratizing access to everything from automated content creation to algorithmic decision-making. For businesses, this means opportunity. For fraudsters, it means carte blanche. Deepfakes, synthetic identities and automated scams are no longer fringe tactics. According to Deloitte, GenAI could drive fraud losses..

The post The Wild West of AI-Driven Fraud appeared first on Security Boulevard.

Agentic commerce is here. See how AI-driven checkout reshapes fraud, attribution, and upsell motions, and how DataDome secures MCP, APIs, and helps you monetize trusted AI traffic.

The post Agentic Commerce Is Here. Is Your Business Ready to Accept AI-Driven Transactions? appeared first on Security Boulevard.

Caller ID spoofing causes nearly $1 billion (EUR 850 million) in financial losses from fraud and scams each year, according to a new Europol position paper that calls for technical and regulatory solutions to fight the problem. Phone calls and texts are the primary attack vectors, accounting for about 64% of reported cases, Europol said in the report. Caller ID spoofing is accomplished by manipulating the information displayed on a user’s caller ID, typically using Voice over Internet Protocol (VoIP) services or specialized apps to show a fake name or number “that appears legitimate and trustworthy,” Europol said. “The ability of malicious actors to conceal their true identity and origin, severely impedes the capacity of law enforcement agencies (LEAs) to trace and prosecute cybercriminals,” Europol said.

Caller ID Spoofing Attack Types

Europol outlined some of the caller ID spoofing attack types seen by EU law enforcement agencies. Criminals often spoof caller IDs to impersonate organizations like banks, government agencies, utility companies, or even family members, in scam calls to get recipients to reveal sensitive information, make fraudulent payments, or initiating money transfers under false pretenses. Tech support scammers impersonate legitimate tech support services to convince victims of non-existent computer issues in order to demand payment, install malware or obtain remote access for exploitation. Caller ID spoofing can also be used in swatting attacks to make it appear that an emergency call originated from a victim’s address. Organized crime networks have even set up “spoofing-as-a-service” platforms to automate caller ID spoofing, “with the aim of lowering the barrier for others to be able to commit crimes,” Europol said. “By offering such services, criminals can easily impersonate banks, LEAs or other trusted entities.”

Europol Calls for Regulatory and Technical Response

Europol surveyed law enforcement agencies across 23 countries and found significant barriers to implementing anti-caller-ID spoofing measures. “This means that the combined population of approximately 400 million people remain susceptible to these types of attacks,” the report said. The law enforcement agency said there is an “urgent need for a coordinated, multi-faceted approach to mitigate cross-border caller ID spoofing.” “The transnational nature of spoofing attacks demands seamless information sharing and coordinated action among Internet Service Providers (ISPs), telecommunications providers, law enforcement and regulatory bodies,” the agency said. Among the technical controls that are needed are “robust international traceback mechanisms” that include a neutral, cross-jurisdictional system for hop-by-hop tracing, standardized processes for information sharing, and APIs and signaling checks. Also needed are mechanisms for validating inbound international calls, and vendor-neutral tools with standardized interfaces for Do Not Call (DNC)/ Do Not Originate (DNO) lists, unallocated number lists, blacklisting, and malformed number detection. “Through multi-stakeholder collaboration, to address emerging threats and develop effective countermeasures, digital security can be significantly enhanced,” Europol said. “This will ensure citizens are better protected from the adverse effects of caller ID spoofing.” The report also acknowledged the importance of being prepared for other mobile threats such as SIM-based scams, anti-regulatory subleasing, the use of anonymous prepaid services in cybercrime, callback scams and smishing attacks.

Good Wall Street Journal article on criminal gangs that scam people out of their credit card information:

Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid traffic violations.

The texts are ploys to get unsuspecting victims to fork over their credit-card details. The gangs behind the scams take advantage of this information to buy iPhones, gift cards, clothing and cosmetics.

Criminal organizations operating out of China, which investigators blame for the toll and postage messages, have used them to make more than $1 billion over the last three years, according to the Department of Homeland Security.

[…]

Making the fraud possible: an ingenious trick allowing criminals to install stolen card numbers in Google and Apple Wallets in Asia, then share the cards with the people in the U.S. making purchases half a world away.

Researchers have discovered a large ad fraud campaign on Google Play Store.

The Satori Threat Intelligence and Research team found 224 malicious apps which were downloaded over 38 million times and generated up to 2.3 billion ad requests per day. They named the campaign “SlopAds.”

Ad fraud is a type of fraud that lets advertisers pay for ads even though the number of impressions (the times that the ad has been seen) is enormously exaggerated.

While the main victims of ad fraud are the advertisers, there are consequences for the users that had these apps installed as well, such as slowed-down devices and connections due to the apps executing their malicious activity in the background without the user even being aware.

At first, to stay under the radar of Google’s app review process and security software, the downloaded app will behave as advertised, if a user has installed it directly from the Play Store.

But if the installation has been initiated by one of the campaign’s ads, the user will receive some extra files in the form of a steganographically encrypted payload.

If the app passes the first check it will receive four .png images that, when decrypted and reassembled, are actually an .apk file. The malicious file uses WebView (essentially a very basic browser) to send collected device and browser information to a Control & Command (C2) server which determines, based on that information, what domains to visit in further hidden WebViews.

The researchers found evidence of an AI (Artificial Intelligence) tool training on the same domain as the C2 server (ad2[.]cc). It is unclear whether this tool actively managed the ad fraud campaign.

Based on similarities in the C2 domain, the researchers found over 300 related domains promoting SlopAds-associated apps, suggesting that the collection of 224 SlopAds-associated apps was only the beginning.

Google removed all of the identified apps listed in this report from Google Play. Users are automatically protected by Google Play Protect, which warns users and blocks apps known to exhibit SlopAds associated behavior at install time on certified Android devices, even when apps come from sources outside of the Play Store.

You can find a complete list of the removed apps here: SlopAds app list

How to avoid installing malicious apps

While the official Google Play Store is the safest place to get your apps from, there is no guarantee that it will remain a non-malicious app just because it is in the Google Play Store. So here are a few extra measures you can take:

• Always check what permissions an app is requesting, and don’t just trust an app because it’s in the official Play Store. Ask questions such as: Do the permissions make sense for what the app is supposed to do? Why did necessary permissions change after an update? Do these changes make sense?
• Occasionally go over your installed apps and remove any you no longer need.
• Make sure you have the latest available updates for your device, and all your important apps (banking, security, etc.)
• Protect your Android with security software. Your phone needs it just as much as your computer.

Another precaution you can take if you’re looking for an app, do your research about the app before you go to the app store. As you can see from the screenshot above, many of the apps are made to look exactly the same as very popular legitimate ones (e.g. ChatGPT).

So, it’s important to know in advance who the official developer is of the app you want and if it’s even available from the app store.

As researcher Jim Nielsen demonstrated for the Mac App Store, there are a lot of apps trying to look like ChatGPT, but they are not the real thing. ChatGPT is not even in the Mac App Store, it is available in the Google Play Store for Android, but make sure to check that OpenAI is listed as the developer.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

A 20-year-old Florida man at the center of a prolific cybercrime group known as “Scattered Spider” was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.

Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.

Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet News4Jax.com reports the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.

In November 2024 Urban was charged by federal prosecutors in Los Angeles as one of five members of Scattered Spider (a.k.a. “Oktapus,” “Scatter Swine” and “UNC3944”), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.

The targeted SMS scams spanned several months during the summer of 2022, asking employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.

That phishing spree netted Urban and others access to more than 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.

For many years, Urban’s online hacker aliases “King Bob” and “Sosa” were fixtures of the Com, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or “grails” he later sold or gave away on forums.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” Cyberscoop’s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.

The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

Reached via one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.

“The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,” Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. “He should have been removed as a judge much earlier on. But staying in county jail is torture.”

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. It involved an intrusion into a magistrate judge’s email account, where a copy of Urban’s sealed indictment was stolen. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case.

“What it ultimately turned into a was a big faux pas,” Judge Harvey E. Schlesinger said. “The Court’s password…business is handled by an outside contractor. And somebody called the outside contractor representing Judge Toomey saying, ‘I need a password change.’ And they gave out the password change. That’s how whoever was making the phone call got into the court.”

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy Bernie Lyon wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group utilizing Android phones to conduct Apple Pay transactions utilizing stolen or compromised credit/debit card information,” [emphasis added].

Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as part of a deep dive into the operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “Z-NFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.

“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, the ABC affiliate in Sacramento (ABC10), Calif. aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.

Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A CBS News story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.

Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.