Latest news with #PandaShop


Forbes
3 days ago
- General
- Forbes
If You Get This Message On Your Phone It's An Attack
Delete these texts immediately.

Republished on May 28 with new warnings from Google and others as these attacks continue to surge across America. And still they come. Despite multiple warnings from the FBI and police forces across the United States, iPhone and Android owners are still falling victim to attacks daily — with their money, their data, even their identities being stolen. While Trump and Xi continue their game of tariff chicken, China's organized crime groups such as Smishing Triad and Panda Shop have quietly industrialized text message attacks, which have now reached almost every city and state in the U.S. It started with undelivered packages, but it's unpaid tolls that have really hit the big time. It's hard to imagine any American phone users can't have seen at least some of the FBI, police and DMV warnings that have been making weekly headlines for months. But users are still falling victim — the scam still works and it still works at scale. 'I got this message earlier today,' one Redditor posted. 'I have never received any text messages from DMV before nor do I owe any outstanding tickets. This is super fishy. Have anyone received anything like this before?' The latest warnings in recent days come from New York, Florida, California and the FCC, which told drivers 'toll operators typically don't use text messages to collect on overdue accounts, and do not use threatening language to rush customers into action.' That's an understatement. If you get an unpaid toll text, you should assume it's an attack. Every time. If you have concerns you may owe a toll, contact the operator using its usual, publicly available channels. Then do as the FBI says and delete the text. And you should get used to these attacks. They're not stopping. The next wave is expected to move from tolls to banking, with texts pretending to be from financial institutions instead of toll operators or delivery services.
Resecurity warns 'the actors behind smishing campaigns are tightly connected with those involved in merchant fraud and money laundering activity. Smishing is one of the main catalysts behind carding activities, providing cybercriminals with substantial volumes of compromised data collected from victims.' Resecurity warns just one threat actor can send 'up to 2,000,000 smishing messages daily,' which means targeting 'up to 60,000,000 victims per month, or 720,000,000 per year, enough to target every person in the U.S. at least twice every year.' The hope now is that these warnings are being amplified loudly enough for all U.S. citizens to be alert to unpaid toll texts. The Michigan Department of Transportation has even taken to warning of toll scams using the electronic traffic signs along its highways. And it's not ambiguous: 'Be aware,' it warns, 'toll texts are scams.' Louisiana's Office of Motor Vehicles has just warned its drivers in equally blunt terms: 'The @LouisianaOMV does not send text messages or emails threatening to suspend your vehicle registration or driving privileges. If you receive such a message: Do NOT click links; Do NOT respond; Delete the message; Report the scam.' In a new advisory, Google warns this is 'a global threat, we've observed that attackers will "follow the sun", first sending scam messages mimicking toll roads in Europe, then in the East Coast of the U.S., then in the West Coast, and onwards over the course of a day. These messages aren't always the most realistic — our teams have seen cases where users are spammed with toll road fees in states that don't operate toll roads.' While there are telltale signs — such as Chinese top level domains such as .TOP or .XIN in links or the subtle use of a 'com-' to mimic a real .COM domain, staying safe is simpler. Assume any undelivered package, unpaid toll, compromised password, suspended account or similar is a scam. Never reply. Never engage. Always delete.


Forbes
5 days ago
- Business
- Forbes
If You Get This Message On Your Phone It's Always An Attack
Delete these texts immediately.

And still they come. Despite multiple warnings from the FBI and police forces across the United States, iPhone and Android owners are still falling victim to attacks daily — with their money, their data, even their identities being stolen. While Trump and Xi continue their game of tariff chicken, China's organized crime groups such as Smishing Triad and Panda Shop have quietly industrialized text message attacks, which have now reached almost every city and state in the U.S. It started with undelivered packages, but it's unpaid tolls that have really hit the big time. It's hard to imagine any American phone users can't have seen at least some of the FBI, police and DMV warnings that have been making weekly headlines for months. But users are still falling victim — the scam still works and it still works at scale. The latest warnings in recent days come from New York, Florida, California and the FCC, which told drivers 'toll operators typically don't use text messages to collect on overdue accounts, and do not use threatening language to rush customers into action.' That's an understatement. If you get an unpaid toll text, you should assume it's an attack. Every time. If you have concerns you may owe a toll, contact the operator using its usual, publicly available channels. Then do as the FBI says and delete the text. And you should get used to these attacks. They're not stopping. The next wave is expected to move from tolls to banking, with texts pretending to be from financial institutions instead of toll operators or delivery services. And it won't be SMS — it's more likely to be RCS and iMessage, with better media and copy, as AI makes messages more realistic and attacks harder to detect. These Chinese OCGs see themselves as untouchable, beyond the reach of U.S. law enforcement.
Resecurity warns just one threat actor can send 'up to 2,000,000 smishing messages daily,' which means targeting 'up to 60,000,000 victims per month, or 720,000,000 per year, enough to target every person in the U.S. at least twice every year.' While there are telltale signs — such as Chinese top level domains such as .TOP or .XIN in links or the subtle use of a 'com-' to mimic a real .COM domain, staying safe is simpler. Assume any undelivered package, unpaid toll, compromised password, suspended account or similar is a scam. Never reply. Never engage. Always delete.


Forbes
12-05-2025
- Forbes
‘No Fear Of FBI'—iPhone, Android Users Brace For ‘Massive' Chinese Attack
The FBI has warned iPhone and Android users to stop sending texts as Chinese hackers maraud through U.S. networks, and to delete all the fraudulent texts on their phones as Chinese cyber criminals bombard users from state to state. Now there's a new warning, as a new threat campaign 'on a massive scale' targets smartphone users. These Chinese gangs have 'compromised Apple and Gmail accounts in bulk to facilitate distribution,' and attack iMessage and RCS rather than SMS, given 'the richer set of tools for creating convincing attacks, better engagement features, and more sophisticated methods of deception.' The warning comes courtesy of Resecurity, which exposed China's Smishing Triad and is now warning smartphone users in America, Europe and elsewhere that there's a new Chinese gang in town, and this time it's not fake unpaid tolls and undelivered packages, it's your Google Wallet and Apple Pay at risk, with attacks that 'harvest traditional credit card and PII data, and intercept transactions.' Resecurity is now exposing this 'new smishing kit known as "Panda Shop," based on the same principles used by the Smishing Triad.' The giant panda, the team says, 'is a prominent and iconic symbol of China. It's recognized domestically and internationally as a symbol of the country, representing peace, friendship, and soft power. But in this case, it doesn't seem to bring anything good besides financial losses to consumers.' These criminals 'feel untouchable' and have 'no fear of FBI.' According to Resecurity, they favor Telegram over Chinese messaging apps and in their comms brazenly boast 'that they do not care about U.S. law enforcement agencies — residing in China, they enjoy complete freedom of action and engage in many illegal activities.' This is yet more evidence as to the scale of industrialized text attacks — whether SMS, iMessage or Google Messages. 'According to the latest chatter, one identified threat actor can send up to 2,000,000 smishing messages daily.'
Put simply, this means a gang 'could easily target up to 60,000,000 victims per month, or 720,000,000 per year, enough to target every person in the US at least twice every year.' Resecurity thinks these are rebadged Smishing Triad members, 'who transitioned their operations under the new brand after being publicly shamed.' The attack kit mimics what has been seen before, with 'improvements and new supported templates.' According to Zimperium's Kern Smith, the latest attacks 'are a stark reminder that mobile devices and apps are uniquely vulnerable [and] show the continued investment by cybercriminals in targeting mobile users.' As with the road toll and parcel delivery based attacks, the phishing/smishing kits are sold to multiple gangs who then execute the attacks. The central gang provides multiple templates to target by region or brand — a bank or telco or retailer, for example. If you're hit, then your 'intercepted credit card data goes to underground carding shops and is sold to other cybercriminals.' As with the other attacks, it's not the modest value of the fraudulent transaction that matters, it's the card details, your login credentials and even your identity that is being targeted. Resecurity warns 'the scale of global smishing activity generated by Chinese cybercriminals is impressive,' with damages 'estimated at tens to hundreds of millions of dollars.' Stopping the threat is almost impossible, given that cybercriminals residing in China are not easily accessible by U.S. law enforcement. The geopolitical situation between China and the U.S. complicates timely legal action to contain this illegal activity, opening the doors for cybercrime and fraud at scale." The advice for users has not changed. Assume all unsolicited texts are scams. Never click links and always use normal channels to log into accounts or make contact. Delete all such texts from your phone. And if you think you've been hit, check your accounts and change your passwords right away.


Forbes
06-05-2025
- Forbes
Warning — 19 Billion Compromised Passwords Have Been Published Online
19 billion exposed passwords analyzed and it's not good news.

Update, May 6, 2025: This story, originally published May 3, has been updated with details of the SMS phishing threat posed by the Chinese Panda Shop cybercrime group, and an open letter to the cybersecurity industry asking why the phishing threat behind the stolen passwords epidemic has yet to be fixed. In just the last few months, I have reported on confirmed lists of stolen passwords being made available on the dark web and in criminal forums that have risen from 800 million to 1.7 billion and even as high as 2.1 billion, mainly thanks to the rise and rise of infostealer malware attacks. But a new report has just blown even those shockingly large statistics out of the water with an analysis of 19 billion such passwords that are available online right now to any hackers who want to seek them out. The takeaway being that you need to take action now to prevent becoming a victim of the automatic password hacking machine epidemic. Imagine having access to 19,030,305,929 passwords that were compromised by leaks and breaches over the course of 12 months from April 2024 and involving 200 security incidents. Imagine that only sources where email addresses were available for consumption alongside the stolen password were included in this massive database. Oh, and forget about including any of those word-list compilations, such as RockYou, that regularly do the rounds but are about as useful to a criminal hacker as a chocolate router. Finally, get to grips with the fact that this dataset only includes passwords that have become publicly available in criminal forums online. Once you digest all of this, you can appreciate how huge, in all senses of the word, this really is, especially to any hacker with criminal intent. The analysis, published May 2 by the Cybernews research team, makes for truly eye-opening reading.
It's so wide-ranging and security-scary in equal measure that it's hard to know where to start, so the beginning seems as good a place as any: password laziness and reuse. Of the 19,030,305,929 passwords that ended up exposed online, only 6% of them, or 1,143,815,266 if you like to be precise, were unique. Switch that around to 94% of them being reused across accounts and services, whether by the same or different people is moot, and you can see why the average cybercriminal gets very excited about the hacking potential such lists provide. Now throw in that 42% of the passwords were short, way too short, being only 8-10 characters in length. That now opens up the hacking potential to brute force attacks as well as credential stuffing. Ah, yes, and it just keeps getting worse; 27% consisted of only lowercase letters and digits, no special characters or mixed case. Sigh. According to Neringa Macijauskaitė, an information security researcher at Cybernews, 'the default password problem remains one of the most persistent and dangerous patterns in leaked credential datasets.' The analysis revealed that there were 53 million uses of admin and 56 million of password, for example. Changing these is one quick way to help mitigate against hackers, as Macijauskaitė said, 'attackers, too, prioritize them, making these passwords among the least secure.' Not reusing your passwords, ever, not at all, is another prime mitigation recommendation. 'If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect,' Macijauskaitė warned. Meaning that even without any existing system compromise, attackers are able to exploit common password patterns in their hacking exploits.
'Attackers constantly harvest the latest credential dumps from exposed info-stealers and recently cracked hashes available publicly,' Macijauskaitė concluded. 'These fresh datasets enable waves of highly effective credential-stuffing attacks, often bypassing traditional security defenses.'

An Open Letter To The Cybersecurity Industry — Stopping The Stolen Passwords Problem

Paul Walsh, CEO of MetaCert and co-founder of the W3C Mobile Web Initiative in 2004, knows a thing or two about the problem of malicious messaging and has been involved in the creation of internet standards to protect against it. In conversation, Walsh told me that the latest national SMS phishing test carried out in March by MetaCert and including carriers such as AT&T, Verizon, T-Mobile and Boost Mobile, was as disappointing as it was expected. 'Every phishing message was still delivered,' Walsh told me, 'none were blocked, flagged, or rewritten.' This is, to say the least, given that the vast majority of phishing platforms are now developed to target mobile devices, overtaking email in this regard in 2024 according to Proofpoint. When you consider that phishing attacks, on whatever platform, are the starting point for most cyber attacks, it's no great leap to realize that the compromised passwords problem could be drastically reduced, if not stopped dead, by addressing the social engineering issue. Walsh has now written an open letter to the cybersecurity industry asking why the SMS phishing problem hasn't been solved ages ago? 'The cybersecurity industry has no shortage of experts in email security, endpoint protection, or network defense,' Walsh said, 'but when it comes to SMS infrastructure and security, there is a distinct lack of deep expertise.'
His letter, therefore, is a call to action by security vendors who have 'built multi-billion-dollar businesses on stopping phishing in email and corporate networks,' Walsh said, 'yet the most trusted communication channel on the planet — SMS — remains an open, unprotected target.' Walsh demands that the same effort that has been made to address email security must now be made for the SMS vector because, he concluded, 'criminals have already moved in full force, and the industry is failing to respond.' Unless this happens, and happens with the full might of the cybersecurity industry behind it, I fear that I will be reporting about the compromise of user passwords for some time to come yet.

From Passwords To Pandas

A new report by the security researcher team at Resecurity has confirmed just how dangerous the SMS phishing threat is. Having already established that the 'Smishing Triad' criminal gang has been operating since at least 2023, the Resecurity researchers have been keeping a close eye on the group of Chinese cybercriminals with very global ambitions. Using the by now de rigueur crime-as-a-service model, the Smishing Triad comprises multiple associates and leverages that scale to target victims all over the world. Resecurity has reported how, according to the latest threat intelligence it has received, a single Chinese threat actor can distribute as many as 2 million phishing SMS text messages in a single day. The Smishing Triad, Resecurity said, 'could easily target up to 60,000,000 victims per month, or 720,000,000 per year,' or, to put it another way, every person in the U.S. — twice each year. The concern of Paul Walsh is brought sharply into focus when you realize that Smishing Triad also uses network operator SMS gateways, alongside Google RCS and Apple's iMessage, to distribute their phishing attacks. So, where does this story turn from passwords to pandas?
In March, Resecurity identified yet another smishing kit that appeared to be using the same principles as the Smishing Triad service, and went by the name of Panda Shop. The Panda Shop kit has 'multiple Telegram channels and interactive bots to automate service delivery,' the Resecurity report said, providing distribution services primarily by way of Apple's iMessage and Android's RCS platforms. Furthermore, it would appear that the threat actors are purchasing, and purchasing in significant numbers, compromised Gmail accounts, as well as compromised Apple accounts, to help with the distribution efforts. 'Like the Smishing Triad,' the Resecurity report confirmed, 'Panda Shop offers a customized smishing kit that can be deployed on any server.' The research team investigation concluded that it is highly likely that the Panda Shop group itself consists of some former Smishing Triad members who 'transitioned their operations under the new brand after being publicly shamed.' This theory is reinforced by the fact that the Panda Shop phishing kit structure, along with various scripting scenarios that have been analyzed by Resecurity, 'mimic the same product but include specific improvements and new supported templates.' The scale of the smishing activity from Chinese threat actors, including Smishing Triad and now Panda Shop, is, Resecurity warned, impressive. 'The spectrum of the crimes conducted due to smishing ranges from traditional carding and NFC-enabled fraud to money laundering chains, enabling fraudsters to process stolen funds,' Resecurity researchers said. There's more than just your passwords at stake from smishing or any phishing attacks; there's all the data that sits beyond it and the implications that the compromise of that and access to other services can have.
'Based on Resecurity's engagements with financial institutions globally,' the report concluded, 'this activity generates millions in losses annually.'