Phishing Campaigns Shift to iMessage and RCS, Evading SMS Defenses

A new generation of phishing attacks is exploiting iMessage and Rich Communication Services (RCS) to bypass traditional SMS security controls, marking a dangerous evolution in mobile-based cybercrime. These campaigns, tracked by Google Threat Intelligence Group (GTIG), show how phishing via iMessage and RCS is enabling attackers to evade carrier-level filtering and execute real-time financial fraud.

Unlike traditional smishing campaigns that rely on SMS, threat actors are leveraging encrypted messaging channels to deliver convincing, high-quality phishing lures directly into users’ primary communication apps.

The result: more effective attacks, faster credential theft, and increasingly sophisticated account takeovers.

Key Details

According to GTIG research, cybercriminals—particularly those operating within Chinese-language phishing-as-a-service (PhaaS) ecosystems—are rapidly adopting RCS and iMessage as their primary delivery channels.

The shift is strategic.

Traditional SMS phishing messages are increasingly blocked by telecom providers using URL scanning and pattern-based filtering mechanisms. In contrast:

  • RCS and iMessage use end-to-end encryption, limiting visibility for network-level security tools
  • Messages appear more legitimate due to enhanced UI features
  • Delivery success rates are significantly higher

Researchers analyzed over a dozen active PhaaS platforms and found them to be highly organized operations offering:

  • Ready-to-use phishing kits
  • Real-time credential harvesting dashboards
  • Global targeting capabilities across more than 100 countries

One platform, YY Lai Yu, has been active since August 2024 and provides over 400 phishing templates, highlighting the scale and maturity of this underground ecosystem.

Technical Analysis

The effectiveness of these campaigns lies in a combination of delivery evasion and real-time exploitation tactics.

Delivery Layer Evasion

By using RCS and iMessage, attackers bypass traditional SMS gateways, avoiding:

  • Carrier-level inspection tools
  • Spam detection algorithms
  • URL blacklisting at telecom infrastructure

These platforms also enable:

  • Read receipts and typing indicators (boosting user trust)
  • Rich media content (logos, branding, fake alerts)
  • Conversation-style phishing (interactive social engineering)

Real-Time Credential Harvesting

Once a victim clicks a phishing link:

  1. They are directed to a spoofed login page
  2. Credentials are entered and instantly transmitted to an attacker dashboard
  3. The attacker triggers a legitimate one-time password (OTP) request
  4. The victim inputs the OTP, believing it’s part of verification
  5. The attacker captures the OTP and completes authentication

This technique aligns with MITRE ATT&CK T1566 (Phishing) and T1111 (Multi-Factor Authentication Interception).

Financial Exploitation via Tokenization

What makes this wave particularly dangerous is post-compromise exploitation.

Attackers don’t stop at credentials. Instead, they:

  • Provision stolen cards into digital wallets (Apple Pay, Google Pay)
  • Use tokenization to create valid payment tokens
  • Perform contactless transactions or ATM withdrawals

This eliminates the need for physical cards, enabling fully remote financial theft.

Impact and Risks

For Individuals

  • Unauthorized financial transactions
  • Compromise of banking and payment apps
  • Loss of funds via contactless payments and ATM withdrawals

For Financial Institutions

  • Increased fraud losses from tokenized payments
  • Challenges detecting legitimate vs. malicious device provisioning
  • Pressure to strengthen authentication workflows

For Enterprises

  • Increased risk of employee-targeted mobile phishing
  • Potential compromise of corporate credentials
  • Expansion of attack surface into personal devices

The combination of encrypted delivery channels and real-time attack execution significantly raises the success rate of these campaigns.

Expert Recommendations

Strengthen Authentication

  • Deploy FIDO2/WebAuthn to eliminate reliance on OTPs
  • Avoid SMS-based MFA for high-risk transactions

Enhance Fraud Detection

  • Implement device fingerprinting during digital wallet provisioning
  • Use risk-based authentication for unusual login patterns

Improve User Awareness

  • Educate users about phishing messages in iMessage and RCS
  • Emphasize that encryption does not guarantee legitimacy

Strengthen Monitoring

  • Integrate phishing detection into mobile security frameworks
  • Monitor for abnormal transaction patterns in real time

Adopt Zero Trust Principles

  • Verify every transaction and authentication request
  • Limit trust based on device, behavior, and context
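As an added illustration of the fraud-detection and monitoring recommendations above (example code written for this page, not from GTIG or the article), the scorer below runs over constructed account events and flags the login, OTP verification and digital-wallet provisioning chain that the real-time OTP relay produces on the institution's side. The event schema, the device-fingerprint store, the weights and the time window are all assumptions.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_s, account, event_type, device_id).
SAMPLE_EVENTS = [
    # Legitimate: known device, wallet added two days after an OTP login.
    (1_000, "alice", "login", "dev-A1"),
    (1_010, "alice", "otp_verified", "dev-A1"),
    (173_800, "alice", "wallet_provision", "dev-A1"),
    # Relay pattern: never-seen device logs in, the OTP is accepted 90 s later
    # (the victim typed it into the phishing page), wallet added 6 min in.
    (5_000, "bob", "login", "dev-X9"),
    (5_090, "bob", "otp_verified", "dev-X9"),
    (5_360, "bob", "wallet_provision", "dev-X9"),
]

# Devices each account used before this batch (assumed fingerprint store).
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B2"}}

WINDOW_S = 15 * 60  # login -> provisioning inside 15 min counts as rapid
WEIGHTS = {"never_seen_device": 2, "rapid_after_login": 1, "otp_just_before": 1}
ALERT_THRESHOLD = 3  # an unknown device alone, or speed alone, is not enough


def score_provisioning(events, known_devices, window_s=WINDOW_S):
    """Return {account: (score, [reasons])} for each wallet_provision event
    whose weighted risk reaches ALERT_THRESHOLD. Events may arrive unsorted."""
    by_account = defaultdict(list)
    for ev in sorted(events):  # tuples sort by timestamp first
        by_account[ev[1]].append(ev)
    alerts = {}
    for account, evs in by_account.items():
        seen = known_devices.get(account, set())
        for ts, _, kind, dev in evs:
            if kind != "wallet_provision":
                continue
            # Earlier event types on the same device inside the look-back window.
            recent = {e[2] for e in evs if e[3] == dev and 0 <= ts - e[0] <= window_s}
            reasons = []
            if dev not in seen:
                reasons.append("never_seen_device")
            if "login" in recent:
                reasons.append("rapid_after_login")
            if "otp_verified" in recent:
                reasons.append("otp_just_before")
            score = sum(WEIGHTS[r] for r in reasons)
            if score >= ALERT_THRESHOLD:
                alerts[account] = (score, reasons)
    return alerts
```

Only "bob" crosses the threshold here; a customer adding a card quickly from a device the bank already knows scores 2 and is left alone, which is the point of weighting the device signal above the timing signals.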

Industry Context

The rise of phishing via encrypted messaging platforms reflects a broader trend in cybercrime: attackers are adapting faster than traditional defenses.

Similar patterns are emerging in:

  • AI-generated phishing content improving realism
  • Adversary-in-the-middle (AiTM) attacks bypassing MFA
  • Cloud-based phishing infrastructure scaling campaigns globally

The growth of Chinese-language PhaaS ecosystems mirrors earlier developments in Russian-speaking cybercrime forums, indicating a diversification of global threat actor communities.

At the same time, the shift to mobile-first attack vectors underscores a key reality: smartphones are now the primary battleground for credential theft.

Conclusion

The move to iMessage and RCS marks a pivotal evolution in phishing tactics, combining stealth, realism, and speed.

As attackers continue to exploit encrypted communication channels and real-time authentication workflows, traditional defenses are struggling to keep pace.

Stopping this new wave of attacks will require a shift toward phishing-resistant authentication, advanced fraud detection, and user awareness.

The message is clear: phishing is no longer just about tricking users—it’s about outpacing security at every layer of the digital experience.

FAQ

Why are attackers using iMessage and RCS for phishing?

Because these platforms use encryption, making it harder for carriers to detect and block malicious messages.

What is phishing-as-a-service (PhaaS)?

PhaaS platforms provide ready-made phishing tools and infrastructure, allowing even low-skilled attackers to launch campaigns.

How do attackers bypass OTP-based MFA?

They capture OTPs in real time by tricking victims into entering codes during active phishing sessions.

What is digital wallet fraud in phishing attacks?

Attackers add stolen card details to digital wallets, enabling contactless payments and withdrawals without physical access.

How can users protect themselves from these attacks?

Use phishing-resistant MFA methods like FIDO2, avoid clicking unknown links, and verify suspicious messages independently.