Chinese-language smishing services use SMS, iMessage, and RCS to scale credential theft
Chinese-language phishing-as-a-service platforms are helping cybercriminals run large credential theft campaigns through SMS, iMessage, and Rich Communication Services. urlscan.io researchers say these ecosystems now support global phishing activity at scale, with centralized backends, ready-made templates, and delivery methods built for mobile users.
The campaigns usually impersonate trusted brands such as banks, postal services, toll agencies, government departments, and payment platforms. Victims receive a short message that creates urgency, then land on a fake website designed to steal login details, card numbers, one-time codes, or personal identity information.
The key change is scale. Instead of building phishing kits from scratch, criminals can rent or buy complete platforms that include templates, hosting workflows, tracking tools, and support. urlscan.io says these Chinese-language PhaaS ecosystems have become a significant part of the modern phishing landscape.
Why these smishing campaigns are growing
Phishing-as-a-service lowers the technical barrier for fraud. A criminal no longer needs to write a phishing kit, design fake pages, configure infrastructure, and manage delivery alone.
These platforms package the whole workflow. They allow operators to launch campaigns across countries while changing only the visible phishing page, brand, language, and local lure.
urlscan.io says many campaigns focus on consumer phishing delivered through mobile channels such as SMS, iMessage, and RCS. These channels help attackers reach users directly on devices where people often click quickly and pay less attention to full URLs.
At a glance
| Item | Details |
|---|---|
| Threat type | Mobile phishing and smishing |
| Main ecosystem | Chinese-language phishing-as-a-service platforms |
| Delivery channels | SMS, iMessage, RCS, and other OTT messaging apps |
| Common lures | Toll payments, parcel delivery, banking alerts, tax notices, government messages |
| Main targets | Consumers and organizations across multiple regions |
| Main goal | Credential theft, card theft, one-time code theft, and fraud |
| Infrastructure model | Centralized backend with country-specific phishing templates |
| Scaling method | SIM boxes, rotating domains, affiliate models, and automated deployment |
| Main defensive focus | Domain monitoring, message filtering, user awareness, and brand abuse detection |
How OTT messaging helps attackers
OTT messaging platforms give attackers another path around traditional SMS controls. Messages sent through iMessage or RCS can feel more trusted than ordinary spam texts because they appear inside familiar default messaging apps.
urlscan.io specifically names iMessage and RCS as mobile delivery channels used in these consumer phishing operations. This matters because security teams and telecom providers often focus heavily on classic SMS abuse, while fraud operators keep testing other routes.
Google previously filed litigation against Lighthouse, a phishing-as-a-service operation that it said helped scammers run large smishing campaigns impersonating brands such as E-ZPass and other trusted organizations. Google described Lighthouse as a platform built to generate and deploy smishing attacks at scale.
Why SIM boxes remain useful
SIM boxes help attackers send large volumes of messages from many physical SIM cards. That can make scam texts look like they came from normal mobile numbers rather than obvious bulk-sending infrastructure.
urlscan.io notes that industry reporting and investigations have highlighted SIM box infrastructure as part of the industrialization of these campaigns. Operators can distribute sending across many cards, regions, and devices, which makes takedown harder.
When carriers block one route, attackers can move to another SIM supply, routing path, or messaging channel. That flexibility helps campaigns continue even after partial disruption.
Why centralized phishing platforms are effective
A single PhaaS backend can support many different phishing fronts. One campaign may impersonate a toll agency in the United States, a postal service in Australia, a bank in the United Kingdom, and a government service in Japan.
urlscan.io says centralized backend frameworks can support multiple frontend templates and impersonate brands across different countries at the same time. This increases efficiency and lets operators chase the most profitable regions quickly.
The affiliate-style model also helps the ecosystem grow. Developers maintain the platform, while smaller fraud crews run campaigns, rent access, and use templates without needing deep technical skill.
Common lures used in these campaigns
| Lure | What the message claims | What attackers want |
|---|---|---|
| Toll payment | The user owes a small unpaid road fee | Card details and billing information |
| Parcel delivery | A package needs address confirmation or payment | Personal data and payment details |
| Bank alert | An account needs urgent verification | Login credentials and one-time codes |
| Government service | A fine, benefit, tax issue, or identity check needs action | Identity data and financial information |
| Mobile account alert | A phone or cloud account requires confirmation | Account credentials |
| Fake shopping order | A purchase needs confirmation or refund details | Card data and account access |
The scale is now global
These operations no longer stay inside one country or language region. urlscan.io says Chinese-language PhaaS platforms support campaigns that target organizations and individuals across multiple regions.
Google’s Lighthouse lawsuit gives a sense of the scale. Reuters reported that Google accused the operation of creating about 200,000 fake websites over a 20-day span, targeting more than 1 million people across more than 120 countries.
That scale explains why users in different countries often see similar scam themes at the same time. The backend may be shared, while the visible brand and message change by market.
What users should watch for
Most smishing messages push the victim to act quickly. They often claim a small fee must be paid, a package will be returned, an account will be locked, or a government deadline is about to expire.
Users should avoid tapping links in unexpected SMS, iMessage, or RCS messages. A message that looks official should still be verified through the company’s official app, website, or customer support channel.
People should also avoid entering one-time codes, card details, or banking credentials through links received by message. Real banks, postal services, and government agencies usually provide safer ways to check account status directly.
What security teams should monitor
Organizations should monitor newly registered domains that imitate their brands, especially during tax seasons, shopping periods, travel peaks, and payment deadlines.
Teams should also watch for phishing pages that reuse the same layouts, scripts, favicon files, tracking paths, or backend indicators across many domains. urlscan.io says infrastructure analysis and campaign clustering can help identify related activity across large phishing ecosystems.
Brand protection teams should coordinate with domain registrars, hosting providers, telecom partners, and browser vendors when they find active phishing infrastructure.
Defensive checklist
- Monitor newly registered domains that copy your brand, products, login pages, or payment portals.
- Add detection for fake toll, parcel, banking, and government-themed pages.
- Report phishing domains to registrars, hosting providers, and safe browsing programs.
- Block known smishing domains at DNS, proxy, and email-security layers.
- Train users to open official apps instead of tapping links in messages.
- Warn customers that one-time codes should never be entered through message links.
- Watch for sudden spikes in failed logins, card verification attempts, or account recovery requests.
- Coordinate with telecom providers when abuse uses SIM box infrastructure.
- Use DMARC, brand monitoring, and takedown workflows to reduce impersonation.
- Track phishing kit patterns across URLs, JavaScript files, favicons, and page templates.
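The campaign clustering described under "What security teams should monitor" and in the last checklist item, as an added example (not code from urlscan.io or the original article): it groups scanned pages into one campaign when they share a favicon hash, script hash, or URL path. The records, hash labels, and ignore list are constructed placeholders, and the field names are assumptions, not any real scan API's schema.

```python
from collections import defaultdict

# Constructed sample scans (reserved .example TLD; hash labels are placeholders).
SCANS = [
    {"domain": "toll-pay.example", "favicon": "fav-A", "scripts": {"js-1", "js-2"}, "path": "/pay/verify"},
    {"domain": "parcel-redeliver.example", "favicon": "fav-B", "scripts": {"js-2", "js-3"}, "path": "/track/confirm"},
    {"domain": "bank-secure.example", "favicon": "fav-C", "scripts": {"js-3"}, "path": "/login"},
    {"domain": "tax-refund.example", "favicon": "fav-D", "scripts": {"js-9"}, "path": "/refund"},
    {"domain": "toll-fee.example", "favicon": "fav-A", "scripts": {"js-7"}, "path": "/pay/verify"},
    {"domain": "shop-order.example", "favicon": "fav-E", "scripts": {"jquery"}, "path": "/order"},
    {"domain": "gov-notice.example", "favicon": "fav-F", "scripts": {"jquery"}, "path": "/notice"},
]
# Artifacts too widespread to count as evidence of a shared kit (assumption).
IGNORE = {("script", "jquery")}

def features(scan):
    """Return the typed indicators of one scan, minus the ignore list."""
    feats = {("favicon", scan["favicon"]), ("path", scan["path"])}
    feats |= {("script", s) for s in scan["scripts"]}
    return feats - IGNORE

def cluster_scans(scans, min_size=2):
    """Union domains that share any indicator; report clusters and their links."""
    parent = {s["domain"]: s["domain"] for s in scans}

    def find(d):  # union-find root lookup with path halving
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    by_feature = defaultdict(list)
    for s in scans:
        for f in features(s):
            by_feature[f].append(s["domain"])
    for domains in by_feature.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    clusters = []
    for members in groups.values():
        if len(members) >= min_size:
            shared = sorted(f for f, ds in by_feature.items()
                            if len(ds) > 1 and ds[0] in members)
            clusters.append({"domains": sorted(members), "shared": shared})
    return sorted(clusters, key=lambda c: c["domains"])
```

The toll, parcel, and bank pages fall into one cluster even though no single indicator covers all of them, while the two pages that share only a common library stay unlinked.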
Why this matters
Smishing works because it combines trust, speed, and convenience. A short message on a phone feels personal, and many users respond before checking the link carefully.
Chinese-language PhaaS ecosystems make that problem harder to control. They give more criminals access to polished phishing kits, mobile delivery channels, and global infrastructure.
The result is a fraud market that can move quickly, change brands, rotate domains, and target users in many countries at once. Defenders need faster domain detection, stronger mobile-message filtering, and clearer user warnings to reduce the damage.
FAQ
Phishing-as-a-service is a criminal model where developers sell or rent phishing kits, backend panels, templates, and campaign tools to other criminals.
Smishing is phishing delivered through text messages or mobile messaging apps. The attacker sends a fake message that directs the victim to a phishing page.
iMessage and RCS let attackers reach users through trusted default messaging apps, not only traditional SMS. urlscan.io names both as channels used in Chinese-language PhaaS-driven consumer phishing.
A SIM box is hardware that uses multiple SIM cards to send large volumes of messages. Criminals use it to make scam messages look like they came from normal mobile numbers.