Chinese Phishing‑as‑a‑Service Platforms Target Global Enterprises, Bypass MFA with Real‑Time Token Capture
What Happened – Google Threat Intelligence identified at least a dozen Chinese‑language phishing‑as‑a‑service (PhaaS) operations that now offer live admin panels capable of intercepting one‑time passcodes and tokenizing stolen payment data. The services use AI‑generated pages, encrypted delivery channels (RCS, iMessage) and Telegram promotion to reach victims in 119 countries.
Why It Matters for TPRM –
- Real‑time MFA interception defeats a core control many third‑party risk programs rely on.
- AI‑generated, unique phishing pages evade signature‑based detection, increasing the likelihood of successful credential theft from vendors.
- The services target non‑Chinese brands, meaning your global supply chain could be exposed even if you never do business in China.
Who Is Affected – Financial services, SaaS providers, e‑commerce, telecom, and any organization that relies on MFA and digital‑wallet provisioning for employee or customer accounts.
Recommended Actions –
- Review MFA implementation across all vendors; consider phishing‑resistant authentication (e.g., FIDO2).
- Augment email and SMS filtering with behavioral analytics that detect encrypted delivery channels.
- Require vendors to demonstrate phishing‑resilience testing, especially against AI‑generated pages.
Technical Notes – Attack vector: phishing (phishing‑as‑a‑service) leveraging AI page generation, live admin panels, and encrypted messaging to capture OTPs and tokenized payment data. No specific CVE cited. Data types at risk include login credentials, OTPs, and payment‑card information. Source: Help Net Security