Evolution of phishing through the lens of Chinese PhaaS platforms
📊 Analytics | 2026-05-29, 12:28
Google Threat Intelligence Group (GTIG) analyzed more than a dozen mature Chinese Phishing-as-a-Service (PhaaS) platforms closely tied to the broader cybercriminal ecosystem in the region. The study shows how social engineering and credential theft methods are evolving.
🔴 The main shift is away from "static" phishing, which simply collects logins and passwords for later use, toward real-time attacks. After a victim enters their data, attackers intercept the OTP code in real time via the phishing campaign's control panel and use it before it expires to instantly bypass MFA.
🔴 Once the credentials and OTP are compromised, attackers tokenize victims' bank cards (provision them to digital wallets on their own devices). This enables high-value transactions, contactless payments, and ATM withdrawals using the obtained cards.
🔴 Instead of SMS, these PhaaS platforms increasingly use Rich Communication Services (RCS) and iMessage. End-to-end encryption in these protocols makes it harder for the server-side delivery infrastructure to detect and filter malicious links.
In addition, to scale their operations, several examined PhaaS platforms use AI tools to generate phishing pages and localize their content for different countries.
It's also worth noting that the as-a-service model allows a wide range of threat actors to conduct advanced phishing attacks regardless of their skill level. User education remains an important layer of defense, but it's no longer sufficient — the emphasis is shifting toward technical safeguards, such as phishing-resistant cryptographic authentication and binding logins to the device and session context.
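Why origin-bound authentication resists the real-time relay described above, shown as an added example (not from the GTIG study or the original post): the relying-party binding checks on a WebAuthn assertion, which a relayed OTP has no equivalent of. The host names `bank.example` and `bank-example.test`, the function names, and the sample data are constructed assumptions; signature verification is left out.

```python
import base64, hashlib, hmac, json

RP_ID = "bank.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # assumed legitimate origin

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_errors(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the failed binding checks for one assertion (empty list = pass).
    A real relying party then verifies the signature over
    auth_data || SHA-256(client_data_json); that step is not shown here."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["client_data"]
    if not isinstance(client, dict):
        return ["client_data"]
    errors = []
    if client.get("type") != "webauthn.get":
        errors.append("type")
    sent = str(client.get("challenge", "")).encode("utf-8", "replace")
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        errors.append("challenge")
    # The browser, not the page, writes the origin, so a lookalike site cannot forge it.
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return errors + ["auth_data"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rp_id_hash")
    if not auth_data[32] & 0x01:  # UP flag: user presence
        errors.append("user_present")
    return errors

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the two unsigned fields produced on a page at `origin`."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return json.dumps(client).encode(), auth

if __name__ == "__main__":
    ch = bytes(range(32))  # constructed challenge issued by the real site
    print("legitimate:", binding_errors(*sample_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    # Victim is on a lookalike page that relays the real site's challenge.
    relayed = sample_assertion("https://bank-example.test", "bank-example.test", ch)
    print("relayed:   ", binding_errors(*relayed, ch))
```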