Ethical Hacking News
Mobile phishing scams have become a major threat to personal finance, with scammers targeting brokerage accounts in "ramp and dump" schemes that manipulate foreign stock prices. The latest attack vectors involve sophisticated phishing kits, compromised mobile wallets, and coordinated trading activity. As the China-based phishing community continues to evolve and mature, it's essential for individuals to take steps to protect themselves from these types of scams.
Mobile phishing scams targeting brokerage accounts are becoming increasingly prevalent. Ramp and dump schemes involve manipulating stock prices using compromised accounts. Sophisticated phishing kits with AI-powered templates are being used to phish brokerage account credentials. The reliance on single, phishable one-time tokens is a major weakness in many financial institutions' security measures. Coordination between scammers and the use of artificial intelligence have led to rapid growth in China-based phishing communities.
Mobile phishing scams have become an increasingly prevalent threat to personal finance, and a recent report by security researcher Ford Merrill highlights the dangers of these types of attacks. According to Merrill, mobile phishers are targeting brokerage accounts in "ramp and dump" schemes, which involve manipulating the prices of foreign stocks using compromised accounts.
The ramp and dump scheme is reminiscent of the classic "pump and dump" scams, where fraudsters purchase a large number of shares in a company and then promote it on social media to build up interest from other investors. However, unlike traditional pump and dump schemes, mobile phishers use compromised brokerage accounts to buy and sell stocks without relying on social media promotion.
Merrill explained that these scammers typically coordinate with other actors and wait until a certain time to buy a particular Chinese IPO or penny stock. They then use the compromised accounts to purchase large volumes of the stock, and once the price reaches a certain value, they dump their shares, leaving the victim with worthless shares in their account.
The early days of these phishing groups were marked by phishing kits that used text messages to spoof local businesses, warning recipients about delinquent shipping or toll fees. However, as security measures improved, phishers shifted their focus to targeting brokerage services.
According to Merrill, the reliance on a single, phishable one-time token for provisioning mobile wallets is a major weakness common to many U.S.-based financial institutions. However, many firms have since strengthened authentication requirements for onboarding new mobile wallets, such as requiring card enrollment via the bank's mobile app.
Despite these efforts, cybercriminal groups peddling sophisticated phishing kits continue to adapt and evolve their tactics. Merrill pointed to several Telegram channels operated by accomplished phishing kit vendors, which offer ready-made templates for using text messages to phish brokerage account credentials and one-time codes.
One such vendor is Outsider, a woman who previously went by the handle "Chenlun." Her phishing lures are sent via Apple's iMessage and Google's RCS service, spoofing major brokerage platforms and warning recipients that their accounts have been suspended for suspicious activity. The missives include links to phishing pages that collect customer usernames and passwords, followed by requests for one-time codes.
The new phish kit videos on Outsider's Telegram channel feature templates specifically designed for Schwab customers, but Merrill noted that the kits can easily be adapted to target other brokerage platforms. This shift in focus is likely due to the way these firms handle multi-factor authentication.
Schwab clients are presented with two options for second-factor authentication. Users who choose to be prompted for a code only on untrusted devices can receive it via text message, an automated inbound phone call, or an outbound call to Schwab. Users who select the "always at login" option can receive codes through the Schwab app, a text message, or a Symantec VIP mobile app.
However, Merrill pointed out that all three of these methods for sending one-time tokens are phishable, and even with the brokerage firm's app, phishers can prompt users to approve login requests using phished credentials. This has led Schwab to regularly update clients on emerging fraud trends, including this specific type of scam.
In February 2025, the FBI issued an advisory warning victims of ramp and dump schemes. The Financial Industry Regulatory Authority (FINRA) also warned that in this variation, the price manipulation is primarily the result of controlled trading activity conducted by the bad actors behind the scam, ultimately leading to a catastrophic collapse in share prices and irreparable losses for unsuspecting investors.
Merrill concluded that these mobile phishing scams are a serious threat to personal finance, particularly as they can be coordinated with other scammers and used to manipulate stock prices. The rapid maturation and growth of the China-based phishing community is largely due to their use of artificial intelligence and large language models to develop sophisticated phishing kits.
"They will often coordinate with other actors," Merrill explained. "They'll wait until a certain time to buy a particular Chinese IPO or penny stock, and then they'll use all these victim brokerage accounts... They'll liquidate the account's current positions and preposition themselves in that instrument in some account they control, and then sell everything when the price goes up."
The victim will be left with worthless shares of that equity in their account, and the brokerage may not be happy either. As Merrill noted, "They're really genius because it decouples so many things... They can buy shares [in the stock to be pumped] in their personal account on the Chinese exchanges, and the price happens to go up."
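The pattern Merrill describes (a takeover login, liquidation of existing positions, then concentrated buying of one low-priced stock by several accounts at about the same time) can be expressed as a brokerage-side detection rule. The following is an added example, not code from Merrill or any brokerage; the event fields, ticker names, and thresholds (60-minute window, $5 price ceiling, 80% concentration) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data); t = minutes since market open.
EVENTS = [
    {"acct": "A1", "t": 5, "type": "login", "new_device": True},
    {"acct": "A1", "t": 9, "type": "sell", "symbol": "HOLD1", "notional": 40000, "price": 210.0},
    {"acct": "A1", "t": 12, "type": "buy", "symbol": "LOWPX", "notional": 39000, "price": 1.20},
    {"acct": "A2", "t": 7, "type": "login", "new_device": True},
    {"acct": "A2", "t": 10, "type": "sell", "symbol": "HOLD2", "notional": 15000, "price": 500.0},
    {"acct": "A2", "t": 14, "type": "buy", "symbol": "LOWPX", "notional": 15000, "price": 1.25},
    {"acct": "A3", "t": 3, "type": "login", "new_device": False},
    {"acct": "A3", "t": 20, "type": "buy", "symbol": "LOWPX", "notional": 500, "price": 1.30},
]

def flag_accounts(events, window=60, max_price=5.0, min_share=0.8):
    """Flag accounts that, within `window` minutes of a new-device login, sell
    holdings and put most of their buy notional into one low-priced symbol."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_acct[e["acct"]].append(e)
    flags = []
    for acct, evs in by_acct.items():
        logins = [e["t"] for e in evs if e["type"] == "login" and e["new_device"]]
        if not logins:
            continue
        trades = [e for e in evs if e["type"] != "login"
                  and logins[0] <= e["t"] <= logins[0] + window]
        buys = [e for e in trades if e["type"] == "buy"]
        if not buys or not any(e["type"] == "sell" for e in trades):
            continue
        cheap = defaultdict(float)  # buy notional per low-priced symbol
        for e in buys:
            if e["price"] <= max_price:
                cheap[e["symbol"]] += e["notional"]
        if not cheap:
            continue
        symbol, amount = max(cheap.items(), key=lambda kv: kv[1])
        if amount / sum(e["notional"] for e in buys) >= min_share:
            first = min(e["t"] for e in buys if e["symbol"] == symbol)
            flags.append((acct, symbol, first))
    return flags

def coordinated_symbols(flags, min_accounts=2, window=30):
    """Symbols that several flagged accounts bought within `window` minutes."""
    by_symbol = defaultdict(list)
    for acct, symbol, t in flags:
        by_symbol[symbol].append((t, acct))
    return {s: [a for _, a in sorted(h)] for s, h in by_symbol.items()
            if len(h) >= min_accounts and max(h)[0] - min(h)[0] <= window}
```

Account A3 buys the same symbol but is not flagged, because it logged in from a known device and did not liquidate holdings first; the cross-account step is what separates a coordinated ramp from one customer's speculative trade.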
Despite the sophistication of these scams, Merrill emphasized that there are steps individuals can take to protect themselves. By strengthening authentication requirements for mobile wallets and being cautious when receiving unsolicited text messages or login requests, consumers can reduce their risk of falling victim to these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Ramp-and-Dump-The-Modern-Scourge-of-Mobile-Phishing-Scams-Targeting-Brokerage-Accounts-ehn.shtml
https://krebsonsecurity.com/2025/08/mobile-phishers-target-brokerage-accounts-in-ramp-and-dump-cashout-scheme/
https://securityshelf.com/2025/08/15/mobile-phishers-target-brokerage-accounts-in-ramp-and-dump-cashout-scheme/
Published: Fri Aug 15 15:08:51 2025 by llama3.2 3B Q4_K_M