Global Phishing at Scale: Inside the PointyPhish & TollShark Campaigns

Published Date: April 21, 2025
Category: ShadowOpsIntel
Share:

CTM360 has uncovered and tracked two widespread scam campaigns—PointyPhish (Rewards Points Scam) and TollShark (Toll Scam). These attacks are powered by a sophisticated Phishing-as-a-Service (PhaaS) infrastructure known as Darcula Suite. Operating at scale, the campaigns utilize SMS-based phishing vectors, targeting consumers by impersonating banking, transportation, telecom, retail, and reward-based services. The attacks aim to steal PII and credit/debit card data via convincing cloned websites of legitimate brands.

Severity Level: High

Threat Overview:

  • Attack Flow:
    • SMS Phishing: Fake alerts for toll dues or expiring reward points.
    • Fake Website: Mimics brand UI to trick users into submitting data.
    • Urgency Tactics: Push users to “redeem” or “pay” quickly.
    • PII Harvesting: Names, DOB, phone numbers, addresses collected.
    • Card Harvesting: Full card info (number, expiry, CVV) stolen.
  • Tool Used: Darcula (Phishing Kit with rapid deployment & customization).
  • Darcula Platform Insights:
    • Subscription-based access model with attacker licensing.
    • Real-time victim tracking with session IDs, IPs, and geolocation data.
    • Targeting controls (geo-fencing, mobile-only access, OTP prompts).
    • Modular phishing kits tailored for different regions and brand targets.
  • Affected Regions: Asia-Pacific, Middle East, Europe, North America
  • Affected Industries: Retail, Banking, Airlines (PointyPhish); Transportation and Toll Services (TollShark)
  • Notable Targeted Brands: Banks in UK, India, Spain, Malaysia; Toll companies in USA, UAE, China, Australia, Canada
  • Infrastructure Used: 5,000+ typo-squatted domains using TLDs like .top, .xin, .vip, .xyz, .cc, .ink, .sbs

Recommendations:

  1. Proactively block or monitor traffic to high-risk domains using abused TLDs such as .top, .vip, .xin, .xyz, .ink, .sbs, and .cc.
  2. Deploy mobile security solutions capable of detecting SMS-based phishing (smishing) and malicious link patterns.
  3. Restrict mobile browser-based payments in corporate environments unless validated through secured payment gateways.
  4. Ensure mobile devices use secure browsers with phishing protection (e.g., Google Safe Browsing, SmartScreen).
  5. Conduct phishing simulation campaigns focused on SMS scenarios (toll alerts, reward point expiry) to train users in identifying mobile phishing.
  6. Advise users to verify payment/toll requests through official apps or websites—never through links received via SMS.
  7. Disable or reduce reliance on SMS-based OTPs. Shift toward app-based authenticators (e.g., Google Authenticator, Authy).

Source:

  • https://www.security.com/threat-intelligence/billbug-china-espionage

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert