Hacked

Inside the Smishing Triad

Dec 15, 2025
Ford Merrill, Senior Director of Research and Innovation at Sec Alliance and security researcher, breaks down Lighthouse and the Smishing Triad. He describes industrialized phishing kits, wallet provisioning that turns stolen cards into tap-to-pay phones, and the specialized mule and laundering networks that monetize fraud. He also covers takedown challenges, automation at scale, and where these operations find new techniques.
INSIGHT

How Tap-To-Pay Actually Protects Cards

  • Tap-to-pay uses device-bound tokens and one-time cryptograms rather than real card numbers.
  • That cryptography prevents replay and limits the usefulness of stolen transaction data.
INSIGHT

Automating Wallet Provisioning At Scale

  • Compromising mobile wallets at scale requires automating wallet provisioning from stolen card data.
  • Attackers pair fake checkout flows with automated camera scans and MFA capture to add cards to attacker devices.
ANECDOTE

Researcher Traces Smishing To Phishing Kits

  • Ford Merrill traced the operation to Chinese smishing campaigns using package-delivery and toll lures.
  • He found phishing kits enabling real-time SMS OTP bypass and wallet provisioning features.