
How Phished Data Turns into Apple & Google Wallets


Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group business. Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves loading multiple stolen digital wallets onto a single mobile device, and then selling those phones in bulk for hundreds of dollars apiece.

“Who says carding is dead?” said Merrill, who presented his findings at the M3AAWG security conference in Lisbon earlier today. “This is the best mag stripe cloning device ever. This threat actor is saying you need to buy at least 10 phones, and they’ll air ship them to you.”

One promotional video displays stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.

Merrill stated one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on Stripe or Zelle and running transactions through those entities — often for amounts totaling between $100 and $500.

Merrill noted that when these phishing groups first began operating in earnest two years ago, they would wait between 60 and 90 days before selling the phones or using them for fraud. But these days that waiting period is more like seven to ten days, he said.

“When they first installed this, the actors were very patient,” he said. “Nowadays, they only wait like 10 days before [the wallets] are hit hard and fast.”

Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called “ZNFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“The software can work from anywhere in the world,” Merrill said. “These guys provide the software for $500 a month, and it can relay both NFC enabled tap-to-pay as well as any digital wallet. They even have 24-hour support.”

The rise of so-called “ghost tap” mobile software was first documented in November 2024 by security experts at ThreatFabric. Andy Chandler, the firm’s chief commercial officer, mentioned their researchers have since identified a number of criminal groups from different regions of the world latching on to this scheme.

Chandler stated those include organized crime gangs in Europe that are using similar mobile wallet and NFC attacks to take money out of ATMs made to work with smartphones.

“No one is talking about it, but we’re now seeing ten different methodologies using the same modus operandi, and none of them are doing it the same,” Chandler said. “This is much bigger than the banks are prepared to say.”

A November 2024 story in the Singapore daily The Straits Times reported authorities there arrested three foreign men who were recruited in their home countries via social messaging platforms, and given ghost tap apps with which to purchase expensive items from retailers, including mobile phones, jewelry, and gold bars.

“Since Nov 4, at least 10 victims who had fallen for e-commerce scams have reported unauthorised transactions totaling more than $100,000 on their credit cards for purchases such as electronic products, like iPhones and chargers, and jewelry in Singapore,” The Straits Times wrote, noting that in another case with a similar modus operandi, the police arrested a Malaysian man and woman on Nov 8.

The phishing pages that spoof the USPS and various toll road operators are powered by several innovations designed to maximize the extraction of victim data.

Merrill stated people who submit payment card data to these phishing sites often are then told their card can’t be processed, and urged to use a different card. This technique, he stated, sometimes allows the phishers to steal more than one mobile wallet per victim.

Many phishing websites expose victim data by storing the stolen information directly on the phishing domain. But Merrill mentioned these Chinese phishing kits will forward all victim data to a back-end database operated by the phishing kit vendors. That way, even when the smishing sites get taken down for fraud, the stolen data is still safe and secure.

Another key innovation is the use of mass-created Apple and Google user accounts through which these phishers send their spam messages. One of the Chinese phishing groups posted images on their Telegram sales channels showing how these robot Apple and Google accounts are loaded onto Apple and Google phones, and arranged snugly next to each other in an expansive, multi-tiered rack that sits directly in front of the phishing service operator.

In other words, the smishing websites are powered by real human operators as long as new messages are being sent. Merrill mentioned the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

Notably, none of the phishing sites spoofing the toll operators or postal services will load in a regular Web browser; they will only render if they detect that a visitor is coming from a mobile device.

“One of the reasons they want you to be on a mobile device is they want you to be on the same device that is going to receive the one-time code,” Merrill said. “They also want to minimize the chances you will leave. And if they want to get that mobile tokenization and grab your one-time code, they need a live operator.”

Merrill found the Chinese phishing kits feature another innovation that makes it simple for the kits’ customers to turn stolen card details into a mobile wallet: They programmatically take the card data supplied by the phishing victim and convert it into a digital image of a real payment card that matches that victim’s financial institution. That way, attempting to enroll a stolen card into Apple Pay, for example, becomes as easy as scanning the fabricated card image with an iPhone.

“The phone isn’t smart enough to know whether it’s a real card or just an image,” Merrill said. “So it scans the card into Apple Pay, which says okay we need to verify that you’re the owner of the card by sending a one-time code.”

How profitable are these mobile phishing kits? The best guess so far comes from data gathered by other security researchers who’ve been tracking these advanced Chinese phishing vendors.

In August 2023, the security firm Resecurity discovered a vulnerability in one popular Chinese phish kit vendor’s platform that exposed the personal and financial data of phishing victims. Resecurity dubbed the group the Smishing Triad, and found the gang had harvested 108,044 payment cards across 31 phishing domains (3,485 cards per domain).

In August 2024, security researcher Grant Smith gave a presentation at the DEFCON security conference about tracking down the Smishing Triad after scammers spoofing the U.S. Postal Service duped his wife. By identifying a different vulnerability in the gang’s phishing kit, Smith said he was able to see that people had entered 438,669 unique credit cards in 1,133 phishing domains (387 cards per domain).

Based on his research, Merrill noted it’s reasonable to expect between $100 and $500 in losses on each card that is turned into a mobile wallet. Merrill noted they observed nearly 33,000 unique domains tied to these Chinese smishing groups during the year between the publication of Resecurity’s research and Smith’s DEFCON talk.

Using a median number of 1,935 cards per domain and a conservative loss of $250 per card, that comes out to about $15 billion in fraudulent charges over a year.

Merrill was reluctant to say whether he’d identified additional security vulnerabilities in any of the phishing kits sold by the Chinese groups, noting that the phishers quickly fixed the vulnerabilities that were detailed publicly by Resecurity and Smith.

Adoption of touchless payments took off in the United States after the Coronavirus pandemic emerged, and many financial institutions in the United States were eager to make it simple for end users to link payment cards to mobile wallets. Thus, the authentication requirement for doing so defaulted to sending the customer a one-time code via SMS.

Experts say the continued reliance on one-time codes for onboarding mobile wallets has fostered this new wave of carding. KrebsOnSecurity interviewed a security executive from a large European financial institution who spoke on condition of anonymity because they were not authorized to speak to the press.

That expert noted the lag between the phishing of victim card data and its eventual use for fraud has left many financial institutions struggling to correlate the causes of their losses.

“That’s part of why the industry as a whole has been caught by surprise,” the expert said. “A lot of people are asking, how is this possible now that we’ve tokenized a plaintext process. We’ve never seen the volume of sending and people responding that we’re seeing with these phishers.”

To improve the security of digital wallet provisioning, some banks in Europe and Asia require end users to log in to the bank’s mobile app before they can link a digital wallet to their device.

Addressing the ghost tap threat may require updates to contactless payment terminals, so that they can better identify NFC transactions that are being relayed from another device. But experts say it’s unrealistic to expect retailers to be eager to replace existing payment terminals before their expected lifespans expire.

And of course Apple and Google have an increased role to play as well, given that their accounts are being created en masse and used to blast out these smishing messages. Both companies could easily tell which of their devices suddenly have 7-10 different mobile wallets added from 7-10 different people around the world. They could also recommend that financial institutions use more secure authentication methods for mobile wallet provisioning.
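The detection heuristic in the previous paragraph (one device suddenly enrolling wallets for many unrelated people) is easy to express over provisioning logs. The following is an added example, not code from the article or from Apple or Google: a wallet provider or card issuer could run a check like this over its own records. The field names, the threshold, the time window and the sample events are all constructed for illustration.

```python
"""Spot devices that collect wallets from many unrelated cardholders.

Added example, not from the article: a wallet provider or card issuer could run a
check like this over its own provisioning logs. The event fields, the thresholds
and the sample data below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (device_id, cardholder_id, cardholder_country, ISO timestamp).
# dev-A enrolls eight cards from eight people in five countries within 90 minutes;
# dev-B is an ordinary household phone; dev-C adds one card every few weeks.
SAMPLE_EVENTS = [
    ("dev-A", "ch-01", "US", "2024-11-01T10:00:00"),
    ("dev-A", "ch-02", "US", "2024-11-01T10:06:00"),
    ("dev-A", "ch-03", "CA", "2024-11-01T10:15:00"),
    ("dev-A", "ch-04", "GB", "2024-11-01T10:31:00"),
    ("dev-A", "ch-05", "US", "2024-11-01T10:44:00"),
    ("dev-A", "ch-06", "DE", "2024-11-01T11:02:00"),
    ("dev-A", "ch-07", "US", "2024-11-01T11:19:00"),
    ("dev-A", "ch-08", "FR", "2024-11-01T11:30:00"),
    ("dev-B", "ch-10", "US", "2024-10-03T09:12:00"),
    ("dev-B", "ch-11", "US", "2024-10-05T18:40:00"),
    ("dev-C", "ch-20", "US", "2024-06-01T12:00:00"),
    ("dev-C", "ch-21", "US", "2024-06-21T12:00:00"),
    ("dev-C", "ch-22", "US", "2024-07-11T12:00:00"),
    ("dev-C", "ch-23", "US", "2024-07-31T12:00:00"),
    ("dev-C", "ch-24", "US", "2024-08-20T12:00:00"),
    ("dev-C", "ch-25", "US", "2024-09-09T12:00:00"),
]


def parse_events(rows):
    """Convert raw tuples into dicts with parsed timestamps."""
    return [
        {"device": d, "holder": h, "country": c, "ts": datetime.fromisoformat(t)}
        for d, h, c, t in rows
    ]


def flag_suspicious_devices(events, min_distinct_holders=5, window=timedelta(days=7)):
    """Return {device_id: summary} for devices that provisioned wallets for at least
    `min_distinct_holders` distinct cardholders inside any sliding time window."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)

    flagged = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Treat each event as a window start and collect everything within `window` of it.
        for i, start in enumerate(evs):
            holders, countries, end = set(), set(), start["ts"]
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                holders.add(e["holder"])
                countries.add(e["country"])
                end = e["ts"]
            if best is None or len(holders) > best["distinct_holders"]:
                best = {
                    "distinct_holders": len(holders),
                    "distinct_countries": len(countries),
                    "window_start": start["ts"].isoformat(),
                    "window_end": end.isoformat(),
                }
        if best["distinct_holders"] >= min_distinct_holders:
            flagged[device] = best
    return flagged


if __name__ == "__main__":
    for device, summary in flag_suspicious_devices(parse_events(SAMPLE_EVENTS)).items():
        print(device, summary)
```

The sliding window matters: a family phone that accumulates a few cards over years looks nothing like a device that enrolls eight strangers’ cards in an afternoon, so the threshold is applied to the densest window rather than to the lifetime total.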

Neither Apple nor Google responded to requests for comment on this story.


SOC 3.0 - The Evolution of the SOC and How AI is Empowering Human Talent


Organizations today face relentless cyber attacks, with high-profile breaches hitting the headlines almost daily. Reflecting on a long journey in the security field, it's clear this isn't just a human problem—it's a math problem. There are simply too many threats and security tasks for any SOC to handle manually in a reasonable timeframe. Yet, there is a solution. Many refer to it as SOC 3.0—an AI-augmented environment that finally lets analysts do more with less and shifts security operations from a reactive posture to a proactive force. The transformative power of SOC 3.0 will be detailed later in this article, showcasing how artificial intelligence can dramatically reduce workload and risk, delivering the world-class security operations that every CISO dreams of. However, to appreciate this leap forward, it's key to understand how the SOC evolved over time and why the steps leading up to 3.0 set the stage for a new era of security operations.

For decades, the Security Operations Center (SOC) has been the front line for defending organizations against cyber threats. As threats become faster and more sophisticated, the SOC must evolve. I've personally witnessed three distinct phases of SOC evolution. I like to refer to them as SOC 1.0 (the traditional SOC), SOC 2.0 (the current, partly automated SOC), and SOC 3.0 (the AI-powered, modern SOC).

In this article I provide an overview of each phase, focusing on four core functions: alert triage and remediation, detection and correlation, threat investigation, and data processing.

SOC 1.0: The traditional, manual SOC.

Let's take a look at how the earliest SOCs handled alert triage and remediation, detection & correlation, threat investigation and data processing.

Handling noisy alerts with manual triage & remediation.

In the early days, we spent an inordinate amount of time on simple triage. Security engineers would build or configure alerts, and the SOC team would then struggle under a never-ending flood of noise. False positives abounded.

For example, if an alert fired every time a test server connected to a non-production domain, the SOC quickly realized it was harmless noise. We'd exclude low-severity or known test infrastructure from logging or alerting. This back and forth—"Tune these alerts!" or "Exclude this server!"—became the norm. SOC resources were invested more in managing alert fatigue than in addressing real security problems.

Remediation, too, was entirely manual. Most organizations had a Standard Operating Procedure (SOP) stored in a wiki or SharePoint. After an alert was deemed valid, an analyst would walk through the SOP:

"Collect logs for forensics", and so on.

These SOPs lived primarily in static documents, requiring manual intervention at every step. The main tools in this process were the SIEM (often a platform like QRadar, ArcSight, or Splunk) combined with collaboration platforms like SharePoint for knowledge documentation.

During the SOC 1.0 phase, detection and correlation mostly meant manually written queries and rules. SIEMs required advanced expertise to build correlation searches. SOC engineers or SIEM specialists wrote complex query logic to connect the dots between logs, events, and known Indicators of Compromise (IOCs). A single missed OR or an incorrect join in a search query could lead to countless false negatives or false positives. The complexity was so high that only a small subset of expert individuals in the organization could maintain these rule sets effectively, leading to bottlenecks and slow response times.
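The two SOC 1.0 pain points above, tuning out known test infrastructure and getting the boolean logic of a correlation search right, can be shown in a few lines. This is an added example, not code from the article or from any of the SIEM products it names; the indicator values are placeholders drawn from documentation address ranges, and the hosts, field names and events are constructed.

```python
"""A correlation rule with tuning exclusions, and the cost of a missing OR.

Added example, not from the article: the indicator values are placeholders from
documentation address ranges, and the hosts, fields and events are constructed.
"""

# Constructed indicator set (TEST-NET addresses and reserved example names, not real IOCs).
IOC_IPS = {"203.0.113.7", "198.51.100.23"}
IOC_DOMAINS = {"bad.example", "c2.example.net"}

# Constructed exclusion list: known test infrastructure that talks to non-production domains.
EXCLUDED_HOSTS = {"test-web-01", "qa-runner-03"}

# Constructed sample events with assumed field names.
SAMPLE_EVENTS = [
    {"host": "test-web-01", "src_ip": "10.0.5.4", "dst_ip": "203.0.113.7", "dst_domain": "staging.example"},
    {"host": "fin-app-02", "src_ip": "10.0.9.8", "dst_ip": "198.51.100.23", "dst_domain": "cdn.example"},
    {"host": "hr-wks-17", "src_ip": "10.0.3.2", "dst_ip": "192.0.2.10", "dst_domain": "c2.example.net"},
    {"host": "db-01", "src_ip": "10.0.1.1", "dst_ip": "10.0.1.2", "dst_domain": ""},
    {"host": "mail-01", "src_ip": "10.0.2.2", "dst_ip": "192.0.2.55", "dst_domain": "mail.example"},
]


def match_ip_or_domain(event):
    """Full predicate: a hit on either the destination IP or the destination domain."""
    if event["dst_ip"] in IOC_IPS:
        return ("ip", event["dst_ip"])
    if event["dst_domain"] in IOC_DOMAINS:
        return ("domain", event["dst_domain"])
    return None


def match_ip_only(event):
    """Narrower predicate: the domain clause was dropped, so domain-only hits vanish."""
    if event["dst_ip"] in IOC_IPS:
        return ("ip", event["dst_ip"])
    return None


def correlate(events, matcher=match_ip_or_domain, excluded_hosts=EXCLUDED_HOSTS):
    """Return (alerts, suppressed_count).

    Exclusions are applied after matching, so the suppressed count shows how much
    noise the tuning is absorbing instead of silently hiding it."""
    alerts, suppressed = [], 0
    for e in events:
        hit = matcher(e)
        if hit is None:
            continue
        if e["host"] in excluded_hosts:
            suppressed += 1
            continue
        alerts.append({"host": e["host"], "indicator_type": hit[0], "indicator": hit[1]})
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = correlate(SAMPLE_EVENTS)
    print(f"{len(alerts)} alerts, {suppressed} suppressed by exclusions")
    for a in alerts:
        print(a)
```

Running the same events through `match_ip_only` drops the workstation that only contacted an indicator domain, which is exactly the silent false negative the paragraph warns about; keeping a count of suppressed hits also makes it visible when an exclusion list has grown wide enough to hide real activity.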

Only experts for L2 & L3 threat investigation.

Threat investigations required highly skilled (and expensive) security analysts. Because everything was manual, each suspicious event demanded that a senior analyst perform log deep dives, run queries, and piece together the story from multiple data sources. There was no real scalability; each team could only handle a certain volume of alerts. Junior analysts were often stuck at Level 1 triage, escalating most incidents to more senior staff due to a lack of efficient tools and processes.

With big data came big problems such as manual data ingestion and parsing. Each log source needed its own integration, with specific parsing rules and indexing configuration. If you changed vendors or added new solutions, you'd spend months or even multiple quarters on integration. For SIEMs like QRadar, administrators had to configure new database tables, data fields, and indexing rules for each new log type. This was slow, brittle, and prone to human error. Finally, many organizations used separate pipelines for shipping logs to different destinations. These were also manually configured and likely to break whenever sources changed.

In short, SOC 1.0 was marked by high costs, heavy manual effort, and a focus on "keeping the lights on" rather than on true security innovation.

SOC 2.0: The current, partly automated SOC.

The challenges of SOC 1.0 spurred innovation. The industry responded with platforms and approaches that automated (to some degree) key workflows.

With the advent of SOAR (Security Orchestration, Automation, and Response), alerts in the SIEM could be enriched automatically. An IP address in an alert, for example, could be checked against threat intelligence feeds and geolocation services. A host name could be correlated with an asset inventory or vulnerability management database. This additional context empowered analysts to decide faster whether an alert was credible. Automated SOPs were another big improvement. SOAR tools allowed analysts to codify some of their repetitive tasks and run "playbooks" automatically. Instead of referencing a wiki page step by step, the SOC could rely on automated scripts to perform parts of the remediation, like isolating a host or blocking an IP.

However, the decision-making piece between enrichment and automated action remained highly manual. Analysts might have better context, but they still had to think through what to do next. And to make matters worse, the SOAR tools themselves ([website], Torq, Tines, BlinkOps, Cortex XSOAR, Swimlane) needed extensive setup and maintenance. Expert security engineers had to create and constantly upgrade playbooks. If a single external API changed, entire workflows could fail. Simply replacing your endpoint vendor would trigger weeks of catch-up in a SOAR platform. The overhead of building and maintaining these automations is not exactly trivial.
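The SOAR pattern described in the two paragraphs above (enrich an alert from several lookups, propose an action, but leave the decision to a human) is sketched below. This is an added example, not code from the article or from any SOAR product it names; the lookup tables stand in for a threat-intel feed, a geolocation service, an asset inventory and a vulnerability database, and their contents, the scoring weights and the alerts are all constructed.

```python
"""SOAR-style alert enrichment with a human decision gate before any action.

Added example, not from the article or any vendor: every lookup table below is a
constructed stand-in for a real integration (TI feed, GeoIP, CMDB, vuln scanner),
and the scoring weights are illustrative.
"""

# Constructed stand-ins for external integrations. Addresses are from documentation ranges.
THREAT_INTEL = {"203.0.113.7": {"verdict": "malicious", "tags": ["scanner", "bruteforce"]}}
GEOIP = {"203.0.113.7": "NL", "198.51.100.9": "US"}
ASSET_INVENTORY = {
    "fin-app-02": {"owner": "finance", "criticality": "high"},
    "dev-sandbox-1": {"owner": "eng", "criticality": "low"},
}
OPEN_VULNS = {"fin-app-02": 3, "dev-sandbox-1": 0}  # unpatched findings per host (constructed)


def score_priority(enriched):
    """Turn the gathered context into a coarse priority (weights are illustrative)."""
    score = 0
    if enriched["ti_verdict"] == "malicious":
        score += 50
    score += {"high": 30, "medium": 15, "low": 5}.get(enriched["asset_criticality"], 10)
    score += min(enriched["open_vulns"], 5) * 4
    if score >= 80:
        return "P1"
    return "P2" if score >= 50 else "P3"


def propose_actions(enriched):
    """Suggest containment steps; nothing here executes anything."""
    actions = []
    if enriched["ti_verdict"] == "malicious":
        actions.append(("block_ip", enriched["src_ip"]))
    if enriched["priority"] == "P1":
        actions.append(("isolate_host", enriched["host"]))
    return actions


def enrich_alert(alert):
    """Attach TI, geo, asset and vulnerability context to a raw SIEM alert."""
    ip, host = alert["src_ip"], alert["host"]
    ti = THREAT_INTEL.get(ip, {"verdict": "unknown", "tags": []})
    asset = ASSET_INVENTORY.get(host, {"owner": "unknown", "criticality": "unknown"})
    enriched = {
        **alert,
        "ti_verdict": ti["verdict"],
        "ti_tags": ti["tags"],
        "geo": GEOIP.get(ip, "??"),
        "asset_owner": asset["owner"],
        "asset_criticality": asset["criticality"],
        "open_vulns": OPEN_VULNS.get(host, 0),
    }
    enriched["priority"] = score_priority(enriched)
    enriched["proposed_actions"] = propose_actions(enriched)
    return enriched


def run_playbook(enriched, approved_by=None):
    """Execute proposed actions only after an analyst has approved them.

    Returns the list of actions carried out; with no approver it returns nothing,
    which is the manual decision step the text describes sitting between
    enrichment and response."""
    if approved_by is None:
        return []
    return [f"{action}:{target}" for action, target in enriched["proposed_actions"]]


if __name__ == "__main__":
    alert = {"rule": "ssh-bruteforce", "host": "fin-app-02", "src_ip": "203.0.113.7"}  # constructed
    enriched = enrich_alert(alert)
    print(enriched["priority"], enriched["proposed_actions"])
    print(run_playbook(enriched, approved_by="analyst-1"))
```

The structure also shows where the maintenance burden the paragraph complains about comes from: each of the four lookups is a separate external API, and a change to any one of them breaks `enrich_alert` for every playbook that depends on it.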

Upgraded SIEM: Out-of-the-box detection & XDR.

In SOC 2.0, detection and correlation saw key advances in out-of-the-box content. Modern SIEM platforms and XDR (Extended Detection and Response) solutions offer libraries of pre-built detection rules tailored to common threats, saving time for SOC analysts who previously had to write everything from scratch. Tools like Exabeam, Securonix, Gurucul and Hunters aim to correlate data from multiple sources (endpoints, cloud workloads, network traffic, identity providers) more seamlessly. Vendors like Anvilogic or Panther Labs provide libraries of comprehensive rule sets for various sources, significantly reducing the complexity of writing queries.

Incremental improvements in threat investigation.

Despite XDR advances, the actual threat investigation workflow remains very similar to SOC 1.0. Tools are better integrated and more data is available at a glance, but the analysis process still relies on manual correlation and the expertise of seasoned analysts. While XDR can surface suspicious activity more efficiently, it doesn't inherently automate the deeper forensic or threat-hunting tasks. Senior analysts remain crucial to interpret nuanced signals and tie multiple threat artifacts together.

Streamlined integrations & data cost control.

Data processing in SOC 2.0 has also improved with more integrations and better control over multiple data pipelines. For example, SIEMs like Microsoft Sentinel offer automatic parsing and built-in schemas for popular data sources. This accelerates deployment and shortens time-to-value. Solutions like Cribl allow organizations to define data pipelines once and route logs to the right destinations in the right format with the right enrichments. For example, a single data source might be enriched with threat intel tags and then sent to both a SIEM for security analysis and a data lake for long-term storage.

These improvements certainly help reduce the burden on the SOC, but maintaining these integrations and pipelines can still be complex. Moreover, the cost of storing and querying massive volumes of data in a cloud-based SIEM or XDR platform remains a major budget item.
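The "define once, route everywhere" idea from the data processing paragraph above looks like this in miniature: one parser and one enrichment step, with each destination deciding what it keeps and how it is serialized. This is an added example, not code from the article or from any pipeline product it names; the firewall log format, the indicator list and the routing rules are constructed for illustration.

```python
"""Define a log pipeline once and route it to several destinations in different formats.

Added example, not from the article or any vendor product: the firewall log
format, the indicator list and the routing rules are constructed for illustration.
"""
import json

# Constructed indicator list (TEST-NET address, not a real IOC).
TI_IPS = {"203.0.113.7"}

# Constructed firewall log lines in a key=value style.
SAMPLE_LINES = [
    "2024-11-01T10:00:01Z fw01 action=allow src=10.0.5.4 dst=192.0.2.10 dport=443",
    "2024-11-01T10:00:02Z fw01 action=deny src=10.0.9.8 dst=198.51.100.23 dport=22",
    "2024-11-01T10:00:03Z fw01 action=allow src=10.0.3.2 dst=203.0.113.7 dport=8080",
]


def parse_fw_line(line):
    """Parse 'timestamp observer k=v k=v ...' into a flat event dict (done once per line)."""
    ts, observer, *pairs = line.split()
    event = {"timestamp": ts, "observer": observer}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def enrich(event, ti_ips=TI_IPS):
    """Tag events whose destination appears in the indicator list."""
    event["threat_tag"] = "known-bad-dst" if event.get("dst") in ti_ips else None
    return event


def to_lake_row(event):
    """Compact row for cheap long-term storage: only the columns analysts query later."""
    return ",".join([event["timestamp"], event["src"], event["dst"], event["action"]])


def security_relevant(event):
    """The SIEM pays per ingested byte, so it only receives denies and tagged traffic."""
    return event["action"] == "deny" or event["threat_tag"] is not None


# Each route decides which events it wants and how they are serialized.
ROUTES = [
    {"dest": "siem", "keep": security_relevant, "format": lambda e: json.dumps(e, sort_keys=True)},
    {"dest": "lake", "keep": lambda e: True, "format": to_lake_row},
]


def run_pipeline(lines, routes=ROUTES):
    """Parse and enrich each line once, then fan it out to every route that wants it."""
    out = {r["dest"]: [] for r in routes}
    for line in lines:
        event = enrich(parse_fw_line(line))
        for r in routes:
            if r["keep"](event):
                out[r["dest"]].append(r["format"](event))
    return out


if __name__ == "__main__":
    for dest, rows in run_pipeline(SAMPLE_LINES).items():
        print(dest, len(rows), "events")
        for row in rows:
            print("  ", row)
```

Adding a destination or changing a format touches only `ROUTES`; the parser and the enrichment are shared, which is the maintenance saving over the per-destination pipelines described for SOC 1.0.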

In sum, SOC 2.0 delivered significant progress in automated enrichment and remediation playbooks. But the heavy lifting—critical thinking, contextual decision-making, and sophisticated threat analysis—remains manual and burdensome. SOC teams still scramble to keep up with new threats, new data sources, and the overhead of maintaining automation frameworks.

SOC 3.0: The AI-powered, modern SOC.

Enter SOC 3.0, where artificial intelligence and distributed data lakes promise a quantum leap in operational efficiency and threat detection.

Thanks to breakthroughs in AI, the SOC can now automate much of the triage and investigation process. Machine learning models—trained on vast datasets of normal and malicious behavior—can automatically classify and prioritize alerts with minimal human intervention. AI models are also packed with security knowledge, which helps augment human analysts' capability to efficiently research and apply new information to their practices.

This doesn't eliminate human oversight, with humans-in-the-loop reviewing the AI's triage reasoning and response recommendations, but it does drastically reduce the manual, repetitive tasks that bog down SOC analysts. Junior analysts can focus on high-level validation and sign-off, while AI handles the heavy lifting.

The SIEM (and XDR) layer in SOC 3.0 is far more automated, with AI/ML models, rather than human experts, creating and maintaining correlation rules. The system continuously learns from real-world data, adjusting rules to reduce false positives and detect novel attack patterns.

Ongoing threat intelligence feeds, behavioral analysis, and context from across the entire environment come together in near real-time. This intelligence is automatically integrated, so the SOC can adapt instantly to new threats without waiting for manual rule updates.

Automated deep-dive threat investigations.

Arguably the most transformative change is in how AI enables near-instantaneous investigations with no need to codify. Instead of writing a detailed manual or script for investigating each type of threat, AI engines process and query large volumes of data and produce contextually rich investigation paths.

Deep analysis at high speed is all in a day's work for AI, as it can correlate thousands of events and logs from distributed data sources within minutes and often within seconds, surfacing the most relevant insights to the analyst.

Finally, SOC 3.0 empowers junior analysts: even a Level 1 or 2 analyst can use these AI-driven investigations to handle incidents that would traditionally require a senior staff member. Vendors in this space include startups offering AI-based security co-pilots and automated SOC platforms that drastically shorten investigation time and MTTR.

Distributed data lakes & optimized spend.

While the volume of data required to fuel AI-driven security grows, SOC 3.0 relies on a more intelligent approach to data storage and querying:

Distributed data lake. AI-based tools don't necessarily rely on a single, monolithic data store. Instead, they can query data where it resides—be it a legacy SIEM, a vendor's free-tier storage, or an S3 bucket you own.

This approach is critical for cost optimization. For instance, some EDR/XDR vendors like CrowdStrike or SentinelOne offer free storage for first-party data, so it's economical to keep that data in their native environment. Meanwhile, other logs can be stored in cheaper cloud storage solutions.

Flexible, on-demand queries. SOC 3.0 enables organizations to "bring the query to the data" rather than forcing all logs into a single expensive repository. This means you can leverage a cost-effective S3 bucket for large volumes of data, while still being able to rapidly query and enrich it in near real-time.

Data residency and performance concerns are also addressed by distributing the data in the most logical location—closer to the source, in compliance with local regulations, or in whichever geography is best for cost/performance trade-offs.

Avoiding vendor lock-in. In SOC 3.0, you're not locked into a single platform's storage model. If you can't afford to store or analyze everything in a vendor's SIEM, you can still choose to keep it in your own environment at a fraction of the cost—yet still query it on demand when needed.

From a CISO's vantage point, SOC 3.0 isn't just a buzzword. It's the natural next step in modern cybersecurity, enabling teams to handle more threats at lower cost, with better accuracy and speed. While AI won't replace the need for human expertise, it will fundamentally shift the SOC's operating model—allowing security professionals to do more with less, focus on strategic initiatives, and maintain a stronger security posture against today's rapidly evolving threat landscape.

Radiant Security provides an AI-powered SOC platform designed for SMB and enterprise security teams looking to fully handle 100% of the alerts they receive from multiple tools and sensors. Ingesting, understanding, and triaging alerts from any security vendor or data source, Radiant ensures no real threats are missed, cuts response times from days to minutes, and enables analysts to focus on true positive incidents and proactive security. Unlike other AI solutions which are constrained to predefined security use cases, Radiant dynamically addresses all security alerts, eliminating analyst burnout and the inefficiency of switching between multiple tools. Additionally, Radiant delivers affordable, high-performance log management directly from clients' existing storage, dramatically reducing costs and eliminating vendor lock-in associated with traditional SIEM solutions.


About the author: Shahar Ben Hador spent nearly a decade at Imperva, becoming their first CISO. He went on to be CIO and then VP Product at Exabeam. Seeing how security teams were drowning in alerts while real threats slipped through drove him to build Radiant Security as co-founder and CEO.


Ransomware Attacks are on the Rise


Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.

After a recent dip, ransomware attacks are back on the rise. According to researchers at NCC Group, the resurgence is being led by old ransomware-as-a-service (RaaS) groups.

With data gathered by “actively monitoring the leak sites used by each ransomware group and scraping victim details as they are released,” researchers have determined that Lockbit was by far the most prolific ransomware gang in July, behind 62 attacks. That’s ten more than the month prior, and more than twice as many as the second and third most prolific groups combined. “Lockbit [website] maintain their foothold as the most threatening ransomware group,” the authors wrote, “and one with which all organizations should aim to be aware of.”

Those second and third most prolific groups are Hiveleaks – 27 attacks – and BlackBasta – 24 attacks. These figures represent rapid rises for each group – since June, a 440 percent rise for Hiveleaks, and a 50 percent rise for BlackBasta.

It may well be that the resurgence in ransomware attacks, and the rise of these two particular groups, are intimately connected.

Researchers from NCC Group counted 198 successful ransomware campaigns in July – up 47 percent from June. Sharp as that incline may be, it still falls some way short of the high-water mark set this spring, with nearly 300 such campaigns in both March and April.

Well, in May, the United States government ramped up its efforts against Russian cybercrime by offering up to $15 million for prized information about Conti, then the world’s foremost ransomware gang. “It is likely that the threat actors were undergoing structural changes,” the authors of the findings speculated, “and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction.”

Hiveleaks and BlackBasta are the result of that restructuring. Both groups are “associated with Conti,” the authors noted, Hiveleaks as an affiliate and BlackBasta as a replacement strain. “As such, it appears that it has not taken long for Conti’s presence to filter back into the threat landscape, albeit under a new identity.”

Now that Conti’s properly split in two, the authors speculated, “it would not be surprising to see these figures further increase as we move into August.”


Market Impact Analysis

Market Growth Trend

Year    Growth rate
2018    8.7%
2019    10.5%
2020    11.0%
2021    12.2%
2022    12.9%
2023    13.3%
2024    13.4%

Quarterly Growth Rate

Quarter    Growth rate
Q1 2024    12.5%
Q2 2024    12.9%
Q3 2024    13.2%
Q4 2024    13.4%

Market Segments and Growth Drivers

Segment                     Market share    Growth rate
Network Security            26%             10.8%
Cloud Security              23%             17.6%
Identity Management         19%             15.3%
Endpoint Security           17%             13.9%
Other Security Solutions    15%             12.4%

Technology Maturity Curve

Different technologies within the ecosystem are at varying stages of maturity (hype-cycle diagram: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity; technologies plotted: AI/ML, Blockchain, VR/AR, Cloud, Mobile).

Competitive Landscape Analysis

Company                Market Share
Palo Alto Networks     14.2%
Cisco Security         12.8%
Crowdstrike            9.3%
Fortinet               7.6%
Microsoft Security     7.1%

Future Outlook and Predictions

The cyber security landscape is evolving rapidly, driven by technological advancements, changing threat vectors, and shifting business requirements. Based on current trends and expert analyses, we can anticipate several significant developments across different time horizons:

Year-by-Year Technology Evolution

Based on current trajectory and expert analyses, we can project the following development timeline:

2024: Early adopters begin implementing specialized solutions with measurable results
2025: Industry standards emerging to facilitate broader adoption and integration
2026: Mainstream adoption begins as technical barriers are addressed
2027: Integration with adjacent technologies creates new capabilities
2028: Business models transform as capabilities mature
2029: Technology becomes embedded in core infrastructure and processes
2030: New paradigms emerge as the technology reaches full maturity

Technology Maturity Curve

Different technologies within the ecosystem are at varying stages of maturity, influencing adoption timelines and investment priorities:


Innovation Trigger

  • Generative AI for specialized domains
  • Blockchain for supply chain verification

Peak of Inflated Expectations

  • Digital twins for business processes
  • Quantum-resistant cryptography

Trough of Disillusionment

  • Consumer AR/VR applications
  • General-purpose blockchain

Slope of Enlightenment

  • AI-driven analytics
  • Edge computing

Plateau of Productivity

  • Cloud infrastructure
  • Mobile applications

Expert Perspectives

Leading experts in the cyber security sector provide diverse perspectives on how the landscape will evolve over the coming years:

"Technology transformation will continue to accelerate, creating both challenges and opportunities."

— Industry Expert

"Organizations must balance innovation with practical implementation to achieve meaningful results."

— Technology Analyst

"The most successful adopters will focus on business outcomes rather than technology for its own sake."

— Research Director

Areas of Expert Consensus

  • Acceleration of Innovation: The pace of technological evolution will continue to increase
  • Practical Integration: Focus will shift from proof-of-concept to operational deployment
  • Human-Technology Partnership: Most effective implementations will optimize human-machine collaboration
  • Regulatory Influence: Regulatory frameworks will increasingly shape technology development

Short-Term Outlook (1-2 Years)

In the immediate future, organizations will focus on implementing and optimizing currently available technologies to address pressing cyber security challenges:

  • Technology adoption accelerating across industries
  • Digital transformation initiatives becoming mainstream

These developments will be characterized by incremental improvements to existing frameworks rather than revolutionary changes, with emphasis on practical deployment and measurable outcomes.

Mid-Term Outlook (3-5 Years)

As technologies mature and organizations adapt, more substantial transformations will emerge in how security is approached and implemented:

  • Significant transformation of business processes through advanced technologies
  • New digital business models emerging

This period will see significant changes in security architecture and operational models, with increasing automation and integration between previously siloed security functions. Organizations will shift from reactive to proactive security postures.

Long-Term Outlook (5+ Years)

Looking further ahead, more fundamental shifts will reshape how cybersecurity is conceptualized and implemented across digital ecosystems:

  • Fundamental shifts in how technology integrates with business and society
  • Emergence of new technology paradigms

These long-term developments will likely require significant technical breakthroughs, new regulatory frameworks, and evolution in how organizations approach security as a fundamental business function rather than a technical discipline.

Key Risk Factors and Uncertainties

Several critical factors could significantly impact the trajectory of cyber security evolution:

  • Evolving threat landscape
  • Skills shortage
  • Regulatory compliance complexity

Organizations should monitor these factors closely and develop contingency strategies to mitigate potential negative impacts on technology implementation timelines.

Alternative Future Scenarios

The evolution of technology can follow different paths depending on various factors including regulatory developments, investment trends, technological breakthroughs, and market adoption. We analyze three potential scenarios:

Optimistic Scenario

Rapid adoption of advanced technologies with significant business impact

Key Drivers: Supportive regulatory environment, significant research breakthroughs, strong market incentives, and rapid user adoption.

Probability: 25-30%

Base Case Scenario

Measured implementation with incremental improvements

Key Drivers: Balanced regulatory approach, steady technological progress, and selective implementation based on clear ROI.

Probability: 50-60%

Conservative Scenario

Technical and organizational barriers limiting effective adoption

Key Drivers: Restrictive regulations, technical limitations, implementation challenges, and risk-averse organizational cultures.

Probability: 15-20%

Scenario Comparison Matrix

Factor                     Optimistic        Base Case      Conservative
Implementation Timeline    Accelerated       Steady         Delayed
Market Adoption            Widespread        Selective      Limited
Technology Evolution       Rapid             Progressive    Incremental
Regulatory Environment     Supportive        Balanced       Restrictive
Business Impact            Transformative    Significant    Modest

Transformational Impact

Technology is becoming increasingly embedded in all aspects of business operations. This evolution will necessitate significant changes in organizational structures, talent development, and strategic planning processes.

The convergence of multiple technological trends—including artificial intelligence, quantum computing, and ubiquitous connectivity—will create both unprecedented security challenges and innovative defensive capabilities.

Implementation Challenges

Technical complexity and organizational readiness remain key challenges. Organizations will need to develop comprehensive change management strategies to successfully navigate these transitions.

Regulatory uncertainty, particularly around emerging technologies like AI in security applications, will require flexible security architectures that can adapt to evolving compliance requirements.

Key Innovations to Watch

Artificial intelligence, distributed systems, and automation technologies are leading innovation. Organizations should monitor these developments closely to maintain competitive advantages and effective security postures.

Strategic investments in research partnerships, technology pilots, and talent development will position forward-thinking organizations to leverage these innovations early in their development cycle.

Technical Glossary

Key technical terms and definitions to help understand the technologies discussed in this article.

Understanding the following technical concepts is essential for grasping the full implications of the security threats and defensive measures discussed in this article. These definitions provide context for both technical and non-technical readers.


ransomware (beginner)

Ransomware typically encrypts victim data using strong cryptographic algorithms, making recovery impossible without the decryption key. Advanced variants now also exfiltrate data before encryption, enabling double-extortion tactics.
Example: The REvil ransomware group leveraged a supply chain attack against Kaseya VSA to deploy ransomware to thousands of organizations simultaneously, demanding a $70 million ransom payment.

phishing (beginner)

Modern phishing attacks are increasingly sophisticated, often leveraging AI to create convincing spear-phishing campaigns that target specific individuals with personalized content that appears legitimate.
Figure: Phishing attack flow (anatomy of a typical phishing attack)
Example: Business Email Compromise (BEC) attacks are sophisticated phishing campaigns where attackers impersonate executives to trick employees into transferring funds or sensitive information.

API (beginner)

APIs serve as the connective tissue in modern software architectures, enabling different applications and services to communicate and share data according to defined protocols and data formats.
Figure: API concept visualization (how APIs enable communication between different software systems)
Example: Cloud service providers like AWS, Google Cloud, and Azure offer extensive APIs that allow organizations to programmatically provision and manage infrastructure and services.

SIEM (intermediate)

scalability (intermediate)

platform (intermediate)

Platforms provide standardized environments that reduce development complexity and enable ecosystem growth through shared functionality and integration capabilities.

malware (beginner)

Malware can take many forms including viruses, worms, trojans, ransomware, spyware, adware, and rootkits. Modern malware often employs sophisticated evasion techniques to avoid detection by security solutions.
Figure: Types of malware (common malware types and their characteristics)
Example: The Emotet trojan began as banking malware but evolved into a delivery mechanism for other malware types, demonstrating how sophisticated malware can adapt and change functionality over time.

threat intelligence (intermediate)

SOC (intermediate)

zero-day (intermediate)

These vulnerabilities are particularly dangerous because defenders have no time to develop and deploy patches before exploitation occurs. They are highly valued in both offensive security markets and the criminal underground.
Figure: Zero-day vulnerability timeline (from vulnerability discovery to patch development)
Example: The SUNBURST attack exploited a zero-day vulnerability in SolarWinds Orion software, remaining undetected for months while compromising numerous government agencies and private organizations.

EDR (intermediate)

Unlike traditional antivirus, EDR solutions monitor and record system activities and events across endpoints, applying behavioral analysis and threat intelligence to detect sophisticated attacks.