DomainGuard

T-Mobile SMS Phishing (Smishing)

A T-Mobile themed smishing campaign that uses Cloudflare-fronted infrastructure to harvest credit card data and one-time password (OTP) codes through real-time fraud workflows.

T-Mobile themed smishing landing page on a mobile device showing a fake payment interface.
First Seen: 2026
Status: Active in the wild
Tags: Smishing, T-Mobile, Credit Card Theft, OTP Harvesting, Cloudflare, Fraud Kit

What it is

T-Mobile SMS phishing, or smishing, is a social engineering attack delivered by text message: victims receive an SMS that appears to come from T-Mobile, typically warning of a failed payment or an urgent account update and pointing to a lookalike domain. The campaign exists to harvest payment card data and one-time password (OTP) codes in real time, while the victim is still on the page.

The kit identified in this campaign combines Cloudflare fronting, client-side victim fingerprinting and an obfuscated frontend to evade automated detection and to get the most value out of each stolen card. Placing the servers behind Cloudflare gives the attackers a valid TLS certificate on the lookalike host, resilience against takedown and abuse reports, and hides the origin IP, which complicates efforts to identify the true hosting provider.

How it works

  1. Lure and Redirect. The victim receives an SMS with a link to a campaign-specific URL, such as t-mobile[.]dxzlc[.]cc/pay?qr=<token>. The qr parameter acts as a tracking token to identify specific victims or campaigns. Upon clicking, the victim is redirected to a clean /pay/ path.

  2. Victim Fingerprinting. Before rendering the phishing page, the kit's frontend calls a third-party lookup service (ipinfo.io/json) to obtain the visitor's IP address, geolocation and ASN. This is typically used to filter out bots and security researchers (for example visitors arriving from hosting-provider or security-vendor ASNs) and to confirm that the visitor is in the targeted region before the lure is shown.

  3. Click Logging. The visit is logged to the attacker’s backend via a POST /api/open/addClick request, which lets the phisher track the conversion rate of the campaign in real time.

  4. Fake Payment Interface. The victim is presented with a pixel-perfect T-Mobile checkout page. Instead of a legitimate payment processor, the card data is sent directly to the phisher’s API:

    T-Mobile themed smishing landing page showing a fake payment interface.
    • POST /api/open/addCvv

  5. BIN Enrichment. As the victim types the card number, the kit issues a POST /api/bin/query to look up the issuing bank, brand and card level (debit, credit, prepaid, commercial). A BIN lookup does not prove that the card is valid, but it lets the attacker triage submissions in real time and prioritize high-value cards such as corporate or premium products.

  6. Real-Time OTP Harvesting. The flow concludes by prompting the victim for an SMS OTP. While the victim waits on the page, the attacker uses the card elsewhere, which triggers a code from the bank to the victim's phone; the code the victim types into the page is relayed and used within its short validity window. This is the step that makes modern fraud workflows possible, such as provisioning the stolen card into a digital wallet (Apple Pay/Google Pay) or bypassing MFA for an account takeover.

    Real-time OTP prompt presented after the credit card data is captured.

Why it still works

  • Urgency and Trust. Using a well-known brand like T-Mobile creates a sense of urgency. Victims are often caught off guard by “payment failed” notifications and act quickly to avoid service interruption.
  • Mobile Context. SMS carries far less anti-phishing tooling than corporate email, and the mobile browser's address bar truncates long hostnames, so the victim sees t-mobile and not the unrelated registrable domain it is a subdomain of. Checking the certificate does not help either: Cloudflare terminates TLS for the lookalike host, so the padlock is present.
  • Real-Time Interaction. Because the OTP is harvested while the victim is still on the site, the attacker can use the stolen card data and code immediately, often before the victim or the bank realizes a theft has occurred.

Signals to watch for

  • Suspicious Domains. T-Mobile billing links resolve to the carrier's own domain, not to a brand-named subdomain of a throwaway registration on .cc, .top or similar TLDs. The registrable domain, not the leftmost label, is what identifies the site.
  • Requests for OTPs on Payment Pages. Legitimate payment flows may trigger a 3-D Secure challenge, but that challenge is hosted by the card issuer; no genuine flow asks you to paste an SMS code into a third-party page to “verify” a T-Mobile account.
  • Unexpected “Verification” Steps. T-Mobile does not require you to complete a checkout flow to fix a general account “error” sent via text message.
  • Infrastructure Signals. Traffic to backend API paths like /api/open/addCvv or /api/bin/query on non-standard domains is a high-confidence indicator of a phishing kit in operation.
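The following is an added example, not code from this page or from the kit, that turns the flow described under “How it works” and the signals listed above into a detection pass over web-proxy logs. It flags the lookalike host pattern (a brand label on a registrable domain that is not the brand's own), the /pay?qr= lure URL, the fingerprinting call and the backend API paths listed on this page, weights each signal and aggregates the score per client. The log line format, the weights, the threshold, the legitimate-domain set and the sample traffic are assumptions of this example.

```python
"""Scan web-proxy logs for the T-Mobile smishing kit's request sequence.

Added example for this page, not code from DomainGuard or from the kit.
The log line format, signal weights, threshold and sample traffic are
constructed for illustration; the API paths are the ones listed on the page.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Backend paths from the page, weighted by how specific they are to the kit
# (weights are an assumption of this example).
KIT_PATHS = {
    "/api/open/getSyncSettings": 2,
    "/api/open/addClick": 2,
    "/api/bin/query": 3,
    "/api/open/getPendingInstruction/": 4,
    "/api/open/addCvv": 5,  # card data exfiltration: high confidence on its own
}
FINGERPRINT_HOSTS = {"ipinfo.io"}  # third-party geo/ASN lookup used to filter bots
LEGIT_REGISTRABLE = {"t-mobile.com"}  # assumption: the brand's own domain
HIGH_CONFIDENCE = 5

# Constructed format: "<client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def registrable_domain(host):
    """Last two labels of the host. Enough for a two-label .cc name like the
    one on the page; a production check should consult the Public Suffix
    List so that hosts under e.g. .co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host):
    """The brand appears in the host but the registrable domain is not the
    brand's own, e.g. t-mobile.dxzlc.cc (registrable domain dxzlc.cc)."""
    host = (host or "").lower()
    return "t-mobile" in host and registrable_domain(host) not in LEGIT_REGISTRABLE


def classify_request(method, url):
    """Score one request; returns (score, reasons)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    score, reasons = 0, []
    if is_lookalike(host):
        score += 3
        reasons.append("lookalike host " + host)
    if host in FINGERPRINT_HOSTS:
        score += 1  # weak alone: legitimate apps call this service too
        reasons.append("client-side fingerprinting call")
    # Step 1 of the flow: /pay?qr=<token> lure URL
    if parts.path.rstrip("/") == "/pay" and "qr" in parse_qs(parts.query):
        score += 2
        reasons.append("lure URL with qr tracking token")
    # Steps 3-6: the kit's backend API
    weight = KIT_PATHS.get(parts.path)
    if weight:
        score += weight
        reasons.append(method + " " + parts.path)
    return score, reasons


def scan(log_lines):
    """Aggregate scores per client: {client: (score, [reasons])}."""
    totals = defaultdict(lambda: [0, []])
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        score, reasons = classify_request(m["method"], m["url"])
        if score:
            totals[m["client"]][0] += score
            totals[m["client"]][1].extend(reasons)
    return {c: (s, r) for c, (s, r) in totals.items()}


def flagged_clients(log_lines, threshold=HIGH_CONFIDENCE):
    """Clients whose aggregate score reaches the threshold."""
    return sorted(c for c, (s, _) in scan(log_lines).items() if s >= threshold)


# Constructed sample: 10.0.0.5 walks through the whole kit flow, 10.0.0.9
# visits the real site, 10.0.0.7 hits an unrelated API with a colliding path.
SAMPLE_LOG = """
10.0.0.5 GET https://t-mobile.dxzlc.cc/pay?qr=abc123 302
10.0.0.5 GET https://t-mobile.dxzlc.cc/pay/ 200
10.0.0.5 GET https://ipinfo.io/json 200
10.0.0.5 POST https://t-mobile.dxzlc.cc/api/open/addClick 200
10.0.0.5 POST https://t-mobile.dxzlc.cc/api/bin/query 200
10.0.0.5 POST https://t-mobile.dxzlc.cc/api/open/addCvv 200
10.0.0.5 GET https://t-mobile.dxzlc.cc/api/open/getPendingInstruction/ 200
10.0.0.9 GET https://www.t-mobile.com/account 200
10.0.0.7 POST https://intranet.example.org/api/bin/query 200
""".strip().splitlines()

if __name__ == "__main__":
    for client, (score, reasons) in sorted(scan(SAMPLE_LOG).items()):
        verdict = "FLAG" if score >= HIGH_CONFIDENCE else "low"
        print(f"{client} {verdict} score={score} {reasons}")
```

Only the victim client crosses the threshold: the legitimate t-mobile.com visit scores nothing, and the unrelated internal API that happens to expose an /api/bin/query path stays below it, which is why the generic paths carry lower weight than addCvv and why the host check is combined with the path check rather than either being used alone.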

Why it appears here

T-Mobile smishing is a high-volume threat that consistently targets consumer mobile users. This specific kit highlights the move toward “API-driven” phishing, where the frontend is a thin wrapper around a malicious backend that handles everything from victim tracking to real-time data enrichment. We monitor these campaigns to track the evolution of the underlying kits and to provide early warning for lookalike infrastructure.

Indicators of compromise

Domains

  • t-mobile[.]dxzlc[.]cc

Backend API paths (observed on the kit host)

  • /api/open/getSyncSettings
  • /api/open/addClick
  • /api/open/addCvv
  • /api/bin/query
  • /api/open/getPendingInstruction/

Technical Artifacts

  • Server Header: cloudflare. The origin server sits behind Cloudflare, so the header reveals nothing about the real host; on its own it is not an indicator, since every Cloudflare-fronted site returns it, and it is useful only in combination with the domain and API path signals above.
  • Frontend Framework: a common single-page-application framework (Vue or React) with the bundle obfuscated, so signature matching on library fingerprints alone does not identify the kit; the backend API paths are the stable artifact.