Fangxiao targets reputable companies with phishing scams

Share post:

A malicious group known as “Fangxiao,” which means “imitate” in Chinese, has created a vast network of more than 42,000 web domains that imitate and exploit the reputation of international, trusted brands by promising financial incentives to get victims to spread the campaign through WhatsApp.

Users are directed to a website controlled by Fangxiao via a link provided by WhatsApp. This message contains a link to the impersonated brand’s landing domain. To build credibility with victims, Fangxiao uses well-known, reputable brands, including consumer goods, pharmaceuticals, food, transport and financial services. Currently, more than 400 organizations are being imitated and the number is growing.

It dupes its victims with a phishing trick, then redirects them through a number of advertising companies, landing them in suspicious locations ranging from Android malware to fake gift card imposter scams.

On the last page, which is managed by Fangxiao, users see ads. When customers click on these ads, they are quickly redirected to a variety of different domains.

The researchers were directed to multiple domains using a UK IP address and Android user-agent before receiving a malicious APK. Virustotal identified this file as Triada, an Android malware. The site navigated to an Amazon affiliate link with an IP address from the United Kingdom and an iOS user agent. This allows whoever handled the last redirect to receive a commission for every Amazon purchase made with the same device for the next twenty-four hours, which could be a significant source of revenue.

It also registers approximately 300 new brand impersonation domains daily to generate massive traffic for its customers and its own sites. Most of these sites use the “.top” TLD, followed by “.cn, “.cyou”, “.xyz”, “.work”, and “.tech”. The sites are hidden behind Cloudflare and registered via GoDaddy, Namecheap and Wix.

Some of the spoofed brands include Coca-Cola, McDonald’s, Knorr, Unilever, Shopee, Emirates and more, with many counterfeit websites with extensive localization options, and its benefits include ads and fake recruitment sites.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs



Related articles

Gartner debunks myths undermining cybersecurity success

Henrique Teixeira, Senior Director Analyst at Gartner, and Leigh McMullen, Distinguished VP Analyst at Gartner, highlighted and disproved...

Toyota discloses customer data breach

Toyota has disclosed that customer information from Japan and other countries in Asia and Oceania was publicly available...

Critical Vulnerability found in MOVEit

Progress Software has warned about a critical vulnerability in its popular file-transfer software, MOVEit, which could allow malicious...

Canadian Defence Minister concerned over increasing cyberattacks

Canadian Defence Minister Anita Anand has issued a warning that the country's key infrastructure is more vulnerable to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways