Fangxiao targets reputable companies with phishing scams

Share post:

A malicious group known as “Fangxiao,” which means “imitate” in Chinese, has created a vast network of more than 42,000 web domains that imitate and exploit the reputation of international, trusted brands by promising financial incentives to get victims to spread the campaign through WhatsApp.

Users are directed to a website controlled by Fangxiao via a link provided by WhatsApp. This message contains a link to the impersonated brand’s landing domain. To build credibility with victims, Fangxiao uses well-known, reputable brands, including consumer goods, pharmaceuticals, food, transport and financial services. Currently, more than 400 organizations are being imitated and the number is growing.

It dupes its victims with a phishing trick, then redirects them through a number of advertising companies, landing them in suspicious locations ranging from Android malware to fake gift card imposter scams.

On the last page, which is managed by Fangxiao, users see ads. When customers click on these ads, they are quickly redirected to a variety of different domains.

The researchers were directed to multiple domains using a UK IP address and Android user-agent before receiving a malicious APK. Virustotal identified this file as Triada, an Android malware. The site navigated to an Amazon affiliate link with an IP address from the United Kingdom and an iOS user agent. This allows whoever handled the last redirect to receive a commission for every Amazon purchase made with the same device for the next twenty-four hours, which could be a significant source of revenue.

It also registers approximately 300 new brand impersonation domains daily to generate massive traffic for its customers and its own sites. Most of these sites use the “.top” TLD, followed by “.cn, “.cyou”, “.xyz”, “.work”, and “.tech”. The sites are hidden behind Cloudflare and registered via GoDaddy, Namecheap and Wix.

Some of the spoofed brands include Coca-Cola, McDonald’s, Knorr, Unilever, Shopee, Emirates and more, with many counterfeit websites with extensive localization options, and its benefits include ads and fake recruitment sites.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways