China-Based Campaign Uses 42,000 Phishing Domains

Security researchers have uncovered a sophisticated phishing campaign using tens of thousands of malicious domains to spread malware and generate advertising revenue.

Dubbed “Fangxiao,” the group directs unsuspecting users to the domains via WhatsApp messages telling them they’ve won a prize, according to security vendor Cyjax.

The phishing site landing pages apparently impersonate hundreds of well-known brands including Emirates, Unilever, Coca-Cola, McDonald’s and Knorr.

The victims will be redirected to advertising sites, which Fangxiao generates money from, en route to a fake survey where it's claimed they can win a prize. In some cases a malware download will be triggered during this process.

“Victims are then redirected to a main survey domain. When they click the link, they are sent through a series of advertising sites to one of a set of constantly changing destinations,” Cyjax explained in a blog post.

“A click on the ‘Complete registration' button with an Android user-agent will sometimes result in a download of the Triada malware. As victims are invested in the scam, keen to get their ‘reward,’ and the site tells them to download the app, this has likely resulted in a significant number of infections.”

This appears to be a complex and constantly evolving money-making exercise. Its operators have used other lures in the past, including COVID-19 themes, according to Cyjax.

The 42,000 domains registered by the group date back to 2019 and “continue to scale.” Infrastructure is protected behind Cloudflare and domain names are changed “regularly and quickly.” On a single day in October, the group used over 300 new unique domains.

Cyjax attributed the source of the scam campaign to China after de-anonymizing some of the domains and bypassing Cloudflare restrictions.

“We were then able to identify the IP address hosting a Fangxiao site that had been online since at least 2020. Browsing to this service showed us a page written in Mandarin,” the vendor claimed.

“In addition, analysis of the Fangxiao TLS certificates provided an interesting insight into the behavior of the group, further backing up our conviction that it is based in China. However, its use of WhatsApp implies targeting outside of China as the messaging service is banned by China’s Communist Party.”

What’s Hot on Infosecurity Magazine?