Threat intelligence firm Cyjax discovered over 42,000 domains registered since 2017 that are used in phishing scams impersonating reputable companies' brands.
Cyjax attributed this coordinated campaign to a threat actor named ‘Fangxiao’ based in China, whose primary goal is to earn advertising revenue and spread malware.
Brand impersonation phishing scams aggressively cycle through domains
The threat actor employs various tactics to maintain anonymity, including changing domains regularly. In a single day in October 2022, the scammer registered 300 new brand impersonation domains. Since March 2022, the fraudster has registered 24,000 brand impersonation domains to promote their phishing scams.
The group uses Cloudflare's domain protection services to obscure the infrastructure behind the malicious domains.
The brand impersonation sites are usually registered through GoDaddy, Namecheap, and Wix, using the .top (67%), .cn (14%), .cyou (7.6%), .xyz (2.9%), .work (1.6%), .tech (1%), and other TLDs.
The researchers also uncovered a Mandarin phishing site that has been operating since 2020.
“We were then able to identify the IP address hosting a Fangxiao site that had been online since at least 2020. Browsing to this service showed us a page written in Mandarin,” Cyjax wrote.
The researchers also identified two Google Tag codes reused thousands of times across domains, thus linking the websites to a single operator.
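The pivot described above, as an added example that is not part of the Cyjax report: extract Google tag identifiers (gtag, Tag Manager, and legacy Universal Analytics IDs) from saved page sources and group domains that share one, which is how an analyst links separately registered sites to one operator. The domain names and tag IDs below are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed page sources for hypothetical domains (placeholders, not real sites).
# The tag IDs are made up; in practice they come from each site's HTML.
SAMPLE_PAGES = {
    "prize-brand-a.example": (
        '<script async src="https://www.googletagmanager.com/gtag/js'
        '?id=G-CONSTRUCT01"></script>'
    ),
    "prize-brand-b.example": "<script>gtag('config', 'G-CONSTRUCT01');</script>",
    "survey-hub.example": "<script>(function(w,d,s,l,i){})(window,document,"
                          "'script','dataLayer','GTM-CONSTRUCT2');</script>",
    "prize-brand-c.example": "<script>ga('create', 'UA-123456-7', 'auto');</script>",
    "unrelated-shop.example": "<html><body>no tracking tags here</body></html>",
}

# Formats of the Google tag IDs worth pivoting on: gtag measurement IDs (G-),
# Tag Manager containers (GTM-), Universal Analytics (UA-) and Ads (AW-).
TAG_PATTERN = re.compile(
    r"\b(G-[A-Z0-9]{4,}|GTM-[A-Z0-9]{4,}|UA-\d{4,}-\d+|AW-\d{6,})\b"
)


def extract_tags(html: str) -> set[str]:
    """Return every Google tag ID found in one page source."""
    return set(TAG_PATTERN.findall(html))


def index_by_tag(pages: dict[str, str]) -> dict[str, set[str]]:
    """Build an inverted index: tag ID -> domains whose pages embed it."""
    index: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tag in extract_tags(html):
            index[tag].add(domain)
    return dict(index)


def shared_tags(pages: dict[str, str], min_domains: int = 2) -> dict[str, list[str]]:
    """Keep only tag IDs reused across at least `min_domains` domains;
    each such ID is a candidate link to a single operator."""
    return {
        tag: sorted(domains)
        for tag, domains in index_by_tag(pages).items()
        if len(domains) >= min_domains
    }


if __name__ == "__main__":
    for tag, domains in shared_tags(SAMPLE_PAGES).items():
        print(f"{tag} is reused by: {', '.join(domains)}")
```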
Chinese phishing scams spread via WhatsApp messages
The phishing campaign started in 2017 on a now-defunct website and involves sending phishing links via WhatsApp messages telling the victims that they have won a prize. The phishing scams likely target victims outside China, since the Chinese Communist Party (CCP) has banned WhatsApp in the country.
Upon clicking, the link redirects the target to landing pages impersonating popular brands across various industries such as retail, banking, travel, energy, and pharmaceuticals.
The threat actor has impersonated at least 400 brands, including Emirates, Unilever, Shopee (Singapore), Indomie (Indonesia), Coca-Cola, McDonald’s, and Knorr.
According to the researchers, the landing domain redirects the victims to the main survey domain, which takes them through various advertising sites before landing on a “Complete registration” page. The survey page includes a timer to increase urgency and pressure the victim into completing the steps in order to claim their prize.
Before claiming their reward, victims with an Android user agent are sometimes instructed to download an app containing the Triada malware. Cyjax believes the phishing scams have likely resulted in a significant number of infections.
The redirection chain depends on the user’s geographical region and user agent and includes suspicious adverts from affiliate links, dating sites, and SMS micropayment scams.
The researchers found various psychological tricks at play, such as fake prizes, COVID-19 relief funds, employment opportunities, free laptops and iPhones, spinning games, and dating, among others.
Tim Helming, Cybersecurity Evangelist at DomainTools, said that brand impersonation domains not only influenced users to fall for phishing scams but also negatively affected the company’s reputation.
“Creating spoofed domains of well-known brands not only tricks users into clicking on malicious sites, but it can also negatively affect a company’s brand reputation and relationship with its customers,” Helming said. “One in six products sold today on the web are counterfeit, and each month over 150 brands are hijacked in phishing attacks.”
Adware, benign applications, and suspicious websites
Another app featured in the campaign is ‘App Booster Lite – RAM Booster,’ which serves a barrage of intrusive and hard-to-close adverts and requests intrusive permissions, although it does not exhibit any malicious behavior.
The utility app (10 million downloads and a 4.4-star rating) is developed by Locomind, the owner of the locomind[.]net domain hosted by Hetzner Online GmbH. The German hosting provider hosts 15 other domains, mostly adult sites, and provides website anonymity services, which calls the developer’s credibility into question. The same IP address also hosts another development agency whose app serves ads from 31 advertising services, including IronSource, which has previous ties to malware.
Another app developer hosted on Hetzner’s IP address (matchlab[.]me) has apps with many negative reviews on Google Play Store, claiming they are scams. Other sites hosted on Hetzner promise to increase traffic on your website and offer app revenue and pay-for-click services.
Cyjax suggested that the questionable utility apps linked to the brand impersonation phishing scams are either benign or purely adware.
The researchers warned that ‘Fangxiao’ was experienced and determined to achieve their objectives and could technically and logistically scale their enterprise.
“The Fangxiao campaigns are effective lead generation methods which have been redirected to various domains, from malware to referral links, to ads and adware.”