“Fangxiao,” a malicious for-profit company, has created a vast network of over 42,000 domains that imitate well-known companies to direct people to websites pushing adware, dating sites, or “free” gifts.
The fake domains appear to be part of a substantial traffic-generating operation that brings in advertising revenue for Fangxiao’s own websites or more visitors for the group’s “clients.”
The threat actors are based in China, claims a thorough report by Cyjax. Since 2017, they have impersonated over 400 well-known brands in the retail, banking, travel, medicines, transportation, financial, and energy sectors.
In addition, the campaign’s organizers use pretty standard baits; one particularly pertinent example is how they have attempted to capitalize on fears about the COVID-19 epidemic.
How Does Fangxiao Operate?
Fangxiao employs various techniques to preserve its anonymity, including protecting the majority of its infrastructure using Cloudflare and quickly switching domain names. In October 2022, the group employed over 300 new, distinctive domains.
The majority of these websites use the “.top” TLD, followed by:
- “.cn”
- “.cyou”
- “.xyz”
- “.work”
- “.tech”
In addition, the websites, which are registered with GoDaddy, Namecheap, and Wix, are protected by Cloudflare.
Users are sent to a Fangxiao-controlled website via a link in a WhatsApp message, which directs them to a landing domain that impersonates a reputable, well-known company. Over 400 brands are being copied, and the number is steadily increasing. Emirates, Shopee in Singapore, Unilever, Indomie in Indonesia, Coca-Cola, McDonald’s, and Knorr are just a few of the companies impacted.
The victims are then redirected to the primary survey domain. When they click the link there, they pass through some advertising websites and are sent to one of several frequently changing destinations. Sometimes, clicking the “Complete registration” button while using an Android user agent will download the Triada malware.
The site instructs users to download the app, which has probably led to a sizable number of infections because victims are invested in the scam and eager to receive their “reward.”
The landing pages also host ylliX advertisements, which have been flagged as “suspicious” by Google and Facebook, and clicking on them results in a separate redirection chain.
The Play Store page of the ‘App Booster Lite – RAM Booster’ app, a performance booster for Android devices with over 10 million downloads, is another observed Fangxiao campaign destination.
According to Cyjax, the app does not have malicious functionality. Still, it asks users to approve access to risky permissions and serves an above-average amount of ads via difficult-to-close popups.
LocoMind, the app’s publisher, shares an IP address with another app developer named Holacode, who has previously been linked to adware distribution.
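The TLD list and the brand impersonation described above can be turned into a simple triage pass over web proxy or DNS logs. The following Python sketch is an added example, not code from Cyjax or Heimdal; the log format, the sample hostnames, and the allowlist of legitimate brand domains are assumptions made for illustration.

```python
import re
from collections import defaultdict

WATCH_TLDS = {"top", "cn", "cyou", "xyz", "work", "tech"}  # TLDs listed in the article
# Brands named in the article -> legitimate domain (assumed allowlist; verify locally)
BRANDS = {"emirates": "emirates.com", "shopee": "shopee.sg", "unilever": "unilever.com",
          "cocacola": "coca-cola.com", "mcdonalds": "mcdonalds.com", "knorr": "knorr.com"}

# Constructed sample proxy log, one request per line: "<time> <client> <host>"
SAMPLE_LOG = """\
2022-10-03T09:14:02Z 10.0.0.15 emirates-gift.constructed-sample.top
2022-10-03T09:14:05Z 10.0.0.15 www.emirates.com
2022-10-03T09:15:40Z 10.0.0.22 coca-cola.rewards.constructed-sample.xyz
2022-10-03T09:16:11Z 10.0.0.22 blog.constructed-sample.tech
2022-10-03T09:17:30Z 10.0.0.15 mcdonalds.constructed-sample.cyou
2022-10-03T09:18:02Z 10.0.0.31 news.constructed-sample.org
"""

def classify(host):
    """Return the reasons a hostname resembles the lure domains described above."""
    host = host.lower().rstrip(".")
    tld = host.rsplit(".", 1)[-1]
    reasons = [f"tld:.{tld}"] if tld in WATCH_TLDS else []
    squashed = re.sub(r"[^a-z]", "", host)  # drop dots, hyphens, digits: coca-cola -> cocacola
    for brand, legit in BRANDS.items():
        on_legit_domain = host == legit or host.endswith("." + legit)
        if brand in squashed and not on_legit_domain:
            reasons.append(f"brand:{brand}")
    return reasons

def triage(log_text):
    """Group flagged hosts per client; 'high' means a brand token on a watched TLD."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, host = parts[1], parts[2]
        reasons = classify(host)
        if not reasons:
            continue
        kinds = {r.split(":")[0] for r in reasons}
        severity = "high" if kinds == {"tld", "brand"} else "low"
        findings[client].append((host.lower(), severity, reasons))
    return dict(findings)

if __name__ == "__main__":
    for client, hits in triage(SAMPLE_LOG).items():
        print(client, hits)
```

A watched TLD on its own is only a weak signal, so those hits are kept at low severity for correlation with other evidence such as a messaging-app referrer or a newly registered domain.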
Key Takeaway
Phishing attacks are becoming more common around the world. These operations provide cybercriminals with an easy way to generate revenue, steal credentials, and spread malware.
Fangxiao is a refined, large-scale phishing campaign that leverages the public image of well-known international brands and benchmark businesses in various industries, including retail, banking, travel, pharmaceuticals, and energy.
How Can Heimdal™ Help?
Because email is used to deliver the vast majority of phishing attacks, Heimdal™ Email Security is essential to your spam filter.
It’s a revolutionary malware protection system that protects your digital communications with more security vectors than any other platform on the market. It is lightweight and easy to set up, and it includes advanced spam filtering that detects and removes malicious attachments, scans infected IPs and domains and recognizes malicious links.
You can use it with Heimdal™ Email Fraud Prevention to close any gaps in your email security. In addition, you can significantly enhance phishing prevention with over 125 vectors and a live monitoring team.