A Chinese hacking group known as "Fangxiao" is using thousands of imposter domains to target victims in a widespread phishing campaign.

Thousands at Risk of Fangxiao Phishing Campaign

A massive phishing campaign operated by Chinese hacking group "Fangxiao" is putting thousands of people at risk. This campaign has used 42,000 imposter domains to facilitate phishing attacks. These imposter domains are designed to redirect users to adware (advertising malware) apps, giveaways, and dating sites.

Cyjax, a cybersecurity and threat solutions company, discovered the 42,000 phony domains used in this campaign. In a Cyjax blog post by Emily Dennison and Alana Witten, the scam was described as sophisticated, with the ability to "exploit the reputation of international, trusted brands in multiple verticals including retail, banking, travel, pharmaceuticals, travel and energy".

The scam begins with a malicious WhatsApp message, wherein a trusted brand is impersonated. Examples of such brands include Emirates, Coca-Cola, McDonald's, and Unilever. This message provides the recipient with a link to a webpage that is given a sense of allure. The redirection site is dependent on the IP address of the target, as well as their user agent.

For example, McDonald's may be claiming to do a free giveaway. When the victim completes their registration to the giveaway, the download of the Triada Trojan malware can be triggered. Malware can also be installed upon the download of a specific app, which victims are told to install to continue taking part in the giveaway.

Attackers Protected by CloudFlare

you've been hacked message showing on laptop screen

Cyjax noted in its blog post regarding this campaign that Fangxiao's infrastructure is mostly protected by CloudFlare, an American Content Delivery Network (CDN). It was also noted that the imposter domains were created on GoDaddy, Namecheap, and Wix, with their names being rotated on a frequent basis.

The majority of these phishing domains were registered with .top, with the remainder being mostly registered with .cn, .cyou, .xyz, .tech, and .work.

The Fangxiao Group Is Nothing New

The Fangxiao hacking group has been around for some time. The domains being used in this campaign were first noticed by Cyjax in 2019, and have been increasing in number ever since. In October 2022, over 300 unique domains were added by Fangxiao in the space of just one day.

The group is not 100% confirmed to be based in China, but Cyjax has determined this location with a high level of confidence. One indicator of this is the use of Mandarin in one of the group's exposed control panels. Cyjax also speculated that the goal of the campaign is likely to be monetary gain.

Phishing Campaigns Are on the Rise

Phishing is one of the most popular cybercrime tactics out there today, and can come in a variety of forms. It can be tricky to spot phishing attacks, especially those that are highly sophisticated. Spam filters and antivirus programs can be used to mitigate phishing attacks, though it's still important to trust your gut and avoid any communications that don't seem quite right.