Posted on November 19, 2022 at 6:42 PM
Financially-Motivated Threat Actors Use 42,000 Impostor Domains For Phishing Attacks
Researchers have discovered that a China-based financially motivated threat actor is taking advantage of the trust of popular international brands to launch phishing campaigns on unsuspecting victims. The group, called Fangxiao by Cyjax, has been carrying out large-scale phishing attacks since 2019, but their initial activity began in 2017. The actors have registered more than 42,000 fake domains.
“It targets businesses in multiple verticals including retail, banking, travel, and energy,” researchers Alana Witten and Emily Dennison commented about the activities of the hackers. The group is using physical or financial incentives to trick their victims and spread the campaign via WhatsApp.
The Threat Actors Redirect Victims To Malware-Infested Apps
Users that click on the link the actors sent via the messaging app are sent to a site controlled by the threat actors. From there, the users are redirected to a landing page that impersonates a very popular brand. The hackers do not stop there. They take the users from the landing page to sites that distribute fake rewards and fraudulent apps.
The sites ask the visitors to carry out a survey and claim cash prices by filling out the form on the survey. They are directed to send the message to 20 persons or five WhatsApp groups to claim their reward. Throughout this process, the hacker collects the browser’s User-Agent string and the victim’s IP address.
According to the report, over 400 organizations, including Indomie, Unilever, Shopee, Emirates, Knorr, McDonald’s, and Coca-Cola were being impersonated as part of the scheme.
The Threat Actors Are Also Deploying Mobile Trojan
The threat actors are also using scammy mobile ads, which the targets are deceived to click from their android devices. They are deploying a mobile Trojan known as Triada, which was recently discovered multiplying through fake WhatsApp apps.
Apart from Triada, other another malware-infested app called “App Booster Lits” has also been used by the threat actors to propagate their attacks. It was also listed on the Google Play Store, which makes it easier for people to download because of the credibility of the store. Researchers also noted that the malware-infested app already has more than 10 million downloads.
The app is designed by LocoMind, a Czechia-based developer. It is described as a strong phone booster. It’s also described as an “effective Battery Saver” and a “Smart Junk Cleaner.”
Some users of the app wrote reviews calling out the publisher for putting up so many ads. Some of them pointed out that they were directed to the app’s download page through one of those “your android is damaged” ads.
However, LocoMind responded to some of the reviews by saying the app does not spread viruses. “Each of our updates is checked by Google Play – they would have removed our app long ago for this reason,” the developer stated in one of the responses.
The Actors Also Earn Commissions Through Affiliate Links
Apart from redirecting the user to App store, some of the victims using iOS are redirected to Amazon’s affiliate link when they perform the same action the threat actors requested. This gives the threat actor a commission whenever a purchase is made by the user from the link within 24 hours.
The hackers’ China link comes from the use of Mandarin text in a web service connected to aaPanel. This is a control panel based on the Python programming language used for hosting multiple sites.
When the researchers analyzed the TLS certificates a bit further, they discovered that those issued to the survey domains last year and this year overlap with the UTC+8 time zone. This corresponds to China Standard Time.
The Actors Are Experienced In Impersonation Campaigns
The researchers added that the threat actors are well-versed in organizing these types of impostor campaigns. They are also prepared to use different methods to achieve their fraudulent aims. The hackers are sophisticated logistically and technically to expand their operations across several regions.
These Fangxiao campaigns have been effective for the threat actors, who are redirecting their victims to several places to avoid being identified. They are engaging in a broader campaign with the use of malware, various domains, adware, ad, and referral links.
Fangxiao registers more than 300 new impersonation domains daily to generate massive traffic for its customers and its own sites.
Since March this year, the threat actors have utilized over 24,000 landing and survey domains to promote their bogus campaign to their targets.
Most of the sites are registered via Wix, Namecheap, and GoDaddy, and hidden behind Cloudflare.