A financially motivated threat group operating out of China is exploiting people’s trust in well-known multinational brands to run a large-scale phishing campaign that dates back to at least 2019. The actor, dubbed Fangxiao by Cyjax, is said to have registered more than 42,000 imposter domains, with its earliest observed activity in 2017.
“It targets businesses in multiple verticals including retail, banking, travel, and energy,” researchers Alana Witten and Emily Dennison said. “Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp.”
Users who click on links received through WhatsApp are sent to an actor-controlled site, which redirects them to a landing domain impersonating a well-known brand, from which they are redirected again to sites offering fake apps and rewards. These sites invite the victim to complete a survey to win a cash prize and, to qualify, ask them to forward the message to five groups or 20 contacts, which is what keeps the campaign spreading. Which site the victim finally lands on depends on their IP address and the browser’s User-Agent string.
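The IP- and User-Agent-dependent redirect described above is a cloaking technique, and the practical way to see where such a link really leads is to fetch it with several User-Agent strings and record every hop rather than let the HTTP client collapse the chain. The following is an added example written for this page, not code from Cyjax or from the campaign: it stands up a constructed local redirector that imitates the behaviour (branching on the User-Agent only; the hypothetical paths /android-app, /affiliate and /survey are placeholders, and the IP-based branch is omitted because it needs geolocation data) and a hop-by-hop chain walker that probes it.

```python
"""Walk a cloaked redirect chain under several User-Agent strings.

Added example for this page (not Cyjax's or the campaign's code). The server
below is a constructed stand-in for an actor-controlled redirector; its
destination paths are hypothetical placeholders, not real domains.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed cloaking policy: which landing page each client class gets.
DESTINATIONS = {
    "android": "/android-app",  # stands in for a malicious app / Play listing
    "iphone": "/affiliate",     # stands in for an affiliate link
    "default": "/survey",       # the fake survey / reward page
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class CloakingHandler(BaseHTTPRequestHandler):
    """Redirector that branches on the User-Agent header only. A real campaign
    also keys on the client IP; that branch cannot be demonstrated offline."""

    def do_GET(self):
        if self.path == "/click":
            ua = self.headers.get("User-Agent", "").lower()
            if "android" in ua:
                target = DESTINATIONS["android"]
            elif "iphone" in ua:
                target = DESTINATIONS["iphone"]
            else:
                target = DESTINATIONS["default"]
            self.send_response(302)
            self.send_header("Location", target)
            self.end_headers()
        else:
            body = f"landing page {self.path}\n".encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_cloaking_server():
    """Start the constructed redirector on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def follow_chain(url, user_agent, max_hops=10):
    """Return every URL visited, following redirects one hop at a time.

    http.client does not auto-follow redirects, so each intermediate hop is
    recorded instead of being collapsed by the client.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(url)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        try:
            conn.request("GET", path, headers={"User-Agent": user_agent})
            resp = conn.getresponse()
            resp.read()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
    raise RuntimeError(f"more than {max_hops} hops; probable redirect loop")


def probe_redirector(entry_url, user_agents):
    """Map each User-Agent string to the final URL it ends up at."""
    return {ua: follow_chain(entry_url, ua)[-1] for ua in user_agents}


# Constructed User-Agent strings for the three client classes.
USER_AGENTS = [
    "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 Chrome/107.0 Mobile Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/107.0 Safari/537.36",
]

if __name__ == "__main__":
    server, base = start_cloaking_server()
    try:
        for ua, final in probe_redirector(base + "/click", USER_AGENTS).items():
            print(f"{ua[:40]:<40} -> {final}")
    finally:
        server.shutdown()
        server.server_close()
```

Against a live suspicious link, point follow_chain at the real URL and run it from several source IPs (or a VPN exit in the targeted country) as well as several User-Agents, since the campaign keys on both; a chain that diverges by client is itself a useful indicator of cloaking.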
According to the researchers, more than 400 brands, including Emirates, Coca-Cola, Shopee, Indomie, McDonald’s, Unilever, and Knorr, are impersonated in the scheme. Alternatively, when the malicious mobile advertisement is clicked from an Android device, the chain has been observed to end with the deployment of the Triada mobile trojan, which was recently found spreading through fake WhatsApp applications.
Another destination of the campaign, besides Triada, is the Google Play Store listing for “App Booster Lite – RAM Booster” (com.app.booster.lite.phonecleaner.batterysaver.cleanmaster), which has more than 10 million downloads. The app, developed by LocoMind, a company based in the Czech Republic, is marketed as a “Smart Junk Cleaner,” “Powerful Phone Booster,” and “Effective Battery Saver.” Reviews of the app criticise the publisher for showing too many advertisements, with some reviewers noting that they “Arrived here [the Play Store page] from one of those ‘your android is damaged x%’ ads.”
LocoMind responded to the review on October 31, 2022, stating that its app cannot spread viruses and that Google Play checks each of its updates, otherwise the app would have been removed long ago.

If the same ad is clicked from an iOS device, the victim is instead sent to Amazon via an affiliate link, earning the actor a commission on any purchase made on the store within the next 24 hours.
The actor’s links to China rest on the presence of Mandarin-language content in a web service connected to aaPanel, an open-source Python-based control panel for hosting multiple websites. Analysis of the TLS certificates issued to the survey domains in 2021 and 2022 also shows that most were issued at times that fall between 9:00 a.m. and 11:00 p.m. in the UTC+08:00 time zone, which corresponds to China Standard Time.
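The time-zone inference from certificate issuance times described above can be reproduced as follows. This is an added example with constructed timestamps, not Cyjax’s dataset or tooling: it scores every whole-hour UTC offset by how many notBefore times fall inside a 09:00 to 23:00 working window and reports the best fit. In practice the notBefore values would be read from the certificates themselves (for example with `openssl x509 -noout -startdate`), and a UTC+08:00 result on its own is consistent with several countries besides China, so it supports rather than proves the attribution.

```python
"""Score candidate UTC offsets against a working-hours window using TLS
certificate notBefore times.

Added example for this page with constructed timestamps; it is not Cyjax's
dataset or tooling. Only whole-hour offsets are tried.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 23  # 09:00 <= local hour < 23:00, per the observation above


def from_utc_string(s):
    """Parse an ISO-8601 UTC string such as '2022-03-01T01:17:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hours(timestamps, utc_offset_hours):
    """Hour of day of each tz-aware UTC timestamp in the candidate zone."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return [ts.astimezone(zone).hour for ts in timestamps]


def working_fraction(timestamps, utc_offset_hours, start=WORK_START, end=WORK_END):
    """Fraction of issuances that fall inside the working window in that zone."""
    hours = local_hours(timestamps, utc_offset_hours)
    return sum(start <= h < end for h in hours) / len(hours)


def best_offset(timestamps, start=WORK_START, end=WORK_END):
    """Whole-hour offset (-12..+14) that puts the most issuances in the window."""
    scores = {off: working_fraction(timestamps, off, start, end) for off in range(-12, 15)}
    best = max(scores, key=scores.get)
    return best, scores[best]


def hour_histogram(timestamps, utc_offset_hours):
    """Issuance count per local hour; a run of empty hours marks the operator's night."""
    return Counter(local_hours(timestamps, utc_offset_hours))


def constructed_sample():
    """Invented notBefore values: 30 days of issuances clustered in UTC 01:00-14:59
    (09:00-22:59 at UTC+8) plus three off-hours outliers at UTC 20:05."""
    stamps = []
    for day in range(30):
        for hour in (1, 3, 5, 7, 9, 11, 13, 14):
            stamps.append(datetime(2022, 3, 1, hour, 17, tzinfo=timezone.utc) + timedelta(days=day))
    for day in (4, 12, 25):
        stamps.append(datetime(2022, 3, 1, 20, 5, tzinfo=timezone.utc) + timedelta(days=day))
    return stamps


if __name__ == "__main__":
    sample = constructed_sample()
    offset, fraction = best_offset(sample)
    print(f"best fit UTC{offset:+03d}: {fraction:.1%} of issuances inside "
          f"{WORK_START:02d}:00-{WORK_END:02d}:00")
    for hour, count in sorted(hour_histogram(sample, offset).items()):
        print(f"{hour:02d}:00 {'#' * count}")
```

The histogram is worth printing alongside the score: a clean block of empty hours is much more convincing than a marginally higher fraction, and the method says nothing about half-hour zones or about operators who work unusual hours.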
According to the researchers, the operators are experienced at running these impersonation campaigns, willing to adapt their tactics to achieve their goals, and technically and logistically capable of scaling the operation. The Fangxiao campaigns are effective lead-generation schemes that funnel victims to a range of destinations, including malware, referral links, advertisements, and adware.