November 15, 2022
A malicious group known as “Fangxiao,” which means “imitate” in Chinese, has created a vast network of more than 42,000 web domains that imitate and exploit the reputation of international, trusted brands by promising financial incentives to get victims to spread the campaign through WhatsApp.
Users are directed to a website controlled by Fangxiao via a link provided by WhatsApp. This message contains a link to the impersonated brand’s landing domain. To build credibility with victims, Fangxiao uses well-known, reputable brands, including consumer goods, pharmaceuticals, food, transport and financial services. Currently, more than 400 organizations are being imitated and the number is growing.
It dupes its victims with a phishing trick, then redirects them through a number of advertising companies, landing them in suspicious locations ranging from Android malware to fake gift card imposter scams.
On the last page, which is managed by Fangxiao, users see ads. When customers click on these ads, they are quickly redirected to a variety of different domains.
The researchers were directed to multiple domains using a UK IP address and Android user-agent before receiving a malicious APK. Virustotal identified this file as Triada, an Android malware. The site navigated to an Amazon affiliate link with an IP address from the United Kingdom and an iOS user agent. This allows whoever handled the last redirect to receive a commission for every Amazon purchase made with the same device for the next twenty-four hours, which could be a significant source of revenue.
It also registers approximately 300 new brand impersonation domains daily to generate massive traffic for its customers and its own sites. Most of these sites use the “.top” TLD, followed by “.cn, “.cyou”, “.xyz”, “.work”, and “.tech”. The sites are hidden behind Cloudflare and registered via GoDaddy, Namecheap and Wix.
Some of the spoofed brands include Coca-Cola, McDonald’s, Knorr, Unilever, Shopee, Emirates and more, with many counterfeit websites with extensive localization options, and its benefits include ads and fake recruitment sites.
The sources for this piece include an article in BleepingComputer.
