Security researchers at Cyjax have uncovered a highly sophisticated, large-scale phishing campaign in which the threat actors used as many as 42,000 phishing domains to distribute malware and gain ad revenue.
Cyjax researchers noted that the threat actors have links to China and have been active since 2017. So far, the attackers, identified as the Fangxiao group, have spoofed over 400 brands from the banking, retail, travel, transport, pharmaceutical, energy, and finance sectors.
The group operates an extensive network comprising 42,000 domains used for impersonating famous brands. Their latest campaign aims to generate revenue from users who pay for traffic. At least 24,000 survey/landing domains have been used by the attackers to promote this scam since March 2022.
How Does the Attack Work?
Fangxiao lures unsuspecting users to the malicious domains through WhatsApp messaging, informing them that they have won a prize. The users are redirected to fake dating sites, Amazon via affiliate links, adware, and giveaway sites. These sites appear convincing enough to the user. This brand impersonation campaign spoofs well-reputed names like McDonald’s, Unilever, Emirates, Knorr, and Coca-Cola.
Once visitors access the spoofed version of an authentic brand site, they are redirected to ad sites created by Fangxiao to generate money through fake surveys, which promise the victim a prize for completing them. In some cases, the attacker pushes a download of the Triada malware to the device when the victim clicks the Complete Registration button.
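The redirect flow described above (brand-lookalike lure, survey landing page, then an app download) leaves a recognisable trail in web-proxy logs. The following Python script is an added example of how a defender might triage such logs; it is not code from the Cyjax report or from this article. It assumes a constructed log format (`timestamp client method url status redirect-target`), a hypothetical defender-maintained allowlist of legitimate brand domains for the brands the article names, and a naive registrable-domain rule (last two labels, no public-suffix list). The sample log lines and hostnames are constructed for illustration.

```python
"""
Triage constructed web-proxy log lines for brand-impersonation redirect chains.

Hypothetical example (not from the Cyjax report): a hostname that embeds a
protected brand keyword but is not that brand's own registrable domain is
treated as a lookalike; redirect chains that start on such a host are then
scored for ending cross-domain on an Android package download.
"""
import re
from urllib.parse import urlparse

# Assumption: defender-maintained allowlist of each brand's legitimate domains.
BRAND_ALLOWLIST = {
    "mcdonalds": {"mcdonalds.com"},
    "cocacola": {"coca-cola.com"},
    "emirates": {"emirates.com"},
    "unilever": {"unilever.com"},
    "knorr": {"knorr.com"},
}

# Constructed log lines: "<ts> <client> <method> <url> <status> <redirect-target|->"
SAMPLE_LOG = """\
2022-11-14T09:01:02Z 10.0.0.12 GET https://mcdonalds-prize-2022.top/win 302 https://survey-landing.xyz/s/1
2022-11-14T09:01:03Z 10.0.0.12 GET https://survey-landing.xyz/s/1 302 https://cdn-app.example/reg/app.apk
2022-11-14T09:01:05Z 10.0.0.12 GET https://cdn-app.example/reg/app.apk 200 -
2022-11-14T09:05:10Z 10.0.0.17 GET https://www.mcdonalds.com/menu 200 -
2022-11-14T09:06:44Z 10.0.0.21 GET https://coca-cola.com/promo 302 https://www.coca-cola.com/promo
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Assumption: a real
    deployment would use a public-suffix list to handle co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brand(host: str):
    """Return the brand keyword embedded in host when host is NOT on that
    brand's allowlist; hyphens and dots are stripped so 'coca-cola-prize'
    still matches 'cocacola'."""
    flat = re.sub(r"[^a-z0-9]", "", host.lower())
    reg = registrable_domain(host)
    for brand, legit in BRAND_ALLOWLIST.items():
        if brand in flat and reg not in legit:
            return brand
    return None


def parse_log(text: str):
    """Parse log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status, redirect = m.groups()
        entries.append({"ts": ts, "client": client, "url": url,
                        "status": int(status),
                        "redirect": None if redirect == "-" else redirect})
    return entries


def build_chains(entries):
    """Group each client's consecutive requests into redirect chains: a request
    continues the open chain when its URL equals the previous hop's target."""
    chains, open_chain = [], {}
    for e in entries:
        chain = open_chain.get(e["client"])
        if chain and chain[-1]["redirect"] == e["url"]:
            chain.append(e)
        else:
            if chain:
                chains.append(chain)
            open_chain[e["client"]] = [e]
    chains.extend(open_chain.values())
    return chains


def triage(text: str):
    """Return one finding per chain that begins on a brand-lookalike host."""
    findings = []
    for chain in build_chains(parse_log(text)):
        start_host = urlparse(chain[0]["url"]).hostname or ""
        brand = impersonated_brand(start_host)
        if brand is None:
            continue
        final = chain[-1]
        final_host = urlparse(final["url"]).hostname or ""
        findings.append({
            "client": chain[0]["client"],
            "brand": brand,
            "start_host": start_host,
            "final_host": final_host,
            "hops": len(chain),
            "cross_domain": registrable_domain(start_host) != registrable_domain(final_host),
            "apk_download": final["url"].lower().endswith(".apk") and final["status"] == 200,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The brand-keyword check alone produces noise (any legitimate promotion on a third-party domain would trip it), which is why the chain-level fields matter: a lookalike start host, a cross-domain final hop, and a completed `.apk` download together describe the survey-to-malware path the article reports and make a much stronger alert than any one signal.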
“As victims are invested in the scam, keen to get their ‘reward,’ and the site tells them to download the app, this has likely resulted in a significant number of infections,” Cyjax’s report (PDF) read.
The group uses 42,000 domains registered in 2019 through GoDaddy, Namecheap, and Wix….