Security researchers at Cyjax have uncovered a sophisticated phishing campaign that uses tens of thousands of malicious domains to spread malware and generate advertising revenue.
Fangxiao: the threat actor has been active since at least 2017 and has used more than 42,000 domains in its phishing operation.
“Cyjax has investigated a sophisticated, large-scale phishing campaign that exploits the reputation of international, trusted brands,” the researchers write. “It targets businesses in multiple verticals including retail, banking, travel, and energy. Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp. Once victims are psychologically invested in the phish, they are redirected through a series of sites owned by advertising agencies, earning Fangxiao money. Victims end up in a wide range of suspicious destinations, from Android malware to fake gift card imposter scams.”
The threat actor also uses a wide variety of phishing sites, from phony gambling platforms to fake job recruitment sites.
The 42,000 domains registered by the group date back to 2019 and “continue to scale.” The infrastructure sits behind Cloudflare, which hides the origin hosting from anyone resolving the domains, and domain names are changed “regularly and quickly.” On a single day in October, the group used more than 300 new unique domains.
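A campaign that rotates hundreds of fresh domains a day leaves a simple signal in DNS or proxy logs: a burst of registrable domains that have never been seen before, many of them resolving to Cloudflare edge addresses rather than to the operator's own hosting. The script below is an added example written for this article, not code from Cyjax or from the report; it runs a first-seen-domain tracker over a constructed log (the log lines, the `.example` domain names, the `threshold` of 3 and the two-label "registrable domain" shortcut are all assumptions for the demo, and only a subset of Cloudflare's published IPv4 ranges is embedded).

```python
"""
Added example (not from Cyjax or the article): flag days on which an
unusual number of never-before-seen domains appear in resolver/proxy logs,
and count how many of them front through Cloudflare.
"""
import ipaddress
from collections import defaultdict
from datetime import date

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# A real deployment should load the full, current list rather than this excerpt.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed sample log, format: "YYYY-MM-DD client_ip fqdn resolved_ip".
# Day 1 is normal traffic; day 3 shows a burst of new lure-style domains.
SAMPLE_LOG = [
    "2022-10-10 10.0.0.5 www.corp-intranet.example 198.51.100.10",
    "2022-10-10 10.0.0.7 cdn.partner-site.example 198.51.100.20",
    "2022-10-11 10.0.0.5 www.corp-intranet.example 198.51.100.10",
    "2022-10-12 10.0.0.9 brand-survey-7.example 104.16.0.9",
    "2022-10-12 10.0.0.9 brand-gift-21.example 104.17.44.3",
    "2022-10-12 10.0.0.11 whatsapp-prize-3.example 172.67.1.1",
    "2022-10-12 10.0.0.11 survey-reward-9.example 203.0.113.5",
    "2022-10-13 10.0.0.5 brand-survey-7.example 104.16.0.9",
]


def is_cloudflare(ip: str) -> bool:
    """True if the resolved address falls in the embedded Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def registrable_domain(fqdn: str) -> str:
    """Naive registrable domain: the last two labels.

    Assumption for the demo; production code should use the Public Suffix
    List so that e.g. 'foo.co.uk' is not collapsed to 'co.uk'.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    day, client, fqdn, ip = line.split()
    return date.fromisoformat(day), client, fqdn, ip


def first_seen_per_day(lines):
    """Map each day to the (domain, resolved_ip) pairs first observed that day."""
    seen = set()
    per_day = defaultdict(list)
    for line in lines:
        day, _client, fqdn, ip = parse_line(line)
        dom = registrable_domain(fqdn)
        if dom not in seen:
            seen.add(dom)
            per_day[day].append((dom, ip))
    return per_day


def flag_bursts(lines, threshold: int = 3):
    """Return one alert per day with >= threshold never-before-seen domains.

    The threshold is illustrative; a real detector derives a baseline from
    the organisation's own history of new-domain counts per day.
    """
    alerts = []
    per_day = first_seen_per_day(lines)
    for day in sorted(per_day):
        new = per_day[day]
        if len(new) < threshold:
            continue
        behind_cf = sum(1 for _dom, ip in new if is_cloudflare(ip))
        alerts.append({
            "day": day.isoformat(),
            "new_domains": len(new),
            "behind_cloudflare": behind_cf,
            "examples": sorted(dom for dom, _ip in new)[:5],
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_bursts(SAMPLE_LOG):
        print(alert)
```

On the constructed log this reports a single alert for 2022-10-12: four new registrable domains, three of them resolving into Cloudflare space. Treat the Cloudflare count as a triage hint rather than a verdict, since plenty of legitimate sites front through the same ranges; the useful part is the first-seen burst, which is what a 300-domains-a-day rotation produces and what a static blocklist cannot keep up with.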
Cyjax attributed the campaign to operators in China after de-anonymizing some of the domains, which required working around the Cloudflare fronting that otherwise hides the hosting behind them.
“The Fangxiao campaigns are effective lead generation methods which have been redirected to various domains, from malware, to referral links, to ads and adware.”