Do you know what “fangxiao” means in simplified Chinese? Before you Google it, let me tell you that it stands for “imitate” and this is exactly what Fangxiao phishing campaign actors try to do – imitate and exploit the reputation of international, trusted brands by promising financial or physical incentives to trick victims into further spreading the campaign through WhatsApp.
Researchers at Cyjax have investigated this sophisticated, large-scale campaign and produced a comprehensive report with valuable insights into Fangxiao's operations. According to the report, once victims take the phishing bait, they are redirected through a series of sites owned by ad companies and end up at suspicious destinations ranging from Android malware to fake gift card impostor scams.
“This is another example of the diverse motivation for these campaigns, illustrating both simple but profitable money-making processes through click and advert payments alongside delivery mechanisms for mobile-based malware,” says Chris Spinks, Cyjax Head of Operations. “We see the threat actors exploiting victim trust by utilizing WhatsApp delivery of the campaign to friends' networks.”
Let’s see how the campaign works.
The Fangxiao modus operandi
Users arrive at a Fangxiao-controlled website through a link received over WhatsApp. The message points to a landing domain that specifies the impersonated brand. Fangxiao uses well-known, reputable brands to establish credibility with victims, spanning consumer goods, pharmaceuticals, food service, transportation and financial services. Over 400 organizations are currently being mimicked, and that figure continues to climb.
Affected brands include Emirates, Shopee of Singapore, Unilever, Indomie of Indonesia, Coca-Cola, McDonald's and Knorr. The sites are heavily localized according to the geolocation of the victim's IP address, changing both the currency references and the images of the currency shown.
From the landing domain, users are redirected to the main survey domain. The bogus survey site carries a copyright notice at the bottom, and a countdown timer creates a sense of urgency that pushes victims on to the phishing page. Below the survey, the site displays dozens of fraudulent comments to the victim.
Once victims have answered the survey questions and the website has "validated" their responses with an animation, they are informed that they are eligible for prizes and urged to tap a box. The website may take up to three taps for a "win," with the second or third tap typically indicating that the user has won a high-value gift card. To claim this, users are instructed to share the phishing campaign over WhatsApp with "five groups and twenty friends."
After the user has shared the campaign, the website prompts them to download an app by clicking a button. After installation, the user must open this and leave it open for thirty seconds. The participant is then informed that the administrator will review their registration and contact them within 24 hours regarding their reward.
Malvertizing and malware delivery
On the final page managed by Fangxiao, users are also shown advertisements. Clicking one of these ads sends the user through many domains in rapid succession. The final destination depends on the browser's location and user agent.
With a UK IP address and an Android user agent, the researchers were bounced through multiple domains before receiving a malicious APK. VirusTotal identifies this file as Triada, an Android malware family. With a UK IP address and an iOS user agent, the chain ended at an Amazon affiliate link. This lets whoever controls the final redirect collect a commission on every Amazon purchase made from the same device over the next twenty-four hours, which may represent a substantial source of income.
Fake recruitment sites
URLScan provides a robust capability to pivot across scans that reference a given filename. While analyzing Fangxiao-controlled websites, Cyjax noticed that they consistently loaded a script named "yuming.js"; "yuming" is the pinyin of the simplified Chinese term for "domain name." Using this signal with URLScan, the researchers found and downloaded approximately 46,000 unique scans from 2019 onwards, referencing over 13,600 unique domains.
One site discovered this way, recruitment.totalenergie.govservice[.]site, poses as a Total Energy recruitment campaign in Nigeria. The bogus site peaked at 303 hits on August 4, 2022, with the majority of visitors on Android smartphones. job4you[.]live is another bogus job site, targeting South Africans with the promise of 10,000 positions. The promise of employment in countries with high unemployment rates is a potent psychological lure.
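The filename pivot above reduces tens of thousands of scans to a much smaller set of domains, which is where the hunting actually starts. The following is an added example (not Cyjax's tooling) of that reduction step: it builds the URLScan query, collapses scan hits to unique domains with a first-seen date, groups subdomains under a shared apex, and flags days on which an unusual number of new domains appeared, in the spirit of the registration spike the report describes. The hit layout follows urlscan's public search API as I understand it (`results[].page.domain`, `results[].task.time`), and the sample hits are constructed, not real Fangxiao data.

```python
from collections import Counter, defaultdict

# Constructed sample of search hits; domain names are reserved test names, not real IoCs.
SAMPLE_RESULTS = [
    {"page": {"domain": "promo-brand-a.example"}, "task": {"time": "2022-10-03T08:01:00.000Z"}},
    {"page": {"domain": "promo-brand-a.example"}, "task": {"time": "2022-10-03T09:15:00.000Z"}},
    {"page": {"domain": "Promo-Brand-A.example"}, "task": {"time": "2022-10-04T11:00:00.000Z"}},
    {"page": {"domain": "recruitment.jobs-example.test"}, "task": {"time": "2022-10-03T12:00:00.000Z"}},
    {"page": {"domain": "apply.jobs-example.test"}, "task": {"time": "2022-10-03T12:30:00.000Z"}},
    {"page": {"domain": "gift.example.test"}, "task": {"time": "2022-10-05T07:00:00.000Z"}},
]


def build_query(filename: str) -> str:
    """urlscan search syntax: filename:<name> matches scans that requested that file."""
    return f"filename:{filename}"


def first_seen(results: list) -> dict:
    """Collapse scans to unique domains, keeping the earliest scan date (YYYY-MM-DD) per domain."""
    seen = {}
    for hit in results:
        domain = hit["page"]["domain"].lower().rstrip(".")   # normalize case and trailing dot
        day = hit["task"]["time"][:10]
        if domain not in seen or day < seen[domain]:
            seen[domain] = day
    return seen


def apex(domain: str) -> str:
    """Naive apex (last two labels); use a public-suffix list for multi-label TLDs like co.uk."""
    return ".".join(domain.split(".")[-2:])


def shared_apexes(first_seen_map: dict) -> dict:
    """Apex domains that host more than one hostname, a hint of shared actor infrastructure."""
    groups = defaultdict(set)
    for domain in first_seen_map:
        groups[apex(domain)].add(domain)
    return {a: sorted(hosts) for a, hosts in groups.items() if len(hosts) > 1}


def burst_days(first_seen_map: dict, threshold: int) -> dict:
    """Days on which at least `threshold` previously unseen domains first appeared."""
    per_day = Counter(first_seen_map.values())
    return {day: n for day, n in per_day.items() if n >= threshold}


if __name__ == "__main__":
    fs = first_seen(SAMPLE_RESULTS)
    print(build_query("yuming.js"), len(fs), shared_apexes(fs), burst_days(fs, 3))
```

With real data, the query string is sent to urlscan's search endpoint and the `results` list is paged through; only the three analysis functions need the hit shape above.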
Attribution and concluding thoughts
Fangxiao employs several methods to stay anonymous, such as hiding the majority of its infrastructure behind Cloudflare and frequently rotating domain names. On a single day in October 2022, the group registered more than 300 new domains. Even so, Cyjax researchers were able to deanonymize some domains and get past Cloudflare's restrictions to locate a web service that linked to a Mandarin-language page.
When we asked Ian Thornton-Trump to comment on the investigative report, he said that “What struck me here is the crafty use of monetized links to make more money on the journey to the money from exploring end-point compromise.” Another item he wanted to highlight was “the support received from the threat actors who registered the thousands of domains.”
Is this something that deserves further consideration? Ian Thornton-Trump thinks so. “I mean and perhaps I am overly hopeful that a Registrar would turn an eye up at least at such massive activity. To me it seems infrastructure providers are putting profit before thwarting criminal actors.”
If you want to read the Cyjax report “Fangxiao - a Chinese Phishing Threat Actor”, you can download it here.