Threat intelligence firm Cyjax has uncovered more than 42,000 registered domains since 2017 involved in phishing scams by impersonating reputable brand names.

Cyjax attributed this coordinated campaign to a malicious actor named Fangxiao based in China, whose main goal is to generate advertising revenue and distribute malware.

Impersonation phishing scams aggressively rotate domains

The threat actor employs various tactics to maintain anonymity, including regularly changing domains. In a single day in October 2022, the scammer registered 300 new brand impersonation domains. Since March 2022, the fraudster has registered 24,000 brand impersonation domains to promote its phishing scams.

The group uses Cloudflare domain protection services to mask the identity of malicious domains.

The brand impersonation sites are usually registered with GoDaddy, Namecheap and Wix under .top (67%), .cn (14%), .cyou (7.6%), .xyz (2.9%), .work (1.6%), .tech (1%) and other TLDs.

The researchers also uncovered a Mandarin-language phishing site that has been operating since 2020.

"We were then able to identify the IP address hosting a Fangxiao site that had been online since at least 2020. Browsing that service showed us a page written in Mandarin," Cyjax wrote.

Researchers also identified two Google Tag codes reused thousands of times across the domains, linking the websites to a single operator.
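The pivot the researchers describe, reusing a tracking identifier as the link between otherwise unrelated domains, is a standard infrastructure-clustering step for defenders. The script below is an added example and is not Cyjax's tooling; the domains, registrars and tag IDs in it are constructed placeholders (not indicators from the report), and the regex only covers the common Google Tag ID shapes. It extracts tag IDs from page HTML, groups domains that share one, and reports the TLD mix of a domain set in the same percentage form the article uses.

```python
"""Pivot on shared tracking identifiers and TLD mix across a domain set.

Added example, not Cyjax's tooling. All records below are constructed for
illustration; tag IDs and domains are placeholders, not IoCs from the report.
"""
from collections import Counter, defaultdict
import re

# Constructed sample: (domain, registrar, tracking tag found in page source).
# The tag IDs are made up; real Google Tag IDs look like "G-XXXXXXXXXX" or "GTM-XXXXXXX".
SAMPLE_RECORDS = [
    ("brand-prize-1.top", "GoDaddy", "G-EXAMPLE001"),
    ("brand-prize-2.top", "Namecheap", "G-EXAMPLE001"),
    ("gift-lucky.cn", "Namecheap", "G-EXAMPLE001"),
    ("survey-win.cyou", "Wix", "G-EXAMPLE002"),
    ("reward-now.top", "GoDaddy", "G-EXAMPLE002"),
    ("shop-legit-site.xyz", "GoDaddy", "G-EXAMPLE777"),
    ("corp-site.work", "Namecheap", None),
]

# Google Tag (G-), Tag Manager (GTM-) and legacy Universal Analytics (UA-) ID shapes.
TAG_RE = re.compile(r"\b(G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{5,10}|UA-\d{4,10}-\d{1,3})\b")


def extract_tag_ids(html):
    """Pull tracking IDs out of raw page HTML, deduplicated and sorted."""
    return sorted(set(TAG_RE.findall(html)))


def tld_distribution(domains):
    """Return {tld: percentage} (one decimal), most common first."""
    tlds = Counter(d.rsplit(".", 1)[-1].lower() for d in domains)
    total = sum(tlds.values())
    return {tld: round(100.0 * n / total, 1) for tld, n in tlds.most_common()}


def cluster_by_tag(records, min_size=2):
    """Group domains sharing the same tracking ID; keep clusters of at least min_size."""
    groups = defaultdict(set)
    for domain, _registrar, tag in records:
        if tag:  # domains with no tag cannot be linked this way
            groups[tag].add(domain)
    return {tag: sorted(doms) for tag, doms in groups.items() if len(doms) >= min_size}


def linked_domains(records, seed_domain, min_size=2):
    """Domains linked to seed_domain through any shared tracking ID (seed excluded)."""
    linked = set()
    for doms in cluster_by_tag(records, min_size).values():
        if seed_domain in doms:
            linked.update(doms)
    linked.discard(seed_domain)
    return sorted(linked)


if __name__ == "__main__":
    print(tld_distribution([r[0] for r in SAMPLE_RECORDS]))
    print(cluster_by_tag(SAMPLE_RECORDS))
    print(linked_domains(SAMPLE_RECORDS, "gift-lucky.cn"))
```

A single shared tag is weak evidence on its own (agencies legitimately reuse one container across client sites), so in practice the clusters are combined with registrar, TLD and hosting overlap before attributing a set of domains to one operator.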

Chinese phishing scams spread through WhatsApp messages

The phishing campaign started in 2017 on a now-defunct website and involves sending phishing links via WhatsApp messages informing victims that they have won a prize. The scams are likely to target victims outside of China, since the Chinese Communist Party (CCP) banned WhatsApp in the country.

Upon clicking, the link redirects the target to landing pages imitating popular brands in various industries such as retail, banking, travel, energy, and pharmaceuticals.

The threat actor has impersonated at least 400 brands, including Emirates, Unilever, Shopee (Singapore), Indomie (Indonesia), Coca-Cola, McDonald's and Knorr.

According to the researchers, the landing domain redirects victims to the main survey domain, which takes them through various advertising sites before they reach a full registration page. The survey page includes a timer to increase urgency and pressure victims into completing every stage so as not to lose their prize.

Before claiming their reward, victims with an Android user agent are sometimes prompted to download an app containing the Triada malware. Cyjax believes the campaign has likely resulted in a significant number of infections.

The redirect chain depends on the user's geographical region and user agent, and includes suspicious advertisements from affiliate links, dating sites and SMS micropayment scams.
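Because the chain branches on user agent, a defender analysing one of these links needs to record it under several device profiles and diff the results rather than trust a single desktop fetch. The code below is an added example, not Cyjax's analysis tooling: it works on redirect chains that have already been captured (the hops here are constructed to mirror the behaviour the article describes, with placeholder domains), classifies the profile from a User-Agent string, finds the hop at which the profiles diverge, and flags which profiles were steered to a downloadable package.

```python
"""Differential analysis of recorded redirect chains keyed on User-Agent.

Added example, not Cyjax's tooling. SAMPLE_CHAINS is constructed to mirror the
survey -> ad hops -> prize page flow described in the report, with the Android
profile ending at an APK; every domain in it is a placeholder.
"""
from urllib.parse import urlparse


def classify_user_agent(ua):
    """Coarse device bucket used to key the recorded chains."""
    ua = ua.lower()
    if "android" in ua:
        return "android"
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    return "desktop"


# Constructed: ordered URLs seen when the same landing link is fetched
# while following redirects under each device profile.
SAMPLE_CHAINS = {
    "android": [
        "https://brand-prize-1.top/win",
        "https://survey-main.cyou/s?r=123",
        "https://ads-hop.example/click",
        "https://dating-hop.example/offer",
        "https://cdn-drop.example/booster.apk",
    ],
    "ios": [
        "https://brand-prize-1.top/win",
        "https://survey-main.cyou/s?r=123",
        "https://ads-hop.example/click",
        "https://sms-sub.example/confirm",
        "https://survey-main.cyou/register",
    ],
    "desktop": [
        "https://brand-prize-1.top/win",
        "https://survey-main.cyou/s?r=123",
        "https://survey-main.cyou/register",
    ],
}

# Final-hop path suffixes that mean the visitor was handed an installable package.
PAYLOAD_SUFFIXES = (".apk", ".exe", ".msi")


def chain_features(chain):
    """Summarise one recorded chain: length, domain spread and payload delivery."""
    domains = [urlparse(u).hostname for u in chain]
    final_path = urlparse(chain[-1]).path.lower()
    return {
        "hops": len(chain),
        "distinct_domains": len(set(domains)),
        "ends_in_payload": final_path.endswith(PAYLOAD_SUFFIXES),
        "final_domain": domains[-1],
    }


def divergence_index(chains):
    """First hop index at which the profiles no longer see the same URL, or None."""
    longest = max(len(c) for c in chains.values())
    for i in range(longest):
        urls = {c[i] if i < len(c) else None for c in chains.values()}
        if len(urls) > 1:
            return i
    return None


def profiles_served_payload(chains):
    """Profiles whose chain ended at a downloadable package (UA-conditional delivery)."""
    return sorted(p for p, c in chains.items() if chain_features(c)["ends_in_payload"])


def shared_pivot_domains(chains):
    """Domains present in every profile's chain: the core infrastructure to block."""
    per_profile = [{urlparse(u).hostname for u in c} for c in chains.values()]
    return sorted(set.intersection(*per_profile))


if __name__ == "__main__":
    print("diverges at hop", divergence_index(SAMPLE_CHAINS))
    print("payload served to", profiles_served_payload(SAMPLE_CHAINS))
    print("shared infrastructure", shared_pivot_domains(SAMPLE_CHAINS))
```

The region dependency mentioned in the article is handled the same way: capture the chain from more than one egress location and feed each capture in as another profile key, so that geo-conditional hops show up as a divergence too.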

Researchers have found various psychological tricks in play, such as fake prizes, COVID-19 relief funds, job opportunities, free laptops and iPhones, spin games and dating, among others.

Tim Helming, Cybersecurity Evangelist at DomainTools, said that brand impersonation domains not only trick users into phishing scams but also damage company reputations.

"Creating spoofed domains of well-known brands not only entices users to click on malicious sites, but can also negatively affect a company's brand reputation and customer relationships," Helming said. "One in six products sold online today is counterfeit, and every month more than 150 brands are hijacked by phishing attacks."

Adware, benign apps and suspicious websites

Another app featured in the campaign is "App Booster Lite RAM Booster", which delivers a barrage of intrusive, hard-to-close ads and asks for excessive permissions, although it does not exhibit any malicious behavior.

The utility app (10 million downloads and 4.4 stars) is developed by Locomind, the owner of the locomind[.]net domain hosted by Hetzner Online GmbH. The same German hosting provider serves another 15 domains, mostly adult sites, and one offering website anonymization services, which calls the credibility of the developers into question. The IP address also hosts another developer agency whose app serves ads from 31 ad services, including IronSource, which has previous links to malware.

Another app developer hosted on the same Hetzner IP address (matchlab[.]me) has apps with many negative reviews on the Google Play Store claiming they are scams. Other sites hosted on Hetzner promise to increase website traffic and offer app-revenue and pay-per-click services.

Cyjax's assessment is that the dubious utility apps linked to the brand impersonation scams are either benign or purely advertising-driven.

The researchers warned that Fangxiao is experienced and determined to achieve its goals, and has the technical and logistical capacity to scale its operation.

Fangxiao's campaigns are an effective means of generating traffic that is then redirected to a range of destinations, from malware to referral links, advertisements and adware.