Researchers at Cyjax describe a large phishing campaign run by a China-based, financially motivated threat actor called “Fangxiao.” The threat actor has been active since at least 2017 and has used more than 42,000 domains in its phishing operations.
“Cyjax has investigated a sophisticated, large-scale phishing campaign that exploits the reputation of international, trusted brands,” the researchers write. “It targets businesses in multiple verticals including retail, banking, travel, and energy. Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp. Once victims are psychologically invested in the phish, they are redirected through a series of sites owned by advertising agencies, earning Fangxiao money. Victims end up in a wide range of suspicious destinations, from Android malware to fake gift card imposter scams.”
Fangxiao has put a great deal of effort into its impersonation campaigns, posing as more than 400 organizations.
“Currently, most of the sites identified impersonate a wide variety of brands across multiple verticals,” the researchers write. “These include consumer goods, pharmaceuticals, food service, transport, and financial services. Over 400 organizations are currently being imitated, with that number continuing to rise. Companies affected include Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s and Knorr. In one particularly memorable case, Fangxiao impersonates Christianity, Inc. The sites feature extensive localisation and will change the currency references as well as the pictures of the currency displayed depending on the geolocated IP address of the victim.”
The threat actor also uses a wide variety of phishing sites, from phony gambling platforms to fake job recruitment sites.
“One site found this way, recruitment[.]totalenergie.govservice[.]site, poses as a fake Total Energy recruitment campaign targeting Nigerians. Notably, this site has a user counter from supercounters.com, a website visitor tracking tool. This showed a peak of 303 visits on 4 August 2022, with most users accessing the site from an Android smartphone. Another fake job site, job4you[.]live, is targeted at South Africans and offers 10,000 jobs. The promise of jobs in countries with significant unemployment rates provides a powerful psychological incentive to trick users.”
New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.
Cyjax has the story.