Fangxiao Domain-Spoofing for Revenue

Researchers at Cyjax describe a large phishing campaign being run by a China-based financially motivated threat actor called “Fangxiao.” The threat actor has been active since at least 2017, and has used more than 42,000 domains in its phishing operations.

“Cyjax has investigated a sophisticated, large-scale phishing campaign that exploits the reputation of international, trusted brands,” the researchers write. “It targets businesses in multiple verticals including retail, banking, travel, and energy. Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp. Once victims are psychologically invested in the phish, they are redirected through a series of sites owned by advertising agencies, earning Fangxiao money. Victims end up in a wide range of suspicious destinations, from Android malware to fake gift card imposter scams.”

Fangxiao has put a great deal of effort into its impersonation campaigns, posing as more than 400 organizations.

“Currently, most of the sites identified impersonate a wide variety of brands across multiple verticals,” the researchers write. “These include consumer goods, pharmaceuticals, food service, transport, and financial services. Over 400 organizations are currently being imitated, with that number continuing to rise. Companies affected include Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s and Knorr. In one particularly memorable case, Fangxiao impersonates Christianity, Inc. The sites feature extensive localisation and will change the currency references as well as the pictures of the currency displayed depending on the geolocated IP address of the victim.”

The threat actor also uses a wide variety of phishing sites, from phony gambling platforms to fake job recruitment sites.

“One site found this way, recruitment[.]totalenergie.govservice[.]site, poses as a fake Total Energy recruitment campaign targeting Nigerians. Notably, this site has a user counter from, a website visitor tracking tool. This showed a peak of 303 visits on 4 August 2022, with most users accessing the site from an Android smartphone. Another fake job site, job4you[.]live, is targeted at South Africans and offers 10,000 jobs. The promise of jobs in countries with significant unemployment rates provides a powerful psychological incentive to trick users.”

New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.

Cyjax has the story.

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.
