The Fangxiao malicious group has devised a brand impersonation scheme that uses more than 40,000 websites spoofing famous brands to lure users onto sites that promote adware apps, fake free giveaways, and dating sites.
Based on reports, the group runs a massive traffic-generation campaign that earns ad revenue on its sites. The scheme could also bring in more visitors who may go on to become customers of the promoted services, which increases traffic on the sites further.
The most well-known brands that the Fangxiao group impersonates are McDonald’s, Knorr, Shopee, Emirates, and Unilever. Most of these fake websites feature extensive localisation options.
Fangxiao’s brand impersonation scheme deploys the Triada trojan.
According to researchers, the brand impersonation scheme from Fangxiao infects its victims with the Triada trojan or other malware strains. However, the researchers could not yet link Fangxiao to the malware as its operators.
Additionally, the Fangxiao group registers 300 new spoofed domains daily to generate visitor traffic for its site. At the beginning of the year, the threat actors utilised nearly 24,000 landing pages and survey domains to introduce fake giveaways to their victims.
Most of the sites owned by the group use uncommon top-level domains such as [.]xyz, [.]work, [.]tech, [.]cn and [.]cyou. The sites are fronted by Cloudflare and registered by the operators through Wix, GoDaddy, and Namecheap.
Users could land on these malicious domains through ads on mobile phones or after receiving a WhatsApp message containing the malicious link. These messages commonly advertise a limited-time offer or tell recipients that they have won a prize.
Furthermore, these landing pages redirect visitors to a survey domain that shows a countdown timer to create a sense of urgency. The landing sites also host ads from ylliX, an ad network that Facebook and Google flagged as suspicious because accessing its ads results in a particular redirection site.
The redirection path varies with the user’s IP address and user agent. Depending on those, the site could lead to downloads of the Triada trojan, fake dating sites, SMS micropayment scams, or Amazon via affiliate URLs.
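The pattern described above (a well-known brand name combined with a giveaway or prize lure, hosted under an uncommon TLD) is something a defender can check for in proxy or DNS logs. The following Python script is an added example written for this write-up, not tooling from the researchers who reported the campaign: the brand names and TLDs come from the text, while the log format, the lure-word list, the allowlist entries and the sample log lines are constructed assumptions. Because the article notes that the redirection path depends on IP address and user agent, the scan also records whether each flagged request came from a mobile user agent, so an analyst re-fetching the page from a desktop on a corporate IP knows the content they see may differ from what the victim saw.

```python
"""Flag brand-lookalike hosts of the kind used in the Fangxiao campaign.

Added example; brand names and TLDs are from the article, everything else
(log format, lure words, allowlist, sample lines) is constructed.
"""
import re
from urllib.parse import urlsplit

# Brands the article says the campaign impersonates.
IMPERSONATED_BRANDS = ("mcdonalds", "knorr", "shopee", "emirates", "unilever")
# Top-level domains the article says the campaign favours.
UNCOMMON_TLDS = {"xyz", "work", "tech", "cn", "cyou"}
# Lure vocabulary typical of fake-giveaway pages (constructed list, extend as needed).
LURE_WORDS = ("giveaway", "prize", "winner", "survey", "free", "gift", "offer")
# Operator-maintained list of vetted brand domains (constructed; replace with your own).
ALLOWLIST = {"mcdonalds.com", "unilever.com"}


def refang(text: str) -> str:
    """Undo the [.] / hxxp defanging commonly used when sharing indicators."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_host(url: str) -> str:
    """Return the lower-cased hostname of a (possibly defanged) URL."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_allowlisted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def classify_host(host: str) -> list:
    """Return the reasons a host looks like a brand-impersonation lure (empty = clean)."""
    if not host or is_allowlisted(host):
        return []
    labels = host.split(".")
    tld = labels[-1]
    # Match brands across labels and hyphens so 'mc-donalds.prize.xyz' still hits.
    name_part = "".join(labels[:-1]).replace("-", "")
    brands = [b for b in IMPERSONATED_BRANDS if b in name_part]
    if not brands:
        return []
    reasons = []
    if tld in UNCOMMON_TLDS:
        reasons.append(f"brand '{brands[0]}' under uncommon TLD .{tld}")
    lures = [w for w in LURE_WORDS if w in name_part]
    if lures:
        reasons.append(f"brand '{brands[0]}' combined with lure word '{lures[0]}'")
    return reasons


# Constructed log format: "<timestamp> <client-ip> <url> <user-agent...>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<url>\S+) (?P<ua>.*)$")


def scan_proxy_log(lines) -> list:
    """Return one finding per log line whose host matches the lookalike pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = extract_host(m.group("url"))
        reasons = classify_host(host)
        if not reasons:
            continue
        ua = m.group("ua").lower()
        findings.append({
            "host": host,
            "client": m.group("ip"),
            "reasons": reasons,
            # The campaign's redirect path depends on IP and user agent, so record
            # whether the victim used a mobile UA before re-fetching for analysis.
            "mobile_ua": any(k in ua for k in ("android", "iphone", "mobile")),
        })
    return findings


# Constructed sample lines; the hostnames are invented for illustration.
SAMPLE_LOG = [
    "2022-11-14T10:02:11Z 10.0.0.5 hxxp://mcdonalds-giveaway[.]xyz/landing Mozilla/5.0 (Linux; Android 12)",
    "2022-11-14T10:03:40Z 10.0.0.7 https://www.mcdonalds.com/menu Mozilla/5.0 (Windows NT 10.0)",
    "2022-11-14T10:05:02Z 10.0.0.9 http://knorr-prize-survey.cyou/?id=1 Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)",
    "2022-11-14T10:06:15Z 10.0.0.5 https://example.org/news Mozilla/5.0 (X11; Linux x86_64)",
    "2022-11-14T10:07:30Z 10.0.0.11 http://shopee.vouchers-offer.work/go Mozilla/5.0 (Linux; Android 11)",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        client_type = "mobile" if f["mobile_ua"] else "desktop"
        print(f["client"], f["host"], client_type, "; ".join(f["reasons"]))
```

Run against the sample, the scan flags the three invented lookalike hosts and leaves the allowlisted brand site and the unrelated domain alone. In practice the brand and lure lists should be tuned to the brands your users actually interact with, and the TLD rule is a heuristic that will miss lookalikes on common TLDs, so it is best treated as one signal feeding a wider triage rather than a blocking rule on its own.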