Cybersecurity researchers have recently discovered a huge website spoofing campaign that impersonates major brands to distribute malware or serve malicious ads to visitors.
Researchers from Cyjax found a group called “Fangxiao”. This group operates more than 42,000 web domains impersonating companies such as Coca-Cola, McDonald’s, Unilever, Emirates, and others.
More than 400 companies have experienced a form of identity theft in this campaign, researchers said.
How it works
The group, which apparently operates out of China (one of the exposed control panels was allegedly in Mandarin), creates roughly 300 of these domains every day. They then advertise them either through WhatsApp messages or mobile ads.
Victims who click on these links are sent to landing pages that employ all kinds of tactics to keep them engaged and too busy to notice that it is all one big scam. These landing pages also host ads from ylliX, an ad network labeled “suspicious” by both Google and Facebook, the publication claims.
The endgame is to have the victims download an app (a Triada trojan), unknowingly make SMS micropayments, open fake dating sites, or earn the attackers a commission via Amazon affiliate links.
In some cases, the victims are also encouraged to download an app from the Play Store called “App Booster Lite – RAM Booster”. While this app isn’t outright malicious, it requests shady permissions and serves a huge number of hard-to-close ads. According to the report, it was built by a developer previously seen engaged in adware.
Other than the fact that the threat actors are based in China, there is very little information that could help identify the group. Fangxiao was also observed selling its services to other entities looking to boost web traffic.