The Chinese group Fangxiao has built a network of around 42,000 websites that impersonate well-known brands (including Coca-Cola, McDonald's, Knorr, Unilever, Shopee and Emirates) and monetise the traffic they attract. These sites redirect visitors to pages pushing adware, dating sites and fake giveaways, or infect their Android devices with the Triada Trojan.
Cyjax researchers report that Fangxiao has been active since at least 2017 and, judging by the Chinese-language control panels, is based in China. In the recently uncovered campaign the scammers spoof more than 400 well-known brands across the retail, banking, travel, pharmaceutical, transportation, finance and energy sectors.
To generate enough traffic for their clients and their own sites, Fangxiao registers about 300 new domains a day; since the beginning of March 2022 the group has used at least 24,000 domains to push fake prize giveaways and surveys to victims.
One of the scam sites
Analysts say the majority of the fraudulent sites sit in the .top zone, followed by .cn, .cyou, .xyz, .work and .tech. The scam sites are consistently fronted by Cloudflare, which hides the origin server's IP address, and are registered through GoDaddy, Namecheap and Wix.
Users typically reach these sites through mobile advertising or a WhatsApp message claiming that a special offer or prize is waiting for them and that they only need to tap the attached link. The landing page then redirects the victim to a survey page that supposedly must be completed within a set time limit.
Redirect scheme
In some cases completing the survey triggers an application download; the victim is told to launch the app and keep it open for at least thirty seconds, most likely so the install is counted as a new referral. The landing sites also host ylliX ads, which Google flags as "suspicious", and clicking one starts a separate chain of redirects.
These redirects are keyed on the visitor's location (IP address) and User-Agent, and typically end in a Triada Trojan download, an Amazon affiliate link, a fake dating site or an SMS micropayment scam.
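Because the destination depends on who is asking, a single visit from a desktop browser or a crawler will not show what an Android user sees. The script below is an added example, not code from the article or from Cyjax: it stands up a constructed, hypothetical cloaking landing page on localhost that picks its redirect target from the User-Agent header (the geolocation dimension is not simulated), then probes the same URL with several User-Agents and flags the page as cloaking when the chains end at different destinations. All hostnames, paths and User-Agent strings are assumptions for the demonstration.

```python
import http.client
import http.server
import threading
from urllib.parse import urlparse


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a cloaking landing page (hypothetical paths).

    The redirect target depends only on the User-Agent, mirroring the
    UA-keyed redirects described in the article."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "Android" in ua:
            target = "/download.apk"   # mobile Android: the app drop
        elif "iPhone" in ua:
            target = "/dating"         # iOS: fake dating site
        else:
            target = "/survey"         # desktop / crawler: harmless-looking page
        if self.path.startswith("/landing"):
            self.send_response(302)
            self.send_header("Location", target)
            self.end_headers()
        else:
            body = b"endpoint: " + self.path.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the fake landing page on an ephemeral localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def follow_chain(host, port, path, user_agent, max_hops=10):
    """Follow redirects one hop at a time (no automatic following, so every
    intermediate Location is recorded). Returns the list of paths visited."""
    chain = [path]
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 303, 307, 308) and location:
            # Simulation stays on one host, so only the path is kept.
            path = urlparse(location).path or "/"
            chain.append(path)
        else:
            return chain
    return chain  # gave up after max_hops: treat as a redirect loop


# Assumed User-Agent strings; real probes would use current browser UAs.
USER_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 12; Pixel 6) Chrome/107.0 Mobile",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0",
}


def probe_cloaking(host, port, path, user_agents=USER_AGENTS):
    """Probe one URL with several User-Agents. Returns the per-UA redirect
    chains and True when the chains end at more than one destination, which
    is the signature of a page that cloaks by client type."""
    chains = {name: follow_chain(host, port, path, ua)
              for name, ua in user_agents.items()}
    destinations = {chain[-1] for chain in chains.values()}
    return chains, len(destinations) > 1


if __name__ == "__main__":
    server = start_server()
    chains, cloaked = probe_cloaking("127.0.0.1", server.server_address[1], "/landing")
    for name, chain in chains.items():
        print(f"{name:8s} {' -> '.join(chain)}")
    print("cloaking detected:", cloaked)
    server.shutdown()
```

Against a real Fangxiao-style landing page the same probe would also need to vary the source IP (or a VPN exit), since the article notes the chain is keyed on location as well; the User-Agent comparison alone already separates the crawler-facing survey page from the mobile app drop.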