Fangxiao: A Phishing Threat Actor




The domain name industry experiences new types of scams all the time. The latest one reported, the so-called “Fangxiao case”, shows that brand owners and their legal advisors need to stay agile with defence mechanisms while being creative in their strategies in dealing with such threats.


In this article, we highlight what we have learned in the Fangxiao case and what brand owners could do to take pro-active steps against these malicious attacks.


What is Fangxiao?


A malicious for-profit group named ‘Fangxiao’ has created a huge network of over 42,000 web domains that impersonate well-known brands to redirect users to sites promoting adware apps, dating sites, or ‘free’ giveaways.


The imposter domains appear to be used for a number of scams including:

  • a massive traffic generation scheme that creates ad revenue for Fangxiao’s own sites or more visitors for ‘customers’ who purchase traffic from the group.
  • to steal sensitive information, such as login credentials, credit card numbers, and other financial data, by using a complex redirection path (depends on the user’s location (IP address) and user agent), leading to Triada trojan downloads, via affiliate links, fake dating sites, and SMS micropayment scams.


According to a detailed report published by the cyber security company, Cyjax last November, it appears that the bad actors originate from China. They have been operating since 2017, spoofing over 400 renowned brands from the retail, banking, travel, pharmaceuticals, transport, financial, and energy sector.


Their clever campaigns are notable for its use of sophisticated technical tactics and tools, as well as its ability to evade detection by traditional security measures. For example, they may use advanced malware that can evade detection by traditional security software, or they may use encrypted communications to hide their tracks. Additionally, they are known register up to 300 new brand impersonation domains daily, most of which use the “.top” TLD, followed by “.cn”, “.cyou”, “.xyz”, “.work”, and “.tech”. These sites are hidden behind Cloudflare and registered through well-known domain registrars, such as GoDaddy, Namecheap, and Wix. Since the start of March 2022, Cyjax counted that the malicious operators have used at least 24,000 landing and survey domains to promote their fake prizes to victims.


Another key tactic used by the Fangxiao phishers is the use of social engineering. The attackers will often use spoofed email addresses and domains that are designed to look like legitimate companies or organisations. They also use social media to gather information about their victims and craft highly targeted and personalised phishing emails, WhatsApp messages and mobile advertisements.


Why is so difficult for brands to act against Fangxiao?


Many brands are struggling to proactively prepare themselves for the potential tsunami that is Fangxia (or similar threat actors). So, what are the main issues for brand owners?


Looking at the Cyjax report, the key factors to consider are:

  • Amongst the 34,000+ domains reviewed, the fraudsters registered the domains using 89 different domain registrars and used different registrant email addresses (some through privacy protected services). With the hosting information being hidden behind Cloudflare services, there is no pattern for us to determine if a domain name is part of the Fangxiao operation.
  • Fangxiao registers approximately 300 new brand impersonation domains daily most of them using .top gTLD, however the domain name rarely incorporates the brand in itself. Fangxiao has primarily appended two words from a wordlist together, using the .top TLD – for example, hxxp://chamberhike[.]top.
  • The malicious campaign is mostly done via mobile advertisements or after receiving a WhatsApp message typically with the message to go through the survey to “win a prize” and this is how the users are redirected to numerous malicious links.

Considering the above, the two main issues we see are:

  • The sheer volume of domains being registered on a daily basis, it is overwhelming for brands to keep on top of it
  • The lack of brand names in the registered domains makes it incredibly difficult to monitor, detect and take down. Most domain name monitoring software out there at present is able to catch domain names that incorporate the brand or misspelled version of the same.


What preventative measures can brands employ?


It may seem like a hopeless “whack a mole” type situation, but there are a few tactics brands can use to take a more preventive rather than reactive approach. These include:


  • Since the websites under the malicious links impersonate well-known brands, it is advised to activate a web content monitoring service. This specific monitoring is able to identify and analyse web pages that contain a monitored term and implement swift action to stop possible infringements (takedowns). Brand protection agencies can review and report on the hits or suspicious results, providing a detailed report and strategic recommendations and prioritised actions.
  • To avoid users being deceived, it is recommended to add a warning message on all the official company webpages. The goal here is to warn the customers that your brand is not running any campaigns through WhatsApp and that any official promotion would only come from an official domain name that incorporates the brand name in the URL (e.g. Such clauses can also be added in a FAQ section of official company webpages.
  • Training – by educating employees, implementing technical measures, and having a plan in place, companies can greatly reduce their risk of falling victim to a phishing attack and increase the chance of identifying fraudulent activity before it is too late.

Overall, the Fangxiao phishing campaign is a reminder that phishing attacks are constantly evolving, and that it is important to stay vigilant and employ multiple layers of defence to protect yourself, your organisation, your brand and reputation from these types of attacks.


If you would like to discuss the Fangxiao issue in relation to your brand, or phishing scams in general, please contact us here.


Author: Severine Koster

© 2020 BRANDIT. All Rights Reserved. Privacy notice & Terms and Conditions

Share This