Fraud group ‘Fangxiao’ built a network of 42,000 sites that impersonate well-known businesses.

The network was designed to steer victims to websites pushing adware. Fangxiao uses fake domains to generate website traffic and advertising revenue for its own websites and the websites of customers who buy traffic from the group.

The group is likely to be based in China, according to a report by Cyjax. Since 2017, Fangxiao has impersonated more than 400 well-known brands in the retail, banking, travel, medicines, transportation, financial and energy industries.

How Fangxiao generates revenue

Fangxiao registers about 300 new brand impersonation domains each day in order to drive traffic to its own websites and the websites of clients. Since March 2022, the group has used at least 24,000 landing pages and survey domains to promote fake prizes to victims.

Coca-Cola, McDonald’s, Knorr, Unilever, Shopee, Emirates are just a few of the brands impersonated by Fangxiao. Many of the bogus websites also come in a wide range of local variations.

Victims of Fangxiao are frequently forwarded to websites where the Triada virus or other malware is installed. However, no connection has been made between Fangxiao and the owners of these websites at this time.

These websites are reached by users via advertisements and WhatsApp messages that contain links and typically claim to offer a great discount or prize. The links direct to websites with a countdown timer that creates a sense of urgency and distracts victims from telltale signals of fraud.

Cyjax

Aside from the use of Mandarin in the internal systems uncovered by Cyjax and a few email addresses connected to hacking forums, there are no details about the identity of the group.

Furthermore, it’s currently unknown if the websites that draw victims to Fangxiao’s final destinations are connected to the fraud group or if Fangxiao is simply partnering with websites to turn a profit.