42,000 phishing domains discovered masquerading as popular brands

According to researchers, this scam is highly sophisticated and large-scale, targeting brands like McDonald’s, Unilever, Emirates, Knorr, Coca-Cola, etc.

Security researchers at Cyjax have uncovered a highly sophisticated, large-scale phishing campaign in which the threat actors used as many as 42,000 phishing domains to distribute malware and gain ad revenue.

Campaign Details

Cyjax researchers noted that the threat actors have links to China and have been active since 2017. So far, the attackers, identified as the Fangxiao group, have spoofed over 400 brands from the banking, retail, travel, transport, pharmaceutical, energy, and finance sectors.

The group operates an extensive network comprising 42,000 domains used for impersonating famous brands. Their latest campaign aims to generate revenue from users who pay for traffic. At least 24,000 survey/landing domains have been used by the attackers to promote this scam since March 2022.

How Does the Attack Work?

Fangxiao lures unsuspecting users to the malicious domains through WhatsApp messaging, informing them that they have won a prize. The users are redirected to fake dating sites, Amazon via affiliate links, adware, and giveaway sites. These sites appear convincing enough to the user. This brand impersonation campaign spoofs well-reputed names like McDonald’s, Unilever, Emirates, Knorr, and Coca-Cola.

Once visitors access the spoofed version of an authentic brand site, they are redirected to ad sites created by Fangxiao to generate money through fake surveys, which promise the victim a prize upon completion. Sometimes, the attacker may force a download of Triada malware onto the device when the victim clicks the Complete Registration button.

“As victims are invested in the scam, keen to get their ‘reward,’ and the site tells them to download the app, this has likely resulted in a significant number of infections,” Cyjax’s report (PDF) read.

Domain Analysis

The group uses 42,000 domains registered in 2019 through GoDaddy, Namecheap, and Wix. Their infrastructure is protected with Cloudflare, and domain names keep changing regularly.

Reportedly, the group used 300 new brand domains in one day in October. Therefore, it seems like a continually evolving money-making scam. Researchers were able to identify the threat actor behind this scam campaign after de-anonymizing the domains, bypassing Cloudflare security, and discovering the IP address.

They learned that the IP address was hosting a Fangxiao site that had been operating since 2020, and the pages were written in Mandarin. They found Fangxiao TLS certificates and identified that the attackers were utilizing WhatsApp to claim victims. This means they are targeting people outside of China.

