A malicious for-profit group named ‘Fangxiao’ has created a massive network of over 42,000 web domains that impersonate well-known brands to redirect users to sites promoting adware apps, dating sites, or ‘free’ giveaways.
The imposter domains are used as part of what appears to be a massive traffic generation scheme that creates ad revenue for Fangxiao’s own sites or more visitors for ‘customers’ who purchase traffic from the group.
According to a detailed report by Cyjax, the threat actors are based out of China. They have been operating since 2017, spoofing over 400 renowned brands from the retail, banking, travel, pharmaceuticals, transport, financial, and energy sectors.
Examples given in the report include Coca-Cola, McDonald’s, Knorr, Unilever, Shopee, Emirates, and more, with many fake sites featuring extensive localization options.
Often, Fangxiao victims are redirected to sites that infect them with the Triada trojan or other malware. However, a connection between the operators of these sites and Fangxiao has yet to be established.