Researchers at Cyjax have published a report on a threat actor, very likely Chinese, that specializes in impersonating well-known and trusted brands. Over 400 organizations are currently being imitated.
For this reason, the phishing group has been dubbed Fangxiao (simplified Chinese for “imitate”). The researchers found several clues to the fact that the group operates from China, including an exposed control panel in Mandarin.
Even though WhatsApp is banned in China, Fangxiao uses WhatsApp as a primary means to reach initial targets. They promise financial or physical incentives to trick these victims into further spreading the campaign via WhatsApp. A link in the WhatsApp messages takes the recipients to a Fangxiao-controlled site which impersonates a well-known brand’s website.
Landing pages
The landing pages are landing domains that impersonate a localized version of a well-known and trusted brand, such as Coca Cola, Emirates, McDonalds, or Knorr. To avoid getting on blocklists, the group goes through a huge number of domains. The researchers noted as many as 300 new unique domain names in one day.
The naming convention for these domains often matches the pattern of two words from a word list in the .top top level domain (TLD), e.g. http://preventpreceding[.]top.
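As an added example (not code from the Cyjax report or from Malwarebytes), a small Python check that flags hostnames matching the naming pattern just described: a single label that splits into two words from a word list, under the .top TLD. The word list below is a constructed sample; the actor's actual list is not on the page.

```python
"""Flag hostnames that follow the two-dictionary-words-under-.top pattern."""
import re
from typing import Optional, Tuple

# Constructed sample word list (assumption: the real list is far larger).
WORDLIST = frozenset({"prevent", "preceding", "golden", "harvest", "bright", "window"})
SUSPECT_TLDS = frozenset({"top"})

def refang(indicator: str) -> str:
    """Turn a defanged form such as http://example[.]top into a plain hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s)            # drop the scheme
    return s.split("/", 1)[0].split(":", 1)[0]  # drop path and port

def split_two_words(label: str, words=WORDLIST) -> Optional[Tuple[str, str]]:
    """Return (w1, w2) if label is exactly two wordlist words concatenated, else None.
    The longest head is tried first, so 'preventpreceding' -> ('prevent', 'preceding')."""
    for cut in range(len(label) - 1, 0, -1):
        head, tail = label[:cut], label[cut:]
        if head in words and tail in words:
            return head, tail
    return None

def is_fangxiao_style(indicator: str, words=WORDLIST) -> bool:
    """True only for <word><word>.<suspect tld> with no extra labels."""
    parts = refang(indicator).split(".")
    if len(parts) != 2 or parts[1] not in SUSPECT_TLDS:
        return False
    return split_two_words(parts[0], words) is not None

def flag_domains(lines) -> list:
    """Scan log lines (one hostname or URL per line) and return the flagged hostnames."""
    return [refang(line) for line in lines if line.strip() and is_fangxiao_style(line)]
```

Feed it proxy or DNS log lines to surface candidates for review; a dictionary-word hit alone is a lead, not proof, so treat the output as a triage queue.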
Redirects
The landing pages redirect visitors to all sorts of mischief, such as surveys, adware, or even malware. But the surveys always come first. Equipped with a timer to add urgency into the equation, along with great prizes to be won, the visitor is encouraged to fill out the survey.
Once all the questions are answered and the site has “validated” their answers, the participants are told they can win prizes and they are asked to tap on a box. This will start an animation to keep the visitor in suspense about whether and what they’ve won. The site can require up to three taps for a win, with usually either the second or third one telling them they have won a high value gift card or some other attractive prize. To claim the prize, they are told to share the phishing campaign via WhatsApp to five groups or 20 friends.
Referrals
The next step after sharing the link with their contacts is to download an app, open it and leave it open for thirty seconds after installation. This is likely to enable the group to collect a referral fee from the publishers of the app. The next step in the redirection chain sends the visitor to an advertising site run by an ill-reputed advertising company called ylliX. Clicking on these ads redirects users through multiple domains in quick succession. The redirect destination depends on both the location and the user-agent of the browser.
Getting the visitor to the advertising page is likely another source of revenue for Fangxiao. And from that point on, the victim is in the hands of the advertising company. At this point it is unclear if this is a related entity or a “customer” of Fangxiao.
Malware
What’s important to note is that some of the redirects from the advertising page, besides more advertising and fraudulent sites, can also lead to the adware-laden ‘App Booster Lite – RAM Booster’ app or the Triada trojan (detected by Malwarebytes for Android as Android/Trojan.Triada). The Triada Trojan is known to fingerprint the affected device and then drop more malware.
How to avoid becoming a victim
This type of scheme typically plays on the fact that the more effort you have put in, the more you are willing to risk to get to the holy grail, whether that is a whopper of a gift card, an iPhone, or a spin on the world’s best paying slot machine.
There are several points in this scheme where everything points to it being a scam. Here’s how to avoid becoming a victim:
- Do not click unsolicited links in WhatsApp messages (or any message), even if they come from a friend.
- Shy away from surveys, even when the information they ask for seems trivial.
- Never help the phishers by sending out more links to others.
- Do not download or install apps just because some site says you need to.