42,000 sites drive ad traffic claiming to be famous brands


China’s Fangxiao group has built a vast network of 42,000 websites that impersonate well-known brands (including Coca-Cola, McDonald’s, Knorr, Unilever, Shopee and Emirates) and generate advertising traffic. These sites redirect visitors to pages that push adware, dating sites and fake giveaways, or infect their devices with the Triada Trojan.


Cyjax researchers report that Fangxiao has been active since at least 2017 and, judging by the use of Chinese in its control panels, is based in China. In the recently uncovered campaign, the scammers impersonate more than 400 well-known brands in the retail, banking, travel, pharmaceutical, transportation, finance and energy industries.

To generate enough traffic for their clients and for their own sites, Fangxiao members register around 300 new domains per day: since early March 2022 the attackers have used at least 24,000 domains to promote fake giveaways and victim surveys.


One of the scam sites

Analysts say most of the scam sites are in the .top zone, followed by .cn, .cyou, .xyz, .work and .tech. The fraudulent sites are hidden behind Cloudflare and are registered through GoDaddy, Namecheap and Wix.


Users typically reach these sites through mobile advertising or after receiving a WhatsApp message claiming that a special offer or prize is waiting for them and that they only need to click the attached link. The landing page then redirects the victim to a survey site, where the survey supposedly has to be completed within a time limit.

Redirection scheme

In some cases, completing the survey results in an app being downloaded; the victim is prompted to launch it and keep it open for at least thirty seconds, presumably long enough for the app to register the victim as a newly referred user. The landing sites also host ylliX advertisements that Google flags as “suspicious”; clicking one leads to a separate chain of redirects.

These redirects branch on the visitor’s location (IP address) and user agent, and typically lead to Triada Trojan downloads, Amazon referrals through an affiliate link, fake dating sites and SMS micropayment scams.

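Branching of this kind is easiest to confirm by probing the same landing URL as several different clients and comparing where each one ends up. The Python below is an added example, not code from the article or from Cyjax: it stands up a small constructed redirector on loopback (its branching rules, destination paths and the use of the X-Forwarded-For header as the client IP are assumptions for the demo, not observed Fangxiao behaviour) and a probe that records every hop of the chain under each User-Agent and client-IP profile.

```python
"""Expose cloaked redirect chains by probing one landing URL as several
different clients and comparing where each one ends up."""

import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class CloakingHandler(BaseHTTPRequestHandler):
    """Constructed redirector standing in for a cloaking landing site.

    The rules and paths are assumptions for the demo, not observed Fangxiao
    infrastructure. The "client IP" is read from X-Forwarded-For because a
    real geo-IP lookup is out of scope here."""

    TARGET_NET = "203.0.113."  # documentation range, plays the "target country"

    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        client_ip = self.headers.get("X-Forwarded-For", self.client_address[0])
        if self.path == "/landing":
            self._redirect("/survey")              # hop 1 looks the same for everyone
        elif self.path == "/survey":               # hop 2 is where the cloaking happens
            if "android" in ua:
                self._redirect("/app-download.apk")  # mobile: trojanised app
            elif client_ip.startswith(self.TARGET_NET):
                self._redirect("/dating")            # target geography: dating scam
            elif "curl" in ua or "python" in ua:
                self._redirect("/thank-you")         # scanners and sandboxes: harmless page
            else:
                self._redirect("/amazon-affiliate")  # everyone else: affiliate link
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"final page: " + self.path.encode())

    def _redirect(self, location):
        self.send_response(302)
        self.send_header("Location", location)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Serve the constructed redirector on a random loopback port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


class _RecordingRedirects(urllib.request.HTTPRedirectHandler):
    """Follow redirects exactly like the default handler, but remember every hop."""

    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def probe(url, user_agent, client_ip, timeout=5):
    """Fetch url as the given client; return (list of (status, hop URL), final URL, final status)."""
    recorder = _RecordingRedirects()
    opener = urllib.request.build_opener(recorder)  # replaces the stock redirect handler
    req = urllib.request.Request(
        url, headers={"User-Agent": user_agent, "X-Forwarded-For": client_ip}
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            final, status = resp.geturl(), resp.getcode()
    except urllib.error.HTTPError as err:
        final, status = err.filename, err.code
    return recorder.hops, final, status


# Client profiles to probe with (constructed; IPs are from documentation ranges).
PROFILES = {
    "android-phone": ("Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 Mobile Safari/537.36", "198.51.100.7"),
    "desktop-target-country": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/107.0 Safari/537.36", "203.0.113.5"),
    "desktop-elsewhere": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/107.0 Safari/537.36", "198.51.100.7"),
    "scanner": ("curl/8.0.1", "198.51.100.7"),
}


def cloaking_report(url, profiles=PROFILES):
    """Probe url under every profile; return ({profile: final URL}, cloaking suspected?)."""
    finals = {name: probe(url, ua, ip)[1] for name, (ua, ip) in profiles.items()}
    # One landing page resolving to several unrelated destinations depending only
    # on who is asking is the signature of a cloaked redirector.
    return finals, len(set(finals.values())) > 1


if __name__ == "__main__":
    base = start_demo_server()
    finals, cloaked = cloaking_report(base + "/landing")
    for name, dest in finals.items():
        print(f"{name:24s} -> {dest}")
    print("cloaking suspected:", cloaked)
```

Against a real landing page, point cloaking_report at the URL from a sandboxed host and vary the geography with exit nodes or proxies in the target countries rather than with a header, since a real redirector decides on the connecting IP; the hop list from probe is also the list of intermediate hosts worth blocking, not just the final destination.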
