Latest Phishing Kit Xiū gǒu Aims at Users in Five Nations With 2,000 Bogus Websites
A recent report from cybersecurity researchers has detailed a new phishing kit called Xiū gǒu, which has been used in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.
According to Netcraft, more than 2,000 fraudulent websites built with the Xiū gǒu kit have been identified. The operators have targeted public services, postal services, digital platforms, and financial institutions.
“Threat actors leveraging this phishing kit often make use of Cloudflare’s anti-bot and hosting masking features to evade detection,” read a recent report from Netcraft released on Thursday.
Security researchers Will Thomas (@BushidoToken) and Fox_threatintel (@banthisguy9349) shed light on some components of the kit last month.
Phishing kits like Xiū gǒu lower the barrier to entry: they let less experienced attackers launch convincing campaigns at scale, increasing the likelihood that victims' credentials and other sensitive data are stolen.
Xiū gǒu, built by a Chinese-speaking threat actor, ships with an administrative panel and is written in Golang with a Vue.js front end. The kit's phishing pages, hosted on “.top” domains, harvest credentials and other sensitive details and exfiltrate them to the operators via Telegram.
The lures are delivered via Rich Communication Services (RCS) messages rather than traditional SMS, warning recipients of alleged parking fines and failed package deliveries. The messages direct them to a link, obscured with a URL-shortening service, to pay the fine or update the delivery details.
“These scams coerce victims into sharing personal information and making payments, such as to release a package or clear a fine,” clarified Netcraft.
RCS, available primarily through Apple Messages (from iOS 18) and Google Messages on Android, offers an enhanced messaging experience with features such as file sharing, typing indicators, and optional end-to-end encryption (E2EE).
In a recent blog post, Google outlined new measures to combat phishing, including enhanced scam detection that uses on-device machine learning models to identify and filter deceptive messages about package deliveries and job offers.
Google is also experimenting with security alerts for users in India, Thailand, Malaysia, and Singapore when they receive messages from unfamiliar sources containing potentially risky links. These additional security features, anticipated to roll out worldwide later this year, also block messages containing links from suspicious senders.
Google is also introducing the ability to automatically hide messages from international senders who are not in the user's contacts by moving them to the “Spam & blocked” folder. The feature was first tested in Singapore.
Separately, Cisco Talos disclosed that users of Facebook business and advertising accounts in Taiwan are being targeted by an unidentified threat actor in a phishing campaign designed to deliver stealer malware such as Lumma or Rhadamanthys.
The phishing emails contain a link that takes the user to a Dropbox or Google Appspot domain, which serves a RAR archive containing an executable disguised as a PDF; running it kicks off the chain that delivers the stealer.
“The email subjects and forged PDF filenames are meant to mimic a company’s legal department, enticing the recipient to download and execute malware,” explained Joey Chen, a researcher at Talos, adding that this malicious activity has been ongoing since July 2024.
“These emails demand the removal of infringing content within 24 hours and warn of legal consequences and compensation claims for non-compliance.”
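The "executable disguised as a PDF" in the Talos campaign is the kind of attachment a mail gateway or sandbox can flag before anyone double-clicks it. The following Python script is an added example, not Talos code or any vendor's detector: it compares what a file name claims to be against what the first bytes of the file actually are, and also catches the double-extension trick ("Legal_Notice.pdf.exe" shows as "Legal_Notice.pdf" when Windows hides known extensions). It goes slightly beyond the page by also flagging the right-to-left-override character, a related way of making an .exe render as a .pdf. The file names, byte strings, and extension lists are all constructed for illustration.

```python
# Added example: flag attachments whose name says "document" but whose content
# (or hidden extension) says "executable". Sample names/bytes are constructed.

# Magic numbers for the few formats the campaign involves (illustrative subset).
MAGICS = [
    (b"MZ", "pe-executable"),
    (b"%PDF-", "pdf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),
]
# What a given final extension claims the file is.
EXT_TYPES = {"exe": "pe-executable", "scr": "pe-executable",
             "pdf": "pdf", "rar": "rar", "zip": "zip"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RTLO = "\u202e"  # right-to-left override: "Notice\u202efdp.exe" renders as "Noticeexe.pdf"


def sniff_type(data):
    """Identify the content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(name, data):
    """Return the claimed type, the actual type, and a list of findings."""
    findings = []
    lowered = name.lower()
    if RTLO in name:
        findings.append("rtlo-in-filename")
        lowered = lowered.replace(RTLO, "")  # evaluate the real, unrendered name

    exts = lowered.split(".")[1:]
    final_ext = exts[-1] if exts else ""
    # "something.pdf.exe": a document-looking extension hiding an executable one.
    if final_ext in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double-extension")

    claimed = EXT_TYPES.get(final_ext)
    actual = sniff_type(data)
    if actual == "pe-executable" and final_ext not in EXECUTABLE_EXTS:
        # A PE header behind a non-executable name is never legitimate.
        findings.append("executable-content-non-executable-name")
    elif claimed and actual != "unknown" and claimed != actual:
        findings.append(f"magic-mismatch:{final_ext}->{actual}")

    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


# Constructed samples modelled on the described chain: the RAR archive itself,
# the fake-PDF executable inside it, and a genuine PDF for contrast.
SAMPLES = [
    ("Copyright_Notice.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),
    ("Legal_Notice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16),
    ("Legal_Notice.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16),
    ("Legal_Notice" + RTLO + "fdp.exe", b"MZ\x90\x00" + b"\x00" * 16),
    ("Legal_Notice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
]


def scan(samples=SAMPLES):
    """Map each sample name to its verdict; handy for a quick triage run."""
    return {name: classify_attachment(name, data)["verdict"] for name, data in samples}


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(classify_attachment(name, data))
```

The check is deliberately independent of the archive format: a real gateway would extract the RAR first (the archive is flagged only if its own name lies about its content) and run `classify_attachment` on every member, since the disguise lives on the inner file, not the container.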
Phishing campaigns have also impersonated OpenAI to target businesses worldwide, urging them to update their payment details promptly by clicking an obfuscated link.
“This attack was deployed from a single domain to over 1,000 recipients,” outlined Barracuda in a report. “Though various hyperlinks were used within the email to avoid detection, the sender passed DKIM and SPF checks, indicating that the message originated from an authorized server. However, the domain itself appeared suspicious.”
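Barracuda's observation above, that the lure passed SPF and DKIM yet came from a suspicious domain, deserves a concrete illustration, because "passed authentication" is routinely misread as "is legitimate". The following Python script is an added example, not code from Barracuda or any vendor: it parses a receiving server's Authentication-Results header, checks DMARC-style alignment between the authenticated domain and the From: domain, and then separately asks whether that From: domain actually belongs to the brand named in the display name. The three sample messages, the brand-to-domain table, and the lookalike domain openai-account-update.example are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical brand -> legitimate sending-domain table; example values only.
BRAND_DOMAINS = {"openai": "openai.com"}

# Constructed sample messages (not real mail). The first passes SPF and DKIM for
# the lookalike domain it was really sent from, the pattern Barracuda described.
SUSPICIOUS_MSG = """\
From: "OpenAI Billing" <billing@openai-account-update.example>
Subject: Action required: update your payment details
Authentication-Results: mx.victim.example;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=openai-account-update.example;
 dkim=pass header.d=openai-account-update.example header.s=sel1

Please update your payment details at the link below.
"""

LEGIT_MSG = """\
From: "OpenAI" <noreply@openai.com>
Subject: Your receipt
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=openai.com;
 dkim=pass header.d=openai.com header.s=sel2

Thanks for your payment.
"""

UNAUTH_MSG = """\
From: "OpenAI" <noreply@openai.com>
Subject: Invoice
Authentication-Results: mx.victim.example;
 spf=softfail smtp.mailfrom=openai.com;
 dkim=none

Spoofed envelope, no signature.
"""


def parse_auth_results(msg):
    """Pull SPF/DKIM results, and the domains they were evaluated for, out of the
    receiving MTA's Authentication-Results header (RFC 8601 style)."""
    flat = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    spf = re.search(r"spf=(\w+)(?:\s*\([^)]*\))?\s+smtp\.mailfrom=([\w.-]+)", flat)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", flat)
    return {
        "spf": spf.group(1).lower() if spf else None,
        "spf_domain": spf.group(2).lower() if spf else None,
        "dkim": dkim.group(1).lower() if dkim else None,
        "dkim_domain": dkim.group(2).lower() if dkim else None,
    }


def domain_matches(domain, expected):
    """True if domain is expected or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def assess(raw):
    """Separate what authentication proves from what it does not."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)

    authenticated = auth["spf"] == "pass" and auth["dkim"] == "pass"
    # DMARC-style strict alignment: the domain that passed must be the From: domain.
    aligned = authenticated and from_domain in (auth["spf_domain"], auth["dkim_domain"])

    # Authentication proves "this domain sent it". It says nothing about whether
    # the domain belongs to the brand in the display name; check that separately.
    tokens = re.findall(r"[a-z0-9]+", display.lower())
    claimed_brand = next((b for b in BRAND_DOMAINS if b in tokens), None)
    brand_domain_match = claimed_brand is not None and domain_matches(
        from_domain, BRAND_DOMAINS[claimed_brand])

    if not authenticated:
        verdict = "unauthenticated"
    elif not aligned:
        verdict = "unaligned"
    elif claimed_brand and not brand_domain_match:
        verdict = "authenticated-impersonation"
    else:
        verdict = "ok"
    return {
        "from_domain": from_domain,
        "authenticated": authenticated,
        "aligned": aligned,
        "claimed_brand": claimed_brand,
        "brand_domain_match": brand_domain_match,
        "verdict": verdict,
    }
```

Run `assess(SUSPICIOUS_MSG)` and it reports `authenticated=True`, `aligned=True`, and still `verdict="authenticated-impersonation"`: SPF, DKIM and even DMARC all pass for openai-account-update.example because the attacker owns that domain and set up its records. The only signal left is that the domain is not the brand's, which is why display-name and lookalike-domain checks have to sit on top of authentication rather than being replaced by it.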