Stratos Ally

Xiū gǒu Phishing kit targets multiple countries  


StratosAlly


Xiū gǒu, a phishing kit developed by a Chinese threat actor, is being used to craft sophisticated phishing websites to target victims. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. 

The phishing kit has been observed in phishing attacks targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024. The campaign appears elaborate: more than 2000 websites have been deployed, impersonating a variety of verticals such as public sector, postal, digital services, and banking services.

Attackers contact their targets via Rich Communication Services (RCS) messages rather than SMS. The messages warn recipients of traffic violation penalties or failed package deliveries and instruct them to click a link, shortened with a URL shortener service, to pay the fine or update the delivery address. Victims who fall for these lures end up handing over their personal details and making money transfers, either to settle the supposed penalty or to get the parcel delivered.

Researchers from Cisco Talos warned that Facebook business and advertising account users in Taiwan are being targeted by an unknown threat actor in a phishing campaign designed to deliver stealer malware such as Lumma or Rhadamanthys. The messages carry an embedded link that, when clicked, redirects the victim to a Dropbox or Google Appspot domain and triggers the download of a RAR archive containing a fake PDF executable, which serves as the conduit for dropping the stealer malware.

Tech giants such as Google are working to enhance their detection mechanisms and are sending awareness messages to users across multiple countries. They are also trying to identify the source addresses or numbers so that these actors can be blocked, and are improving security features to block texts from unknown senders that contain URL links. However, the onus remains with end users to stay vigilant against such attempts and to turn on their personal firewalls to avoid getting scammed.
