A new phishing kit dubbed “Xiu Gou” (修狗), designed to deploy phishing attacks globally, has been targeting users across the US, UK, Spain, Australia and Japan since at least September 2024.
Discovered by cybersecurity firm Netcraft, the kit features a distinctive “doggo” mascot and comprises over 2000 phishing websites that target individuals in the public sector, postal services, digital services and banking.
Advanced Technology Makes Xiu Gou Hard to Detect
Unique aspects of the Xiu Gou kit include its interactive cartoon mascot and “easter egg” features, where users can transform the avatar by clicking it. It also incorporates advanced software, such as a Vue.js frontend and a Golang backend, distinguishing it from typical PHP-based phishing kits.
To stay under the radar, attackers use Cloudflare’s anti-bot services and domain obfuscation, deploying phishing sites on domains like “.top” that include keywords linked to scam types.
Key Features and Technical Specifications
Key technical features of this malware include:
- A custom admin panel exposed on the /admin path for easy campaign management
- Use of Rich Communication Services (RCS) instead of SMS to deliver phishing lures
- Integration with Telegram bots for data exfiltration, ensuring continued access to stolen information even when sites are shut down
The Xiu Gou kit has primarily targeted well-known organizations such as USPS, gov.uk, Lloyds Bank and New Zealand Post. Attackers use fake notices related to fines, parcel releases or government payments to lure victims into providing sensitive information.
For example, one of the campaigns impersonates the UK government website gov.uk to mimic penalty charge notices, leading victims to phishing sites styled identically to official pages.
Netcraft’s researchers also identified numerous subdomains linked to Xiu Gou, such as “usps0007[.]xiugou[.]icu” and “ai[.]xiugou[.]icu,” suggesting that the kit’s creators operate across multiple fronts. The kit’s creator, thought to own “xiugou.icu,” monitors kit installations through referrer headers.
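As an added defender-side example (not Netcraft’s code and not part of the original article), the following Python flags URLs in a web-proxy log that match the traits reported above: subdomains of the operator’s xiugou.icu domain, keyword-laden “.top” hostnames, look-alikes of the impersonated brands, and requests to the /admin panel path. The log format, the keyword list and the legitimate-domain list are assumptions, and the sample log lines are constructed.

```python
from urllib.parse import urlsplit

# Indicators drawn from the article; keyword and legitimate-domain lists are assumptions.
OPERATOR_DOMAIN = "xiugou.icu"                  # kit author's domain, seen in subdomains
LURE_KEYWORDS = ("parcel", "penalty", "fine", "payment", "delivery", "post")
BRANDS = {                                      # impersonated brand token -> legitimate domains
    "usps": ("usps.com",),
    "gov": ("gov.uk",),                         # coarse token; tune for your environment
    "lloyds": ("lloydsbank.com",),
    "nzpost": ("nzpost.co.nz",),
}

def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def classify_url(url: str) -> list[str]:
    """Reasons a URL matches the Xiu Gou traits above (empty list means nothing matched)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if _under(host, OPERATOR_DOMAIN):
        reasons.append("operator-domain")
    if host.endswith(".top") and any(k in host for k in LURE_KEYWORDS):
        reasons.append("scam-keyword-top-tld")
    for brand, legit in BRANDS.items():
        if brand in host and not any(_under(host, d) for d in legit):
            reasons.append(f"lookalike:{brand}")
    if reasons and parts.path.rstrip("/") == "/admin":
        reasons.append("admin-panel-path")      # the kit's admin panel lives on /admin
    return reasons

def scan_log(lines: list[str]) -> dict[str, list[str]]:
    """Parse assumed 'timestamp client url' lines; return flagged URL -> reasons."""
    flagged = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue                            # malformed line, skip it
        reasons = classify_url(fields[2])
        if reasons:
            flagged[fields[2]] = reasons
    return flagged

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2024-10-01T09:12:03Z 10.0.0.5 https://www.usps.com/track",
    "2024-10-01T09:12:41Z 10.0.0.7 https://usps-parcel-fee.top/pay",
    "2024-10-01T09:13:10Z 10.0.0.9 https://usps0007.xiugou.icu/admin",
    "2024-10-01T09:14:02Z 10.0.0.7 https://www.gov.uk/pay-penalty",
    "2024-10-01T09:15:30Z 10.0.0.8 https://gov-penalty-notice.top/login",
]
```

Running `scan_log(SAMPLE_LOG)` returns the three look-alike and operator-domain URLs with their reasons, while the genuine usps.com and gov.uk requests come back clean.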
By gaining access to a tutorial on Xiu Gou, Netcraft observed how fraudsters set up Telegram bots for data exfiltration, with step-by-step instructions included in the kit.
“Understanding how phishing tradecraft is developed is essential to stopping phishing attacks,” the firm explained. “By analyzing phishing kits in-depth, it’s possible to improve the speed and accuracy with which threats can be detected, categorized and taken down.”