Join us for the Spring 2021 Series. Register Today
Insights and Research
Chinese Phishing Sites: Stocks And Government Lottery
I find Chinese phishing sites particularly interesting. For starters, they don't seem to attract too many security researchers. I have found that very few Chinese sites are blocked by Phishtank or Google Safe Browsing. Additionally, the type of phshing is very different from what we see in the US or other Western countries. While sites related to banking (PayPal, Bank of America, J.P. Morgan, etc.) are the primary targets of phishers overall, Chinese phishing sites are mainly focused on QQ (Instant messaging, online games, etc.) or Yahoo! Auctions.
Recently I found two Chinese phishing/scam sites: a site about stocks from Shanghai Huaer Securities, and a government lottery. These two types of sites use a large number of pages with an IFRAME displaying the main site, and both follow a similar layout. The domain names are registered to different people, so the phishers may not be affiliated.
Shanghai Huaer Securities
This site claims to be a stock trading company for the Shanghai Securities market.
The main sites is hosted on huaerzq.com. The "Add to Favorite" links do not use the same domain, rather they leverage short links (http://www.goo.gl/YebPW) which redirect to huaer88997766.now.to, which is simply an IFRAME to huaerzq.com.
There are many now.to sub-domains which display this website:
Government lottery
The second type of site claims to be a Government lottery. Proceeds are purported to help the kids you see on the right side. I found two slightly different versions of this site.
This site is hosted on these domains:
And the following domains contain an IFRAME to one of the sites above:
These sites are not blocked by any popular phishing blacklist that I am aware of, and will therefore likely stay up for some time.
-- Julien
Recently I found two Chinese phishing/scam sites: a site about stocks from Shanghai Huaer Securities, and a government lottery. These two types of sites use a large number of pages with an IFRAME displaying the main site, and both follow a similar layout. The domain names are registered to different people, so the phishers may not be affiliated.
Shanghai Huaer Securities
This site claims to be a stock trading company for the Shanghai Securities market.
 |
| Shanghai Securities trading site. |
The main sites is hosted on huaerzq.com. The "Add to Favorite" links do not use the same domain, rather they leverage short links (http://www.goo.gl/YebPW) which redirect to huaer88997766.now.to, which is simply an IFRAME to huaerzq.com.
There are many now.to sub-domains which display this website:
soso112233.now.to
huaer88997766.now.to
hua123567000.now.to
hua88899900.now.to
gugu99889988.now.to
gugu001122.now.to
lang123123.now.to
gugu6677.now.to
168.hua8899.now.to
soso9988.now.to
gugu8899.now.to
33223388.now.to
Government lottery
The second type of site claims to be a Government lottery. Proceeds are purported to help the kids you see on the right side. I found two slightly different versions of this site.
 |
| Fake government lottery |
www.330069.com
55882.co.cc
55571.co.cc
And the following domains contain an IFRAME to one of the sites above:
797.feels3.de
90.ezpagez.com
www.66797.co.cc
These sites are not blocked by any popular phishing blacklist that I am aware of, and will therefore likely stay up for some time.
-- Julien