Chinese Phishing Sites: Stocks And Government Lottery

I find Chinese phishing sites particularly interesting. For starters, they don't seem to attract too many security researchers. I have found that very few Chinese sites are blocked by Phishtank or Google Safe Browsing. Additionally, the type of phshing is very different from what we see in the US or other Western countries. While sites related to banking (PayPal, Bank of America, J.P. Morgan, etc.) are the primary targets of phishers overall, Chinese phishing sites are mainly focused on QQ (Instant messaging, online games, etc.) or Yahoo! Auctions.

Recently I found two Chinese phishing/scam sites: a site about stocks from Shanghai Huaer Securities, and a government lottery. These two types of sites use a large number of pages with an IFRAME displaying the main site, and both follow a similar layout. The domain names are registered to different people, so the phishers may not be affiliated.

Shanghai Huaer Securities

This site claims to be a stock trading company for the Shanghai Securities market.

Shanghai Securities trading site.

The main sites is hosted on huaerzq.com. The "Add to Favorite" links do not use the same domain, rather they leverage short links (http://www.goo.gl/YebPW) which redirect to huaer88997766.now.to, which is simply an IFRAME to huaerzq.com.

There are many now.to sub-domains which display this website:

soso112233.now.to
huaer88997766.now.to
hua123567000.now.to
hua88899900.now.to
gugu99889988.now.to
gugu001122.now.to
lang123123.now.to
gugu6677.now.to
168.hua8899.now.to
soso9988.now.to
gugu8899.now.to
33223388.now.to

Government lottery

The second type of site claims to be a Government lottery. Proceeds are purported to help the kids you see on the right side. I found two slightly different versions of this site.

Fake government lottery

This site is hosted on these domains:

www.330069.com
55882.co.cc
55571.co.cc

And the following domains contain an IFRAME to one of the sites above:

797.feels3.de 
90.ezpagez.com
www.66797.co.cc

These sites are not blocked by any popular phishing blacklist that I am aware of, and will therefore likely stay up for some time.

-- Julien

Insights and Research

Chinese Phishing Sites: Stocks And Government Lottery

Author

Julien Sobrier

Recommended for You

2021 “Exposed” Report – An Exposé on the True Corporate Network Attack Surface

Coverage Advisory For Email Based Attack From Nobelium

Threat Actors Distribute Malicious VPN Apps Masquerading as Popular Vendors

ThreatLabZ Ransomware Review: The Advent of Double Extortion

Stay up to date with the latest digital transformation tips and news.

By clicking the submit button, you are agreeing to our privacy policy.

Take the first steps on your transformation journey

English

Français

Deutsch

日本語

Subscribe and keep in touch with us!

By clicking the submit button, you are agreeing to our privacy policy.

©2008-2021 Zscaler, Inc. All rights reserved.