I find Chinese phishing sites particularly interesting. For starters, they don't seem to attract too many security researchers: I have found that very few Chinese sites are blocked by Phishtank or Google Safe Browsing. Additionally, the type of phishing is very different from what we see in the US or other Western countries. While sites related to banking (PayPal, Bank of America, J.P. Morgan, etc.) are the primary targets of phishers overall, Chinese phishing sites are mainly focused on QQ (instant messaging, online games, etc.) or Yahoo! Auctions.
Recently I found two Chinese phishing/scam sites: a site about stocks from Shanghai Huaer Securities, and a government lottery. Both use a large number of throwaway pages, each of which is just an IFRAME displaying the main site, and both follow a similar layout. The domain names are registered to different people, so the phishers may not be affiliated.

Shanghai Huaer Securities
This site claims to be a stock trading company for the Shanghai Securities market.
[Screenshot: Shanghai Securities trading site.]
The main site is hosted on huaerzq.com. The "Add to Favorite" links do not point at that domain; instead they use short links (http://www.goo.gl/YebPW) which redirect to huaer88997766.now.to, a page that is simply an IFRAME displaying huaerzq.com.
There are many now.to sub-domains which display this website:
soso112233.now.to
huaer88997766.now.to
hua123567000.now.to
hua88899900.now.to
gugu99889988.now.to
gugu001122.now.to
lang123123.now.to
gugu6677.now.to
168.hua8899.now.to
soso9988.now.to
gugu8899.now.to
33223388.now.to
Government lottery
The second type of site claims to be a government lottery. Proceeds are purported to help the children pictured on the right side of the page. I found two slightly different versions of this site.
[Screenshot: Fake government lottery]
This site is hosted on these domains:
www.330069.com
55882.co.cc
55571.co.cc
And the following domains contain an IFRAME to one of the sites above:
797.feels3.de
90.ezpagez.com
www.66797.co.cc
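Both the securities site and the lottery site rely on the same trick: many throwaway hostnames that carry no content of their own, only an IFRAME pointing at the real phishing domain. The script below is an added illustration (not Julien's tooling, and not code from either site) of how to triage a batch of fetched page bodies for that pattern: it flags hosts that are bare IFRAME wrappers and clusters them by the domain they display. The page bodies are constructed samples modelled on the layout described above, not captures; the 50-character text threshold and the host names "news.example" and "ads.example" are assumptions for the example.

```python
"""Flag 'IFRAME wrapper' hosts and map each one to the real phishing domain
it displays. Added illustration; the sample pages below are constructed,
not captured from the sites named in the post."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FrameParser(HTMLParser):
    """Collect IFRAME/FRAME src attributes and count the page's own visible text."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.text_chars = 0
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def _parse(html):
    parser = _FrameParser()
    parser.feed(html)
    parser.close()
    return parser


def frame_targets(html):
    """Hostnames of every absolute IFRAME/FRAME src on the page (relative srcs ignored)."""
    hosts = [urlparse(src).hostname for src in _parse(html).frame_srcs]
    return [h for h in hosts if h]


def is_wrapper(html, max_text_chars=50):
    """A wrapper page frames another site and has (almost) no text of its own.
    max_text_chars is an assumed threshold: room for a <title>, not for a real page."""
    parsed = _parse(html)
    return bool(parsed.frame_srcs) and parsed.text_chars <= max_text_chars


def group_wrappers_by_target(pages):
    """pages: {host: html}. Returns {framed_domain: [wrapper hosts]}, which
    clusters the throwaway subdomains around the site they all display."""
    groups = {}
    for host, html in pages.items():
        if not is_wrapper(html):
            continue
        for target in frame_targets(html):
            groups.setdefault(target, []).append(host)
    return {target: sorted(hosts) for target, hosts in groups.items()}


# Constructed sample bodies modelled on the layout described in the post.
_WRAPPER = (
    '<html><head><title>x</title></head><body style="margin:0">'
    '<iframe src="{}" width="100%" height="100%" frameborder="0"></iframe>'
    "</body></html>"
)
SAMPLE_PAGES = {
    "huaer88997766.now.to": _WRAPPER.format("http://huaerzq.com/"),
    "soso112233.now.to": _WRAPPER.format("http://huaerzq.com/index.htm"),
    "797.feels3.de": _WRAPPER.format("http://www.330069.com/"),
    # The real site: plenty of its own text, so it is not a wrapper.
    "huaerzq.com": (
        "<html><body><h1>Shanghai Huaer Securities</h1>"
        "<p>Open an account today and trade on the Shanghai Securities market "
        "with our award-winning online platform.</p></body></html>"
    ),
    # Assumed legitimate page that merely embeds an ad IFRAME: its own text
    # dominates, so it must not be flagged as a wrapper.
    "news.example": (
        '<html><body><iframe src="http://ads.example/banner"></iframe>'
        "<h1>Market news</h1><p>The index closed higher today after a volatile "
        "session driven by heavy trading in financial stocks.</p></body></html>"
    ),
}

if __name__ == "__main__":
    for target, hosts in group_wrappers_by_target(SAMPLE_PAGES).items():
        print(f"{target}: {', '.join(hosts)}")
```

In practice the page bodies would come from fetching each suspicious host (with a timeout and a browser-like User-Agent, since some of these kits serve different content to scanners), and the clusters give you the one domain worth reporting to a blacklist: blocking the wrappers alone does nothing, since the phisher registers a fresh now.to or co.cc name in minutes.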
These sites are not blocked by any popular phishing blacklist that I am aware of, and will therefore likely stay up for some time.
-- Julien