I find Chinese phishing sites particularly interesting. For starters, they don't seem to attract too many security researchers. I have found that very few Chinese sites are blocked by Phishtank or Google Safe Browsing. Additionally, the type of phishing is very different from what we see in the US or other western countries. While sites related to banking (PayPal, Bank of America, JPMorgan, etc.) are the primary targets of phishers overall, Chinese phishing sites are mainly focused on QQ (instant messaging, online games, etc.) or Yahoo! Auctions.
Recently, I found two Chinese phishing/scam sites: a site about stocks from Shanghai Huaer Securities and a site for a government lottery. These two types of sites use a large number of pages with an iframe displaying the main site, and both follow a similar layout. The domain names are registered to different people, so the phishers may not be affiliated.
Shanghai Huaer Securities
This site claims to be a stock trading company for the Shanghai Securities market.
|Shanghai Securities trading site|
The main sites is hosted on huaerzq.com. The "Add to Favorite" links do not use the same domain. Rather, they leverage short links (http://www.goo.gl/YebPW) which redirect to huaer88997766.now.to, which is simply an iframe to huaerzq.com.
There are many now.to sub-domains which display this website:
soso112233.now.to huaer88997766.now.to hua123567000.now.to hua88899900.now.to gugu99889988.now.to gugu001122.now.to lang123123.now.to gugu6677.now.to 168.hua8899.now.to soso9988.now.to gugu8899.now.to 33223388.now.to
The second type of site claims to be a government lottery. Proceeds are purported to help the kids you see on the right side. I found two slightly different versions of this site.
|Fake government lottery|
This site is hosted on these domains:
www.330069.com 55882.co.cc 55571.co.cc
And the following domains contain an iframe to one of the sites above:
797.feels3.de 90.ezpagez.com www.66797.co.cc
These sites are not blocked by any popular phishing denylist that I am aware of and will therefore likely stay up for some time.