Xiū gǒu, New Phishing Kit Targets the US, the UK, Australia, Japan, and Spain via 2,000 Fake Sites

Written by: Lore Apostol, Infosec Writer & Editor

Cybersecurity experts have unveiled a sophisticated phishing kit, Xiū gǒu, that targets various sectors, including public services, postal, digital platforms, and banking in the U.S., Australia, the U.K., Japan, and Spain.

According to Netcraft, over 2,000 phishing websites have been identified utilizing Xiū gǒu. Developed by a Chinese-speaking threat actor, this kit has been active since at least September 2024 and includes a branded mascot and interactive features for entertainment purposes.

Notably, the kit uses Cloudflare's anti-bot and hosting obfuscation techniques to evade detection. These developments were partly documented by security researchers Will Thomas and Fox_threatintel last month.

Xiū gǒu's design includes an admin panel built using Golang and Vue.js, facilitating the exfiltration of credentials via Telegram. 

The phishing attacks are propagated through Rich Communication Services (RCS) messages that simulate real-world scenarios such as parking penalties and failed deliveries. This method manipulates recipients into divulging personal details or making payments.

The threat extends to the use of shortened URLs to further obscure malicious links. RCS's integration in Apple Messages (iOS 18) and Google Messages for Android complicates detection due to its advanced messaging features.

In response, tech companies are enhancing security measures. For instance, Google is piloting new security warnings in countries like India and Thailand and expanding them globally by year-end. These measures include blocking suspicious senders and deploying machine-learning models for scam detection.

Simultaneously, an ongoing phishing campaign targets Facebook business accounts. This operation involves distributing malware such as Lumma or Rhadamanthys through deceptive emails masquerading as legal notices.

The cybersecurity landscape continues to face threats from sophisticated campaigns. In recent news, hackers used fake Google Meet conference errors to distribute infostealers such as StealC and Rhadamanthys, backed by social engineering that impersonates Zoom, PDF readers, video games, web3 browsers, and messenger applications.


