December 2024 Web Server Survey
https://www.netcraft.com/blog/december-2024-web-server-survey/
Thu, 19 Dec 2024 13:45:58 +0000

In the December 2024 survey we received responses from 1,149,724,280 sites across 272,582,582 domains and 13,260,653 web-facing computers. This reflects an increase of 8.6 million sites, 550,526 domains, and 146,420 web-facing computers.

nginx experienced the largest gain of 6.4 million sites (+2.92%) this month, and now accounts for 19.7% (+0.41pp) of sites seen by Netcraft. Cloudflare made the next largest gain of 2.6 million sites (+1.90%).

Apache experienced the largest loss of 1.1 million sites (-0.54%) this month, reducing its market share to 17.3% (-0.23pp). OpenResty suffered the next largest loss, down by 1.0 million sites (-0.88%).

000webhost shutdown

Earlier this year, Hostinger announced the closure of its 000webhost brand, which provided free web hosting. It has now shut down all remaining 000webhost sites, resulting in the number of sites hosted at Hostinger dropping by just under 50% this month – from 15.3 million to 8.1 million.

Graph showing the number of sites hosted by Hostinger since 2021.

Most of the sites Hostinger lost this month no longer exist – only around 114,000 moved to competitors.

Vendor news

Total number of websites
Web server market share
Developer     November 2024   Percent   December 2024   Percent   Change (pp)
nginx           219,759,986    19.26%     226,171,028    19.67%         0.41
Apache          199,979,734    17.52%     198,890,333    17.30%        -0.23
Cloudflare      134,206,904    11.76%     136,757,549    11.89%         0.13
OpenResty       113,588,554     9.95%     112,584,126     9.79%        -0.16

Web server market share for active sites
Developer     November 2024   Percent   December 2024   Percent   Change (pp)
nginx            36,316,193    18.92%      36,362,945    18.81%        -0.10
Apache           34,282,183    17.86%      34,037,621    17.61%        -0.25
Cloudflare       31,345,424    16.33%      31,976,614    16.55%         0.22
Google           18,476,835     9.63%      19,724,966    10.21%         0.58

For more information see Active Sites.

Web server market share for top million busiest sites
Developer     November 2024   Percent   December 2024   Percent   Change (pp)
Cloudflare          239,325    23.93%         241,861    24.19%         0.25
nginx               198,976    19.90%         198,724    19.87%        -0.03
Apache              184,687    18.47%         182,697    18.27%        -0.20
Microsoft            43,604     4.36%          42,514     4.25%        -0.11

Web server market share for computers

Developer     November 2024   Percent   December 2024   Percent   Change (pp)
nginx             5,132,851    39.14%       5,107,656    38.52%        -0.62
Apache            3,118,996    23.78%       3,122,055    23.54%        -0.24
Microsoft         1,221,517     9.31%       1,219,404     9.20%        -0.12

Web server market share for domains

Developer     November 2024   Percent   December 2024   Percent   Change (pp)
Apache           54,459,549    20.02%      53,825,093    19.75%        -0.27
nginx            50,271,645    18.48%      49,627,315    18.21%        -0.27
OpenResty        48,364,423    17.78%      47,817,232    17.54%        -0.24
Cloudflare       26,179,507     9.62%      26,923,570     9.88%         0.25

November 2024 Web Server Survey
https://www.netcraft.com/blog/november-2024-web-server-survey/
Fri, 29 Nov 2024 22:36:06 +0000

In the November 2024 survey we received responses from 1,141,129,846 sites across 272,032,056 domains and 13,114,233 web-facing computers. This reflects an increase of 10.1 million sites, 277,239 domains, and 110,998 web-facing computers.

Cloudflare experienced the largest gain of 2.6 million sites (+1.96%) this month, and now accounts for 11.8% (+0.12pp) of sites seen by Netcraft. Google made the next largest gain of 1.4 million sites (+2.39%).

nginx experienced the largest loss of 6.6 million sites (-2.92%) this month, reducing its market share to 19.3% (-0.75pp). Microsoft suffered the next largest loss, down by 634,406 sites (-3.24%).

Vendor news

Total number of websites
Web server market share
Developer      October 2024   Percent   November 2024   Percent   Change (pp)
nginx           226,359,600    20.01%     219,759,986    19.26%        -0.75
Apache          199,150,231    17.61%     199,979,734    17.52%        -0.08
Cloudflare      131,624,333    11.64%     134,206,904    11.76%         0.12
OpenResty       113,940,338    10.07%     113,588,554     9.95%        -0.12

Web server market share for active sites
Developer      October 2024   Percent   November 2024   Percent   Change (pp)
nginx            36,782,559    18.98%      36,316,193    18.92%        -0.06
Apache           34,610,609    17.86%      34,282,183    17.86%        -0.00
Cloudflare       31,263,058    16.13%      31,345,424    16.33%         0.20
Google           19,110,196     9.86%      18,476,835     9.63%        -0.24

For more information see Active Sites.

Web server market share for top million busiest sites
Developer      October 2024   Percent   November 2024   Percent   Change (pp)
Cloudflare          238,294    23.83%         239,325    23.93%         0.10
nginx               200,444    20.04%         198,976    19.90%        -0.15
Apache              186,870    18.69%         184,687    18.47%        -0.22
Microsoft            43,904     4.39%          43,604     4.36%        -0.03

Web server market share for computers

Developer      October 2024   Percent   November 2024   Percent   Change (pp)
nginx             5,053,891    38.87%       5,132,851    39.14%         0.27
Apache            3,131,957    24.09%       3,118,996    23.78%        -0.30
Microsoft         1,170,825     9.00%       1,221,517     9.31%         0.31

Web server market share for domains

Developer      October 2024   Percent   November 2024   Percent   Change (pp)
Apache           54,637,399    20.11%      54,459,549    20.02%        -0.09
nginx            51,352,878    18.90%      50,271,645    18.48%        -0.42
OpenResty        48,775,697    17.95%      48,364,423    17.78%        -0.17
Cloudflare       25,652,494     9.44%      26,179,507     9.62%         0.18

Black Friday Gets a Fakeover: Fake Stores Spike 110% by Using LLMs this Holiday Shopping Season
https://www.netcraft.com/blog/2024-llm-powered-fake-online-shopping-site-surge/
Tue, 26 Nov 2024 01:36:33 +0000

Key Data

This article explores Netcraft’s research into the global growth of fake stores, including activity that makes use of the e-commerce platform SHOPYY to target Black Friday shoppers. Insights include:

  • An increase of 110% in fake stores identified between August and October 2024
  • Tens of thousands of fake stores utilizing the e-commerce tech platform SHOPYY
  • More than 66% of SHOPYY-powered sites identified as fake stores
  • More than 9,000 new and unique fake store domains detected by Netcraft between November 18–21, hosted on SHOPYY alone
  • Most activity attributed to threat actors likely operating from China
  • Activity primarily targeting U.S. shoppers
  • Use of Large Language Models (LLMs) to generate text for product listings

Overview

Cyber Week, running from Black Friday to Cyber Monday (and often extending beyond), has become synonymous with holiday season shopping. Brands and e-commerce marketplaces offer significant discounts throughout November to entice consumers to buy products from their online stores. Some forecasts predict that 2024 Black Friday purchases will exceed those of 2023 by $1 billion. While legitimate brands go all out to provide the best offers, some too-good-to-be-true discounts are an indication of more malevolent activity — fraudulent online stores. 

In 2023, we saw a 135% increase in fake online stores leading up to the holidays. This trend continues in 2024, with a 110% increase in domains hosting fake stores from August to October. This represents an all-time high, with more activity expected before the end of November 2024. 

Free domain names have not been available since 2023, so this growth represents a record investment in domain names for fake stores, with each domain carrying a registration cost of $1 or more.

Powering the surge in volume is threat actors’ use of Large Language Models (LLMs) to generate long- and short-form text for the product descriptions on these sites. We first observed LLM-generated retail product descriptions in July 2024, and similar behaviors continue into the holiday shopping season. This includes examples of fake stores appropriating product listings directly from Amazon and using LLMs to rewrite the copy for enhanced search engine performance.

Large Language Product Laundering

SHOPYY (also referred to as SHOPOEM) is a Chinese e-commerce platform offering a broad portfolio of technical solutions to help retailers build and optimize online stores, promote their products, and accept different payment types. SHOPYY also provides hosting and domain registration on behalf of store operators.

Unfortunately, the customization and convenience that benefit genuine retailers can be misused by cybercriminals. While some legitimate businesses use SHOPYY as their e-commerce platform partner, we’ve detected thousands of SHOPYY-powered fake stores, increasing month-over-month since April 2024. Between November 18 and 21 alone, Netcraft’s systems identified more than 9,000 new fake store domains hosted through SHOPYY.

These sites often impersonate established brands to take advantage of their intellectual property, brand reputation, and existing customer base. Instead of offering the same quality products and services, they trick unsuspecting shoppers into paying for fake, substandard, or non-existent products. 

SHOPYY’s sprawling store portfolio, which spans multiple hosting providers and domain registrars, creates opportunities for criminal exploitation. Such a large and distributed infrastructure means abuse reporting and effective controls are harder to orchestrate, which is likely why the majority of stores on SHOPYY appear to be fraudulent. 

The spike since April 2024 can be mostly attributed to activities that catalog product listings scraped from Amazon. Since SHOPYY mainly serves Chinese-speaking users (the platform was founded in Xiamen, China, and offers documentation written exclusively in Mandarin Chinese), these threat actors are likely operating from the region. The activity targets English-speaking shoppers primarily in the U.S., with product listings scraped from Amazon’s U.S. site, which lists prices in USD.

Campaign Hallmarks

The following sections explore the hallmarks and behaviors exemplified by these SHOPYY threat actors.

Low Code Black Friday Branding

In early November, Netcraft systems observed SHOPYY-powered fake stores using a new “Black Friday” widget. This widget adds new code to their websites, revealing the promotional text that reads “Get Early Access to Our Black Friday Deals & More!” and Black Friday-themed imagery. Shortly after the code was introduced, these promotions became visible to site visitors (on November 19).

Fig. 1. Source code from a fake store site using the Black Friday widget.

Fig. 2. Example Black Friday-themed image.

Copy and Paste Amazon Product Listings

All of the sites identified list products cloned from Amazon, going so far as to configure each product ID to match the original listing. In the example below, the listing is a near-exact clone (containing the same product identifier — B08G8WTDR9 — in the URL). The only changes include new Teamfar product branding and a 30% discount.

Fig. 3. (Left) Fake store listing for a Teamfar-branded stock pot priced at $18.19. (Right) The same stockpot with an identical product description and different branding on Amazon for $25.99.

Deep discounts are a telltale sign of fraudulent online activity, enticing victims to purchase via criminal-controlled sites. Following payment, these criminals may complete the order using one of the following actions:

  • Provide legitimate goods by carrying out return fraud (receiving a refund for a product without completing a legitimate return) or paying using stolen credit cards
  • Send the buyer low-quality, potentially counterfeit goods
  • Most often, send nothing at all, keeping the payment and harvesting the victim’s details.

LLM-Generated Titles and Descriptions

Many of these sites use LLMs to rewrite the titles and descriptions for cloned product listings. This frequently yields convincing results. However, in many other cases the LLM leaves artifacts that describe its own response to the prompt (the set of instructions given to elicit a desired response or action from the model). These errors likely survive because of the sheer scale of the activity, which makes human review uneconomical. Language differences between the threat actor and their victims can also mean that text errors are overlooked.

LLMs are often used to rewrite product details with prompts to:

  • Refine, simplify, and include keywords in the text (likely for search engine optimization (SEO) purposes)
  • Change the wording and reduce duplication while maintaining the same meaning

These characteristics are seen in the nutribullet blender listing below. If the framing text had been removed, the only change would have been removing the word “personal” that appears in the original Amazon listing. The description also appears to be generated using an LLM, featuring the verbose, formal writing style typical of most language models. In both listings, the URL includes the Amazon product code B0CBWD3PN7.

Fig. 4 – 5. Artifacts reveal the use of LLMs to rewrite Amazon product descriptions. The nutrishop fake store listing for the nutribullet blender (top) has cloned, rewritten text from the Amazon listing (bottom).

In addition to editing listing titles, LLMs are being used to generate product descriptions, as shown in the Le Creuset example below. Here, the listing also leaks the threat actor’s text prompt with the response: “Here’s a rephrased version of each line to maintain their meanings while avoiding duplication.”

Fig. 6. This fake store, impersonating Le Creuset, leaks information about the LLM’s prompt as an artifact.

In the examples below, the entire product description has been populated with the original prompts:

  • A rephrasing of “Modify the wording of each line to avoid duplicates while retaining the same meaning” appears in several forms where the LLM has resynthesized the text.
  • The prompt appears verbatim: “Please rewrite the following content, adjusting the sentence structure while preserving the original meaning. Ensure the result remains within 500 words for better readability. Focus on using English directly in the output.”

Fig. 7. A fake store selling air conditioning equipment leaks the LLM prompt asking for each line to be reworded.

Fig. 8. A coffee-themed fake store leaks the LLM prompt used in full.

In Fig. 7, note how a lack of input from the original product description has caused the LLM to hallucinate the “MA” in the text as the U.S. state code for Massachusetts.

Fake Trusted Store Seals

Trust adds value to online stores and their products. Many of the websites described in this article feature a “Trusted Store” seal, either at the bottom of the page or directly under a product listing. When clicked, this offers a fake certification list: Certified Secure; 100% Issue-Free; Verified Business; Data Protection.

Unlike legitimate trust seals, there is no indication of who issued the certification, which demonstrates the bogus nature of the claim. To any unsuspecting user, this indicator of fraudulent activity could be easily missed.

Fig. 9. Bogus “Trusted Store” seal on fake store sites.

This same seal is used on a range of fake shopping sites with different behaviors, suggesting it may be a plug-in available as a SHOPYY feature. 

Flash Sale Page

The /MoreThemePages/ path on these sites (linked in the header or footer) takes the user to a “Flash Sale” page. In some cases, this page is broken. In others, it lists products from the fake store alongside various SEO terms tailored for seasonal sales throughout the year. This includes Black Friday, Valentine’s Day, Spring and Winter sales, and calendar months.

While LLMs don’t appear to have been used on this particular page, they are readily used by cybercriminals for SEO purposes.

Fig. 10. Fake store using Black Friday terms for SEO alongside a selection of other discount and seasonal terms.

.shop Top-Level Domain

This surge of activity almost exclusively uses the .shop top-level domain (TLD): 93.5% of SHOPYY fake stores do so. The second most common TLD is .com, accounting for 4.2% of all SHOPYY-powered domains.

Using .shop has dual benefits for fake store operators: 

  • It may suggest to any unsuspecting user that the shop is legitimate (“.shop” is a recognized TLD like “.com”) despite fewer legitimate online stores using it;
  • It’s also a particularly low-cost solution for new domain registrations, reducing the cost of setting up many domains for criminal campaigns 
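
The hallmarks above (the .shop TLD, an Amazon product identifier carried in the URL, the /MoreThemePages/ Flash Sale page, the issuer-less “Trusted Store” seal, and LLM prompt text leaking into product copy) can be turned into a first-pass triage score. The following is an added example written for this article, not Netcraft’s detection logic or any SHOPYY code. The first three artifact phrases are the ones quoted above; the remaining patterns, the indicator weights, the threshold, the ASIN-format heuristic and every domain and product text used as input are assumptions constructed for the illustration.

```python
# Heuristic scoring of a store page against the SHOPYY campaign hallmarks.
# Added example: weights, threshold, sample domains and texts are constructed.
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Amazon ASINs are 10-character alphanumeric codes; consumer-product ASINs
# almost always start with "B0", as both identifiers quoted in the article
# (B08G8WTDR9, B0CBWD3PN7) do. This is a heuristic, not Amazon's spec.
ASIN_RE = re.compile(r"\bB0[A-Z0-9]{8}\b")

# Phrases an LLM emits when it narrates its own rewriting task. The first
# three mirror artifacts quoted in the article; the rest are generic variants
# of the same instructions (assumption, not taken from the page).
LLM_ARTIFACT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"here['\u2019]s a rephrased version",
        r"please rewrite the following content",
        r"(?:modify|adjust) the wording of each line",
        r"(?:retain|preserv|maintain)\w* (?:the |their )?(?:same |original )?meaning",
        r"avoid(?:ing)? duplicat(?:es|ion)",
        r"within \d+ words",
    )
]

# The four labels shown under the bogus "Trusted Store" seal.
TRUST_SEAL_LABELS = ("certified secure", "100% issue-free",
                     "verified business", "data protection")

FAKE_THRESHOLD = 4  # constructed cut-off: one weak signal alone never trips it


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)

    def add(self, name, weight):
        self.indicators.append(name)
        self.score += weight


def find_llm_artifacts(text):
    """Return one matched phrase per artifact pattern present in the text."""
    hits = []
    for pattern in LLM_ARTIFACT_PATTERNS:
        m = pattern.search(text)
        if m:
            hits.append(m.group(0))
    return hits


def score_store_page(url, page_text, links=()):
    """Score one page: TLD, cloned ASIN in URL, Flash Sale path, seal, LLM leaks."""
    verdict = Verdict()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    lowered = page_text.lower()

    if host.endswith(".shop"):                       # 93.5% of the campaign,
        verdict.add("tld:.shop", 1)                  # but legitimate .shop exists
    asin = ASIN_RE.search(parsed.path)
    if asin:                                         # listing cloned with its ASIN
        verdict.add("asin_in_url:" + asin.group(0), 2)
    if any("/MoreThemePages/" in link for link in links):
        verdict.add("flash_sale_path", 2)            # SEO "Flash Sale" page
    if "trusted store" in lowered and \
            sum(label in lowered for label in TRUST_SEAL_LABELS) >= 3:
        verdict.add("bogus_trust_seal", 2)           # seal that names no issuer
    if find_llm_artifacts(page_text):
        verdict.add("llm_prompt_leak", 3)            # model narrating its prompt
    return verdict


def is_likely_fake_store(url, page_text, links=()):
    return score_store_page(url, page_text, links).score >= FAKE_THRESHOLD


# Constructed samples (not real sites). The fake one stitches together the
# hallmarks described in the article; the prompt-leak sentence is the one
# quoted from the Le Creuset impersonation.
FAKE_URL = "https://kitchen-bargains-example.shop/products/B0CBWD3PN7-blender"
FAKE_TEXT = (
    "Here’s a rephrased version of each line to maintain their meanings "
    "while avoiding duplication.\n"
    "Compact blender for smoothies and shakes. 30% off for Black Friday!\n"
    "Trusted Store: Certified Secure | 100% Issue-Free | Verified Business | "
    "Data Protection"
)
FAKE_LINKS = ("/MoreThemePages/", "/collections/all", "/cart")

LEGIT_URL = "https://www.example.com/products/enamelled-cast-iron-dutch-oven"
LEGIT_TEXT = ("Enamelled cast iron Dutch oven, 5.5 qt. Oven safe to 260 C. "
              "Free returns within 30 days.")
LEGIT_LINKS = ("/collections/cookware", "/pages/returns")

if __name__ == "__main__":
    for label, args in (("fake", (FAKE_URL, FAKE_TEXT, FAKE_LINKS)),
                        ("legit", (LEGIT_URL, LEGIT_TEXT, LEGIT_LINKS))):
        v = score_store_page(*args)
        print(f"{label}: score={v.score} fake={v.score >= FAKE_THRESHOLD} "
              f"indicators={v.indicators}")
```

Run directly, it scores the two constructed pages. The .shop signal is deliberately weighted low: it covers 93.5% of the campaign but legitimate .shop stores exist, so the TLD alone never crosses the threshold. The cloned ASIN and the prompt-leak phrases carry the weight because they are specific to the behaviour described above, and the seal check requires the “Trusted Store” wording plus at least three of its four labels so that a single coincidental phrase does not fire it.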

In Summary

Black Friday, Cyber Monday, and the extended holiday shopping season are a time of heightened retail spending and online activity. This provides the ideal environment for threat actors to profit from shoppers’ money and data using fake stores. The allure of discounts and limited-time offers, and their sheer volume at this time of year, can easily create a false sense of security for consumers, making them more susceptible to scams.

With the use of LLMs and the customization available in tools like SHOPYY, cybercriminals can affordably create and host convincing fake stores quickly and at scale. 

For retailers, fake stores are more than just a consumer inconvenience. They represent a significant brand protection and reputation issue. Fake store scams that impersonate your brand can result in: 

  • Damage to customer confidence and trust
  • Increased complaints and negative reviews
  • Added resulting support costs
  • Lost revenue, as sales are diverted from legitimate sites

To combat the fake store threat, retailers must invest in proactive security measures, educate customers, and actively monitor for fraudulent activity and brand impersonation.

Netcraft’s fake store solutions detect, take down, and provide valuable intelligence on the criminals exploiting your customers and extracting value from your organization. We analyze more than 600,000 e-commerce sites per month and have taken down hundreds of thousands of fake shops to date, giving brands the freedom and confidence to grow their business without fear of brand abuse.

To find out more, read our latest fake store case study for fashion retailer YoungLA or book a demo now.


How to Prevent Phishing Attacks
https://www.netcraft.com/blog/how-to-prevent-phishing-attacks/
Tue, 12 Nov 2024 14:43:31 +0000

Contents
  1. Overview
  2. How Do Phishing Attacks Work?
  3. What’s the Impact of These Phishing Attacks?
  4. Why Do Organizations Struggle When Responding to External Phishing Threats?
  5. How to Prevent and Respond to Customer-Facing Phishing Attacks
  6. What Next?

Overview

This article explains phishing attacks through the specific lens of those that target your customers, including:

  • How phishing attacks work
  • How they exploit your customers and users, your brand, and your intellectual property (e.g., your website or app)
  • What impact they can have
  • Why so little is often done to counter them
  • How to prevent them

Customer-Facing Phishing Attacks

Most phishing attacks will follow one of two strategies:

  • Targeting employees with the goal of exfiltrating data from within your organization or gaining a foothold from which to cause further damage
  • Targeting your organization’s customers and users with the goal of exfiltrating their personal data or causing them harm via malware deployment and other tactics

The strategy used depends on the nature of the threat actors carrying out the attack, their motives, and their objectives.

While the first strategy falls under the primary remit of your security team and is often well understood, less is known and practiced with regard to the second. Phishing attacks that target your customers are more nebulous. Not only can they be much harder to detect, classify, and remediate; addressing them also requires a more diverse stakeholder mix (beyond the security team alone).

Phishing attacks that target your customers—be they buyers or users—can have far-reaching consequences. While the victims themselves often come to harm, sometimes financially, the organizations that are impersonated can suffer too: a damaged reputation, additional security remediation and customer service costs, compensation payouts and fines, or a mix of these effects.

Thankfully, there are now a range of phishing detection and disruption solutions to help you protect your customers and brand.

How Do Phishing Attacks Work?

Phishing attacks that target your customers use a mix of techniques to impersonate your organization and deceive individuals into providing sensitive information, such as passwords, payment card numbers, and other personally identifiable information (PII). These threats utilize lure messages—communications used to drive engagement—and may take place across a range of channels, including email, phone calls (vishing), text messages (smishing), and social media. More novel means are also used, such as QR codes (quishing) and online forum comments. 

Many of these threat actors rely on phishing kits to build their campaigns. These kits are developed by more technically capable criminals and contain everything needed to set up phishing attack infrastructure, including the functionality required to mimic websites and apps and to exfiltrate user data. In essence, they are a do-it-yourself (DIY) starter kit for anyone who wants to get started in cybercrime, regardless of their technical capability. Phishing kits lower the barrier to entry and enable threat actors to cause harm faster and more effectively than they otherwise could.

Phishing attacks use content that mirrors the brand style and user interface(s) from known and trusted organizations. High-value targets like banks, service providers, and even government agencies experience increased risk, along with popular and highly visible brands.

Typically, the kill chain for these types of phishing attacks follows this flow:

  1. The threat actor deploys lure messages to draw victims to a phishing website.
  2. Victims visit the website and provide their personal information or credentials.
  3. The threat actor harvests and exfiltrates the victim data and stores it, ready to either:
     a. sell the stolen credentials on the dark web and raise capital to invest in more sophisticated attacks, or
     b. use the stolen credentials to steal the victim’s funds directly.

What’s the Impact of These Phishing Attacks?

The direct victims, your customers, are not the only ones impacted by this type of external phishing attack. Organizations are affected by these threats in a number of ways.

Loss of Customer Trust

Trust is a key pillar for businesses, especially those that handle sensitive information, such as banks, e-commerce platforms, and online service providers. When customers fall victim to phishing attacks that misuse your brand, their trust can erode quickly; if they believe that interacting with your organization online puts them at risk, they are likely to look for alternatives where trust has a higher guarantee. 

According to Security Magazine, 75% of US consumers will sever ties with a brand in the aftermath of any cybersecurity issue, with 44% attributing cyber incidents to an organization’s lack of adequate security controls.

Brand Reputation Damage

Threat actors often use your organization’s brand assets and digital content to dupe your customers. Over time, consistent brand impersonation can tarnish your organization’s reputation. Negative press or social media backlash may paint your organization as either complicit in the attacks or ineffective in protecting customers. In all cases, brand protection solutions are required.

Financial and Legal Ramifications

If a customer falls victim to a phishing attack that uses your branding, the financial consequences can extend beyond the individual. Victims may file complaints, pursue legal action, or demand compensation for incurred losses. 

To maintain trust and provide the highest levels of service, most US financial institutions (though not yet required by regulation) reimburse customers who have lost money to fraud and scams. In the UK, regulations this year from the Payment Systems Regulator (PSR) require 50% of the sum lost to be covered by the sending institution and 50% by the receiving institution. Additional regulations will likely follow in other countries around the globe, increasing the financial responsibility of financial institutions. 

In some sectors, regulators may impose fines if an organization is found to lack adequate protections and response mechanisms. For industries that handle sensitive data, such as healthcare and finance, regulatory scrutiny is particularly intense.

Increased Customer Service Burden

Widespread phishing attacks of this nature may increase pressure on your customer service teams as victims flood your support channels with complaints, questions, and requests for help. This can divert resources away from regular customer service operations, increasing operational costs and reducing the standard of your customer care.

Why Do Organizations Struggle When Responding to External Phishing Threats?

Phishing disruption that focuses on your customers’ safety is essential to the long-term protection and longevity of your brand. As customer expectations rise and competition intensifies, it can make all the difference to your organization’s operational resilience.

While there are many anti-phishing and anti-brand-abuse solutions available, like those provided by Netcraft, it’s also beneficial to recognize what blockers may exist within your organization. Doing so puts you in a much stronger position to identify and deploy the best solution most effectively. 

Heavy Focus on Enterprise Cyber Threats

Enterprise cybersecurity threats that target employees and internal systems (i.e., attacks on the company, not externally) attract more attention and investment because of their immediate, tangible effects on business continuity. The impact of customer-facing phishing attacks is perceived as indirect, leading to less urgency and smaller budgets.

Lack of Integration with Existing Cybersecurity Strategies

There’s limited guidance on how to integrate customer phishing protection into the overall cybersecurity strategy. Often, customer-facing phishing attacks are treated as a marketing or legal concern, thus failing to gain cross-functional support. Lack of collaboration between IT, security, legal, and marketing teams can leave organizations particularly vulnerable to cyber security threats and reputational damage.

Limited Data and Confusion Around Solutions

Generally, the problem space surrounding customer-facing phishing attacks is poorly understood. This is exacerbated two-fold by a lack of convincing ROI data (i.e., the tangible benefits of investing in remediation) and a growing confusion caused by unclear or misleading product messaging. For all organizations, even those aware of the need for action, these factors complicate any efforts to tackle the threat.

By acknowledging these barriers and opening up discussions, you’re better positioned to tackle the threat with the following recommendations.

How to Prevent and Respond to Customer-Facing Phishing Attacks

A mix of tactics can help you prevent customer-facing phishing attacks.

Create a Cross-Departmental Task Force

The initial step to prevent phishing attacks targeting your customers is to recognize that action requires influence and buy-in from stakeholders across IT security, marketing, public relations, legal, and the C-suite. Bringing these individuals and teams together to build a collective strategy is essential to the continued success of any proactive measures.

Educate Your Customers

An informed customer base is the first line of defense against phishing. By educating your customers on the threat and helping them recognize malicious indicators, you can lower the risk of threat actors achieving their objectives. Customer awareness activities include:

  • Direct communications, including emails, newsletters, and in-app notifications showing examples of real phishing attempts and providing step-by-step tips to differentiate between legitimate and fraudulent content.
  • A dedicated page on your website containing information like the above, as well as how customers can report phishing attempts.
  • Automated support that requires limited resources, such as website chatbots, can be used to provide customers with real-time advice if they suspect they are being targeted.

Regularly Update and Secure Your Website

Ensuring that your own websites demonstrate the hallmarks of legitimate content can set the standard for what customers should expect when interacting with your brand. Actions include:

  • SSL/TLS Certificates: Make sure your website has up-to-date SSL/TLS certificates to ensure secure communication between customers and your servers. A visible padlock in the browser’s address bar provides customers with assurance that they are on the legitimate website.
  • Custom Domain Name Extensions: Consider using advanced domain extensions that are harder for criminals to spoof. For instance, if your website uses “.com,” attackers might create a phishing site with a similar domain, such as “.net” or “.co”. Novel extensions can help make your domain less vulnerable to mimicry.

Monitor Social Media Platforms

Since some phishing attacks occur on social media platforms, it’s important to monitor mentions of your brand across these channels. Some organizations use social media monitoring tools to track conversations and flag any potential phishing scams distributed through these platforms. Timely intervention can prevent customers from falling victim.

Target Cybersquatting

Threat actors may register domain names identical or similar to legitimate examples. This is known as cybersquatting and is a common tactic used to dupe victims into interacting with content.

Registering variations of your domain name and key brand-related URLs through a cybersquatting protection service can help prevent them from being acquired and used in phishing attacks. 
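As an added illustration (not Netcraft's code or tooling), the following Python builds the watchlist of lookalike domains a brand owner might pre-register or monitor, covering the TLD swaps mentioned above plus the “.top” TLD and scam keywords (“parking”, “living”) that the Xiū gǒu write-up later in this feed notes; it then screens a constructed list of newly observed domains against that watchlist. The brand domain, the observed domains and the confusable-character table are all constructed for the example.

```python
"""Lookalike-domain watchlist for brand protection.

Added example, not Netcraft's code: builds the set of domain variants a
brand owner might pre-register or monitor, as the cybersquatting section
describes, and checks a constructed list of newly observed domains against it.
"""

# TLD swaps the article mentions (.net/.co) plus .top, which the Xiū gǒu
# write-up later on this page notes is favoured by that kit's operators.
ALT_TLDS = ("net", "co", "top", "org", "info")
# Scam-themed keywords seen prefixed or suffixed to brand names.
KEYWORDS = ("parking", "living", "delivery", "pay", "secure", "login")
# Single-character confusable substitutions (a small, constructed table).
CONFUSABLES = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def split_domain(domain):
    """Return (label, tld) for a second-level domain such as 'example.com'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalikes(brand_domain):
    """Generate the watchlist of domains resembling brand_domain."""
    label, tld = split_domain(brand_domain)
    variants = set()
    # 1. Same label, different TLD (the ".net" / ".co" case from the article).
    for alt in ALT_TLDS:
        if alt != tld:
            variants.add(f"{label}.{alt}")
    # 2. Keyword prefix/suffix, with and without a hyphen, on every TLD.
    for kw in KEYWORDS:
        for t in (tld,) + ALT_TLDS:
            variants.update({f"{label}{kw}.{t}", f"{label}-{kw}.{t}",
                             f"{kw}{label}.{t}", f"{kw}-{label}.{t}"})
    # 3. One confusable-character substitution in the label.
    for i, ch in enumerate(label):
        if ch in CONFUSABLES:
            variants.add(f"{label[:i]}{CONFUSABLES[ch]}{label[i + 1:]}.{tld}")
    variants.discard(brand_domain.lower())
    return variants


def defang(domain):
    """Render a domain as 'example[.]com' so it is not clickable in reports."""
    return domain.replace(".", "[.]")


def refang(domain):
    """Reverse defang() so a defanged feed entry can be compared."""
    return domain.replace("[.]", ".")


def brand_in_label(brand_label, domain):
    """True if the brand name appears anywhere inside the registered label."""
    label, _ = split_domain(domain)
    return brand_label in label


def screen(brand_domain, observed):
    """Return (domain, reason) pairs for observed domains that look like the brand."""
    watch = lookalikes(brand_domain)
    brand_label, _ = split_domain(brand_domain)
    hits = []
    for d in observed:
        d = refang(d).lower()
        if d == brand_domain.lower():
            continue  # the brand's own domain is not a lookalike
        if d in watch:
            hits.append((d, "watchlist"))
        elif brand_in_label(brand_label, d):
            hits.append((d, "brand-in-label"))
    return hits


# Constructed sample of newly observed domains (not real indicators).
OBSERVED = [
    "examplebank[.]com",          # the brand itself
    "examplebank[.]top",          # TLD swap
    "examplebank-parking[.]top",  # keyword suffix on an alternative TLD
    "exampleb4nk[.]com",          # confusable character
    "login-examplebank[.]net",    # keyword prefix
    "examplebankrefund[.]co",     # brand embedded, keyword not in the list
    "weather[.]example",          # unrelated
]

if __name__ == "__main__":
    for d, why in screen("examplebank.com", OBSERVED):
        print(f"{defang(d):35} {why}")
```

Newly registered domains flagged this way are candidates for review and takedown requests, not proof of abuse; the watchlist is also a sensible starting point for deciding which variants to register defensively.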

Work With an Anti-Phishing and Brand Protection Partner

Organizations like Netcraft specialize in detecting and preventing phishing attacks targeting your customers. Netcraft offers the industry’s fastest detection and takedown times, ensuring that phishing attacks mimicking your brand are identified and removed quickly, decreasing the risk of harm to your customers and your brand reputation. 

We’ve been delivering phishing disruption for over 10 years and have the strong partner relationships needed to ensure hosting providers act swiftly. Over time, with continued optimization, it’s possible to lower the rate of phishing attacks impersonating your brand as threat actors turn their attention towards low-hanging fruit—those organizations who fail to take proactive action.

What Next?

Preventing phishing attacks that target your customers requires a combination of internal collaboration, customer education, and security controls. Organizations that take proactive steps to detect and prevent phishing can not only protect their customers but also safeguard their own reputation and bottom line. 

By implementing a comprehensive anti-phishing strategy and working with a strong anti-phishing partner, you can make yourself and your customers the least attractive target by raising the cost of attack for threat actors.

To find out more about how to prevent phishing attacks, read our guide here.

October 2024 Web Server Survey https://www.netcraft.com/blog/october-2024-web-server-survey/ Thu, 31 Oct 2024 19:17:10 +0000 https://www.netcraft.com/?p=24215
In the October 2024 survey we received responses from 1,131,068,688 sites across 271,754,817 domains and 13,003,235 web-facing computers. This reflects an increase of 12.0 million sites, 971,957 domains, and 62,565 web-facing computers.

OpenResty experienced the largest gain of 2.2 million sites (+1.98%) this month, increasing its market share to 10.1% (+0.09pp). Cloudflare made the next largest gain of 1.5 million sites (+1.18%).

Apache suffered the largest loss of 2.2 million sites (-1.11%) this month. It now accounts for 17.6% (-0.39pp) of sites seen by Netcraft. Microsoft experienced the next largest loss of 699,464 sites (-3.45%).

Future of the .io TLD

Earlier this month, the UK announced that sovereignty of the Chagos Islands, also known as the British Indian Ocean Territory, will be transferred to Mauritius. This has caused speculation over the future of the .io TLD, which has gained popularity amongst tech companies in recent years due to I/O also being an acronym for “input/output”. In January 2013, we saw just 4,224 web-facing .io domains, compared to 733,662 domains this month.

Around 17,000 of the top million busiest sites use the .io TLD, such as NFT platform OpenSea, AI audio company ElevenLabs, and open-source home automation project Home Assistant.

As country code TLDs correspond to ISO 3166 country codes, there is a possibility that .io will be retired if the IO country code is removed from the standard. While ccTLDs for some former countries still exist, such as .su for the Soviet Union, others have been deleted, including .yu, .tp, .zr, .an, and .um.

Vendor news

Total number of websites

Web server market share
Developer    September 2024   Percent   October 2024   Percent   Change (pp)
nginx        225,640,032      20.16%    226,359,600    20.01%    -0.15
Apache       201,390,151      18.00%    199,150,231    17.61%    -0.39
Cloudflare   130,093,325      11.63%    131,624,333    11.64%     0.01
OpenResty    111,723,893       9.98%    113,940,338    10.07%     0.09

Web server market share for active sites
Developer    September 2024   Percent   October 2024   Percent   Change (pp)
nginx        37,814,329       19.50%    36,782,559     18.98%    -0.52
Apache       35,115,057       18.11%    34,610,609     17.86%    -0.25
Cloudflare   30,480,355       15.72%    31,263,058     16.13%     0.41
Google       18,290,859        9.43%    19,110,196      9.86%     0.43

For more information see Active Sites.

Web server market share for top million busiest sites
Developer    September 2024   Percent   October 2024   Percent   Change (pp)
Cloudflare   232,767          23.28%    238,294        23.83%     0.55
nginx        202,880          20.29%    200,444        20.04%    -0.24
Apache       192,821          19.28%    186,870        18.69%    -0.60
Microsoft    44,538            4.45%    43,904          4.39%    -0.06

Web server market share for computers
Developer    September 2024   Percent   October 2024   Percent   Change (pp)
nginx        5,012,623        38.74%    5,053,891      38.87%     0.13
Apache       3,136,798        24.24%    3,131,957      24.09%    -0.15
Microsoft    1,176,206         9.09%    1,170,825       9.00%    -0.09

Web server market share for domains
Developer    September 2024   Percent   October 2024   Percent   Change (pp)
Apache       55,279,202       20.41%    54,637,399     20.11%    -0.31
nginx        51,328,311       18.96%    51,352,878     18.90%    -0.06
OpenResty    48,295,978       17.84%    48,775,697     17.95%     0.11
Cloudflare   25,245,309        9.32%    25,652,494      9.44%     0.12
Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit https://www.netcraft.com/blog/doggo-threat-actor-analysis/ Thu, 31 Oct 2024 11:02:00 +0000 https://www.netcraft.com/?p=24418
Key data 

This article explores Netcraft’s research into Xiū gǒu (修狗), a phishing kit in use since at least September 2024 to deploy phishing campaigns targeting the US and UK, Spain, Australia, and Japan. Insights include:

  • A branded mascot and interactive features added for entertainment
  • Over 2,000 phishing websites identified using the kit
  • Campaigns targeting countries around the globe
  • Organizations being targeted across the public sector, postal, digital services, and banking sectors

Doggo Background 

Netcraft has observed a phishing kit being used in campaigns targeting the US, UK, Spain, Australia, and Japan since September 2024. Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. This research builds on existing intelligence shared in September by security researchers BushidoUK and Fox_threatintel.

“Doggo” 

The kit, which uses Mandarin Chinese throughout, provides users with an admin panel (exposed at the /admin path) to configure and manage phishing campaigns. The word “xiū gǒu”, which is referenced in the kit source code, is derived from the admin panel title “xiū gǒu yuánmǎ” (修狗源码). Xiū gǒu roughly translates from Mandarin Chinese internet slang as “doggo” (small dog) and xiū gǒu yuánmǎ as “doggo source code”. This “doggo” concept comes to life as the avatar for the kit’s admin panel and Telegram account—a cartoon dog holding a bottle of soda. “Easter egg” functionality has been developed in the admin panel, allowing users to transform this mascot into a “thug life” version by clicking the avatar.

Figure 1. Admin Panel Login with “Doggo” mascot

Figure 2. Admin panel with alternative easter egg “doggo”

Key Characteristics

Netcraft observed the following characteristics:

  • Xiū gǒu is developed using a modern tech stack, as opposed to the more traditional PHP phishing kits, including:
    • Vue.js is used in the front end for both the phishing pages and admin panel 
    • A Golang back-end, provided through the executable SynPhishServer, which appears to be based on go-gin-api
  • The kit comes equipped with Telegram bots to exfiltrate credentials, ensuring that threat actors can maintain access to data even if their phishing site is taken down
  • Threat actors using the kit use Rich Communications Services (RCS) rather than SMS to send lure messages
  • They also often use the “.top” top-level domain (TLD) and typically register domains related to the nature of their scam, e.g., including the words ‘parking’ or ‘living’, or by including part of the phishing target name

Fig. 3. Xiū gǒu Telegram message containing (dummy) victim information and stolen card details

The kit’s author appears to own the domain xiugou.icu, which serves the images used in the kits. These enable the author to see where their kits are installed by analyzing the referrer headers of requests for those images.

Various subdomains suggest the author creates separate sites to perform different functions, including:

  • test1234[.]xiugou[.]icu
  • usps0007[.]xiugou[.]icu
  • store[.]xiugou[.]icu
  • ai[.]xiugou[.]icu (currently live and hosting the open source AI chat framework lobe-chat)

Fig. 4. LobeChat website

Who is being targeted? 

Xiū gǒu is being used to impersonate brands across various verticals, including the public sector, postal, banking, and digital services. The scams typically manipulate victims into providing their personal details and making payments, for example, to release a parcel or fulfill a fine.

Some of those being impersonated include the USPS, UK Government (e.g., gov.uk and DVSA), Services Australia, Evri, Lloyds, New Zealand Post, and Linkt.

Fig. 5. Fake Evri parcel release page

Fig. 6. Fake Linkt payment page

Fig. 7. Fake USPS package release page

Fig. 8. Fake Lloyd’s Bank login form

Xiū gǒu attack flow 

Netcraft has documented the end-to-end xiū gǒu attack flow, showing how threat actors use the kit to deploy phishing campaigns. The example below shows an impersonation of gov.uk (the UK government’s main website).

  1. RCS message is sent to the victim containing a shortened link; this link often includes a tracking parameter
  2. Victim clicks link
  3. Victim is sent to a phishing website styled to look exactly like gov.uk
    • Note: Bots, such as those used for attack detection, are directed to legitimate, non-malicious sites to obfuscate activity
  4. Victim enters their personal data and payment details
  5. Victim’s details (including their IP address and browser characteristics) are exfiltrated to Telegram via a bot set up by the fraudster running the phishing website

Fig. 9. RCS lure message targeting victims with communications regarding cost of living payments

Fig. 10. RCS lure message targeting victims with communications regarding a fake penalty charge notice (PCN)

Fig. 11. Phishing website for cost of living payments, mimicking gov.uk (where there is no such page)

Fig. 12. Phishing website mimicking the gov.uk page for PCNs

Fig. 13. Fake form mimicking gov.uk to extract victim payment details

Fig. 14. Fake form mimicking gov.uk to extract victim’s personal information

Fig. 15. Fake PCN form mimicking gov.uk

By observing the full list of domains using xiū gǒu, we’ve identified threat actors targeting UK victims specifically. At least eight variations of the domain “yingguo[.]top” have been logged—Yingguo translating to “United Kingdom”—in addition to 18+ of the domain “f^¢kgb[.]top”. 

Telegram bot scam

Netcraft gained access to a xiū gǒu tutorial, which shows users how to prepare a Telegram bot for data exfiltration. This includes a step-by-step flow via xiugou_example_bot, illustrated in the screenshots below.

Fig. 16 – 19: Step-by-step tutorial for setting up a Telegram bot for data exfiltration

Conclusion

The findings from our research into the xiū gǒu phishing kit provide an interesting perspective into the minds and methods of the authors behind the kits. User experience is key, as we can see by xiū gǒu’s use of specific scripting languages as well as the inclusion of user tutorials. The author has also chosen to measure and analyze the use of their kit, most likely so that they can optimize and improve their competitiveness over time. We also get a sense of how—as with the doggo mascot—authors inject personality and humor into their kits, leaving their own distinctive mark.

Understanding how phishing tradecraft is developed is essential to preventing phishing attacks. By analyzing phishing kits in depth, it’s possible to improve the speed and accuracy with which threats can be detected, classified, and taken down. To find out how Netcraft can help you move more quickly and address threats at any scale, book a demo now.

Hook’d: How HookBot Malware Impersonates Known Brands to Steal Customer Data https://www.netcraft.com/blog/how-hookbot-malware-impersonates-brands-to-steal-customer-data/ Tue, 22 Oct 2024 10:46:52 +0000 https://www.netcraft.com/?p=24324
Key data 

This article explores Netcraft’s research into the HookBot malware family and associated attacks on Android devices, including examples of: 

  • Typical HookBot behaviors, such as the use of overlay attacks 
  • The types of brands and apps being impersonated 
  • How HookBot utilizes Command and Control (C2) servers to continuously evolve  
  • A builder tool that enables threat actors to develop and deploy their own HookBot apps 
  • Distribution via Telegram, which highlight the lucrative pricing models available for buyers, as well as competition between developers/distributors 

Netcraft’s Android Malware Analysis engine was developed to build a deeper, applied understanding of the malware strains being used by threat actors to abuse brands and exploit their customers. The sandbox uses handwritten rules to detect malware families and extract specific configurations (e.g., which servers they utilize), helping us understand criminal architecture and its potential impact on organizations. 

Using the analysis engine, our team has investigated instances of the notorious HookBot malware family targeting Android devices specifically. First identified in 2023, we’ll dig deeper to understand what makes this threat so effective, including the functionality underpinning HookBot-infected apps and the tactics being used by those developing and distributing them. 

Hookbot Background 

HookBot is a family of banking Trojans whose primary function is to steal sensitive data from victims, such as banking credentials, passwords, and other personally identifiable information (PII). Now linked to a number of cybercrime campaigns, it’s part of a malware ecosystem responsible for financial fraud globally. HookBot targets mobile devices, particularly Android. Not only does this give the malware broad reach; from a security perspective, its mobile format also adds complexity to the process of detecting and disrupting attacks. 

How HookBot Targets Android Devices 

The HookBot lifecycle begins with a victim installing a malicious app disguised as legitimate, brand-owned software. These apps often come from unofficial sources. However, some are known to bypass Google Play store security checks, enabling them to reach victims through a legitimate, high traffic marketplace. 

Once installed, the malicious app establishes communication with a C2 server, enabling it to receive updates, new payloads, and device information, including details of other legitimate apps and their data. The malware then proceeds to extract user data using various attack techniques, such as app overlays and surveillance techniques. 

Overlay Attacks  

Overlay attacks stack content from a malicious app on top of legitimate app screens. A victim opens an app and sees what looks like a legitimate form (e.g., a login or payment screen). In reality, they have triggered the malware-infected app to launch. This serves a visual overlay that (often convincingly) mimics the legitimate app interface. The victim enters their personal data, which is relayed to the threat actor. 

Keylogging, Screen Capture, and SMS Interception 

HookBot can also log keystrokes and capture screenshots to steal sensitive data while the user interacts with their device. It can also intercept SMS messages, including those used for two-factor authentication (2FA), enabling threat actors to gain full access to the victim’s accounts. 

HookBot in Action 

Netcraft has observed HookBot-infected apps targeting victims by mimicking known brands. In the sequence in fig 1 (below), we can see the malicious app—disguised as Facebook—requesting additional permissions to achieve greater control of the victim’s device. Once fully set up, it renames and disguises itself as Google Chrome. 

Fig. 1. Screenshots showing how a HookBot-infected app establishes control of the victim’s device. 

A sample from our research shows 460 different Android apps being impersonated. In some cases, the overlay screens are convincing, using brand logos and assets and mimicking the legitimate app interface (see fig 2 – fig 5). In other cases (see fig 6 – 8), threat actors appear to have used generic overlay designs requiring less development/expenditure. 

Fig. 2. App overlay mimicking Bank of Queensland login screen. 

Fig. 3. App overlay mimicking Citi login screen. 

Fig. 4. App overlay mimicking Tesco Mobile login screen. 

Fig. 5. App overlay mimicking PayPal login screen. 

Fig. 6. App overlay mimicking Airbnb login screen. 

Fig. 7. App overlay mimicking Coinbase login screen. 

Fig. 8. App overlay mimicking Transferwise login screen. 

HookBot Builder Tool 

Netcraft identified an interface used to generate new malware samples and build new apps. This “builder” featured an easy-to-use interface requiring elementary technical knowledge for operation. Each malware iteration can be programmed via the builder tool to a different configuration and adapted to obfuscate malicious behaviors from external detection. 

Fig. 8. Frame-by-frame showing the HookBot builder panel interface. 

The Malware Business 

Observing how threat actors use different platforms to distribute their products provides a glimpse into the malware supply chain enabling the mass spread of malware globally. In the case of HookBot, our research revealed Telegram accounts and channels being used to distribute the trojan, offering would-be buyers different purchase options to suit their budget and the scale of their campaigns. The feature list boasts built-in anti-security functionality to help HookBot campaigns prevent remediation and evade detection. 

Fig. 9 – 10: Screenshots showing the promotion of HookBot within Telegram 

Another interesting aspect of the malware supply chain is the competition between developers/distributors. In the screenshots below, we observe these criminals discrediting one another’s products and competency level for their own reputational gain. 

Fig. 11 – 13: Screenshots showing three HookBot malware sellers posting on Telegram to discredit competitor products. 

Into the Code 

The following screenshots highlight some of the source code behind the infected apps. In fig 1., the app utilizes HTML to speed up the process of designing and pushing new overlays (from the C2 server) without any updates to the app itself. 

Fig. 14. Screenshot showing HTML used in HookBot’s source code to display an overlay. 

In the next figure, we observe the app’s C2 server using the victim device to send messages via WhatsApp: 

  • The first snippet shows the C2 command forcing the device to launch WhatsApp (“openwhatsapp”) and send a message (“whatsappsend”) to a phone number of the threat actor’s choice. 
  • The second shows the app abusing accessibility permissions in Android to automate “send”. 

This programming enables the malware to spread like a worm, autonomously replicating itself to other devices. 

Fig. 15 – 16. Screenshots showing source code allowing a HookBot app to utilize WhatsApp to send messages without any user input 

Finally, in fig 17 below, the source code reveals the app builder using an open-source tool to implement obfuscation measures against detection. Obfuscapk, and other tools like it, can be used to help protect organizations like banks by impeding malicious efforts to reverse engineer their apps. In the wrong hands, however, these tools can also help malware authors. By implementing a combination of these obfuscator tools, the malware developer/distributor can provide their apps with a unique appearance. 

Fig. 17. Screenshot showing integration with Obfuscapk 

Conclusion 

Despite general awareness and disruption efforts, HookBot persists. Continuous iterations within the malware and the C2 infrastructure illustrate its resilience and effectiveness. There’s an appetite among threat actors for HookBot’s capabilities and the outcomes it can achieve.  

Because of the multi-channel supply chain available, we can also expect that HookBot will continue to spread worldwide, affecting more organizations and their customers. The tools that enable low-skill threat actors to build and deploy the malware will only exacerbate this trend. So, how can you act? 

For over a decade, Netcraft has helped banks and other organizations protect their customers from malware like HookBot. By developing solutions like our Android Malware Analysis, we’re able to offer peace of mind that malicious activity will be detected and blocked—quickly, reliably, and at scale. Unlike other solutions, we scan for indicators that highlight activity targeting specific brands, enabling us to act fast to remove the threat. Over time, this sustained security can lead to a decrease in the number of attacks impersonating your brand that erode hard-earned consumer trust and impact your bottom line. This helps to reduce the risk of security incidents, brand damage, and victim compensation. 

For more information on how we’re helping the financial sector fight back against malware, book a demo today.

Face Off: US Election Debate Sparks New Wave of Crypto-Doubling Scams https://www.netcraft.com/blog/us-election-debate-sparks-new-wave-of-crypto-doubling-scams/ Wed, 02 Oct 2024 07:26:37 +0000 https://www.netcraft.com/?p=24219
In the wake of the second US presidential election debate between Democrat Kamala Harris and Republican Donald Trump (September 10), Netcraft identified a series of crypto investment scams capitalizing on the publicity around this key event.

Our research uncovered 24 crypto-doubling scam domains related to the debate, including 14 phishing websites using the word “debate” in their domain, e.g. debatetrump[.]io, tesladebate[.]com, and debate[.]money. 

All the examples exploit the image of Republican presidential nominee Donald Trump, tech entrepreneur and billionaire Elon Musk, or a blend of both. Criminals likely use these personas to add legitimacy to their crypto investment theme—one political leader, one policy influencer, both conveying the perception of wealth and authority.

Netcraft observed similar tactics being used in attacks in March, during some of the earlier primary elections. In July, following the assassination attempt on Donald Trump, others were also discovered.

In the lead-up to the US presidential election on November 5, we expect to see these kinds of attacks continue. To help brands and internet users act with greater caution during that time, this article analyzes the different variants of this latest, debate-themed scam. It also includes guidance for organizations at risk from similar impersonation of their brand, intellectual property (IP), and executive personas.

What is crypto-doubling?

Crypto-doubling scams lure victims into transferring cryptocurrency under the false pretence that their investments will be doubled. The perpetrators of these scams commonly use social engineering tactics via email, social media platforms, and messaging apps to coax victims into visiting a phishing website where the fraudulent transaction then takes place.

Crypto-doubling scams use the following tactics:

  • Promises of quick returns, which often emphasize a rapid doubling of the victim’s investment.
  • A sense of urgency to encourage immediate action.
  • Fake endorsements that falsely claim support from public figures.
  • A lack of transparency that withholds any real detail about the scheme.

Crypto-doubling scams harm victims financially and emotionally, and erode customer and voter trust in the brands and personas being imitated.

Variants

The three crypto-doubling variants identified through our research use similar tactics, but the differences between them reflect how much time and resource criminals invest from one scam to the next. Individually and together, they help us understand the mindset behind this kind of malicious activity in greater depth.

Variant 1: “Elon Musk X Donald Trump Crypto Giveaway”

Fig. 1. Above the fold screenshot from the variant 1 website

In this first example, custom copy (see fig. 2.) and trusted brand logos are used to legitimize the website. The page content is rich, incorporating graphs and diagrams with step-by-step instructions and QR codes linking victims to a payment page.

Although the content itself doesn’t directly reference the debate, it does use the domain debatetrump[.]io.

Off-brand language and grammatical errors—common telltale signs of fake content—still occur across the site, such as, “Donald Trump immersing himself in the world of cryptocurrency to offer a nice gift to cryptoinvestors” or simply “Check instruction”.

Fig. 2–4. Below the fold screenshots from the variant 1 website

Variant 2: “Huge giveaway during Trump and Kamala Debate”

Fig. 5. Above the fold screenshot from the variant 2 website

Variant 2 utilizes content assets like those in variant 1. However, it calls out the US presidential election debate between Donald Trump and Kamala Harris directly in the text (see fig. 5 and fig. 7). It also uses an image featuring Harris, the Democrat presidential nominee.

The page features Elon Musk’s Tesla logo instead of Trump’s campaign logo, demonstrating how criminals tailor their content to appeal to different audiences, i.e., politically engaged vs. cryptocurrency-minded.

Unlike variant 1 (and variant 3), variant 2 includes an extra “What’s Happening” section, providing context on the cryptocurrency “giveaway” (see fig. 6).

Fig. 6–7. Below the fold screenshots from the variant 2 website

Variant 3: “Biggest Crypto Giveaway”

Fig. 8.

Variant 3 appears to hot-swap personas while retaining the same core content, i.e., a new persona is used while the other webpage assets remain the same. Netcraft has identified many examples using this approach, which is recognizable by its distinctive hexagonal image frame and stock copy. The only differences between these examples are the target personas (different headshots) and, in some cases, the page colour and/or appearance (see fig. 10).

In both variants 1 and 2, we observe extra, custom assets (logos, text, diagrams, etc.) being used to give the web content a theme. No such effort is made with variant 3, which uses the same assets across the board.

Fig. 9. (Fig. 8–9. Above the fold screenshots from the variant 3 website)

The characteristics of variant 3 are particularly interesting in the context of the criminals’ resource expenditure. By removing the need for custom text, and by using short, generic copy, threat actors avoid any need to review their content or adapt it for different scenarios. In short, variant 3 demonstrates the speed with which threat actors can deploy ready-made, easily customizable assets to make their campaigns more efficient, potentially increasing their gains.

Fig. 10. Screenshot demonstrating subtle changes to the variant 3 template.

Characteristics of variant 3

Netcraft logged the following common characteristics from variant 3 in this crypto-doubling scam.

Website headers

Every variant 3 site uses the same header, which consists of a logo, navigation links to page sections, and a “Participate” call to action (CTA) that links to a page containing wallet addresses for the transaction.

Fig. 11. Screenshots of the different headers used in the variant 3 template

Page sections

Above the fold

Above the fold, the variant 3 template focuses on grabbing attention with bold H1 text (“BIGGEST GIVEAWAY CRYPTO OF $100,000,000”). It also uses:

  • A seal icon with a tick and the text “official event”
  • Text paragraph explaining the giveaway, including the different acceptable currencies
  • The standard “Participate” CTA

Fig. 12. Screenshots of the different above the fold variations

Instructions and information

Directly below the fold, the variant 3 template includes two sections:

  • “Instruction for participation”: a step-by-step diagram purporting to show the crypto investment process (note the grammatical error in “Instruction”).
  • “Rules & Information”: two text blocks explaining (left) why the giveaway is happening and (right) the accepted cryptocurrencies and minimum payment amount.

Fig. 13. Side-by-side comparison of the lower page sections from two of the phishing websites

In some examples (fig. 14), a calculator is embedded into the page to illustrate the amount the victim will allegedly receive in return for their investment.

Fig. 14. Screenshot showing variant 3 example with investment calculator

How are these scams being distributed?

Netcraft has observed these scams being distributed via YouTube, in videos in which Elon Musk appears to discuss the US presidential election debate (see fig. 15). The YouTube channels used include purpose-registered examples and others which have been compromised. Other external analyses report distribution via X, Facebook, Instagram, and Telegram.

Fig. 15. Screenshot from a fake YouTube video featuring Elon Musk 

How to protect your brand

The volume of these crypto-doubling scams, the variations identified, and the different tactics used indicate the scale at which threat actors can target would-be cryptocurrency investors.

For the brands and personas imitated, this type of scam erodes trust and credibility and may lead to a backlash from victims, as well as additional legal and customer service costs. The time it takes to recoup these losses can have far-reaching consequences.

Identifying and removing the digital content used to target victims through these campaigns requires speed, accuracy, and scale. Netcraft offers all three. Our Brand Protection services make use of the industry’s largest and most powerful dataset to continuously search the internet for any misuse of your brand name and likeness. Our website takedown times are the fastest and most reliable in the brand protection space, reducing the number of scams attempting to exploit your brand, IP, and customers.

To find out what ROI Netcraft can offer your organization, and to see our solutions in action, book a demo now.

Problems in the Parking Lot: Threat Actors Use IRL Quishing to Target Travelers https://www.netcraft.com/blog/irl-quishing-scams-target-travelers/ Wed, 18 Sep 2024 08:11:17 +0000 https://www.netcraft.com/?p=24147
This article explores Netcraft’s research into the recent surge in QR code parking scams in the UK. It also shows how parking payment provider PayByPhone is fighting back. Insights include:

  • At least two threat groups identified, one of which Netcraft can link to customs tax and postal scams carried out earlier this year. 
  • Up to 10,000 potential victims identified visiting this group’s phishing websites between June 19 and August 23. 
  • At least 2,000 form submissions, indicating how much personal data has been extracted from victims, including payment information. 
  • Evidence suggesting the group is running activity across Europe, including France, Germany, Italy, and Switzerland.
  • How PayByPhone is adapting its business model and working with leading brand protection and anti-phishing provider Netcraft to proactively tackle attacks and protect its customers. 

Introduction 

Earlier this month, RAC issued an alert for UK motorists to beware of threat actors using Quick Response (QR) code stickers that lure them to malicious websites. These sites are designed to exfiltrate personal data, including payment information, by impersonating known parking payment providers. Reports of similar scams across Europe and in Canada and the US have also been increasing and gaining public attention. In the US, the FBI has now issued alert number I-011822-PSA, Cybercriminals Tampering with QR Codes to Steal Victim Funds, to raise awareness. We can expect that these attacks will continue to be deployed on a global scale.

In the UK, phishing activity is peaking. On July 30, Southampton City Council posted on Facebook warning motorists of a wave of malicious QR codes appearing across the city center. Printed on adhesive stickers and affixed to parking meters, the QR codes directed users to phishing websites impersonating the parking payment app brand PayByPhone. Around the same time, several Netcraft staff shared stories of family members being duped by similar scams. In response, Netcraft deployed its research teams to analyze and understand the activity in depth. 

Fig. 1. Southampton City Council’s post on Facebook warning users to avoid scanning the QR codes and explaining the risk. 

Looking at British media reports, these parking QR code scams appeared to peak during the summer holiday period (June to September). Activity concentrated in and around coastal tourism locations such as Blackpool, Brighton, Portsmouth, Southampton, Conwy, and Aberdeen. There are now at least 30 parking apps in the UK, varying by location—an abundance that benefits criminals. By targeting tourist destinations, threat actors can prey on tourists who need to download the parking payment apps and are searching for ways to do so. 

Netcraft was able to identify two threat groups running such scams. This report focuses on an active group impersonating the PayByPhone brand. The other group has been identified using a phishing kit to simulate multiple brands, including RingGo. 

How do Parking QR Code Scams work? 

Mobile payments are now standard in many public and private parking lots across the world. While paying once typically involved calling or texting a number, mobile apps have become more commonplace.

In the UK, the main providers include PayByPhone, RingGo, JustPark, ParkMobile, and MiPermit. Providers display user instructions in parking lots, typically on parking meters. These include a download link or QR code to access the payment app, as well as a unique location code to geolocate the user. This approach not only offers an opportunity for threat actors to target victims on-site, it may also enable them to further target victims with additional location-specific malicious messages. 

Step-by-step process  

For the PayByPhone threat group that forms the basis of this research, the following step-by-step process for extracting victim data was observed:

  1. Threat actor acquires and deploys “boots on the ground” resources to set up the attack.
  2. Malicious QR codes are affixed to parking lot payment machines.
  3. A victim visiting that parking lot scans the malicious QR code and is directed to a mobile phishing website mimicking a legitimate parking lot payment provider.
  4. The phishing website prompts the victim to enter the following details, in this order:
     • Their 6-digit parking lot location code
     • Vehicle details, including license plate and vehicle type
     • Parking duration
     • Payment card details
  5. The website then displays a fake “Processing” page, simulating a familiar user experience. In some cases, a 3-D Secure code will be requested by the victim’s bank/card provider.
  6. The victim is redirected to a “Payment accepted!” page.
  7. The phishing website confirms the victim’s entered details.
  8. The victim is directed to the official PayByPhone website.

Fig. 2. Screenshots showing the step-by-step process on one of the fake PayByPhone websites. 

Following payment, phishing kit groups send the victim to a failed payment page, prompting them to use an alternative payment card. This extends the volume of credentials and funds the threat actor can exfiltrate. 

Fig. 3. Screenshot of fake failed payment page on one of the malicious websites. 

Tactics 

Netcraft has been able to analyze threat actor activity to understand the strategies underpinning these attacks. 

Timeline of activity 

Fig. 4. Chart showing malicious websites being activated and deactivated between June 17 and September 3. 

In the timeline above: 

  • June 19: the scam begins; the first phishing websites appear, but these are taken offline after approximately one week. 
  • June 28: the scam reappears online behind a new domain name. 
  • July 2: threat actor registers two new domains, which redirect victims back to the initial websites. 
  • July 27: websites continuously come online, as others gradually go offline. 
  • Early August: more domains are registered every few days, but some only stay online for a short time, before any QR codes are used.¹
  • Mid-August: all known phishing websites go down; the threat actor registers new domains with variations on the naming format (using phrases like parkbyphone instead of pbp, and others that refer only to QR codes and scanning). These are registered in pairs, with a .info domain hosting the actual phishing website and a .click equivalent redirecting to the .info version. Likely due to news coverage, these only remain online for a few days at a time and are quickly taken offline by the domain registrar.
  • Late August onwards: the same pattern of registering new domains multiple times per week continues. The threat actor experiments with different top-level domains (TLDs) (.live and .online) to evade detection. Each site remains online for a few days, in contrast to the start of the campaign when sites were live for up to a month. 

Website characteristics 

Numerous phishing websites were created to facilitate these attacks. Since June 17, Netcraft has seen the same scam on 32 distinct domain names. All of these demonstrated the following characteristics: 

  • Registered with NameSilo 
  • Using .info, .click, .live, .online, and .site TLDs 
  • Protected with Cloudflare

The QR codes most typically linked directly to .click URLs, which redirected to a live phishing website at a .info or .site URL. This could be a persistence tactic to ensure that if the group’s core sites are taken down, new ones can be set up, and the redirects changed. Such an approach avoids the need to physically replace any QR code stickers, keeping the attack online while controlling costs. 

On-the-ground tactics 

After tracking the threat actor’s activity online throughout August, the Netcraft team then went a step further to gather additional on-the-ground research. 

Fig. 5. Map showing Netcraft-identified parking meters displaying the location of benign (black) and malicious (red) QR codes across Southampton city center. 

Of the 24 parking meters across Southampton City Center, seven are used to display malicious QR codes. Some of these were in prime locations, including opposite Southampton Central train station and near a large grocery store. Other areas in the city center and Portswood (another high foot traffic area) appeared to be clear of QR codes.  

The QR code stickers appear to have been distributed in a single batch—all linking to the same website—following the takedown of several of the threat actor’s websites. This highlights the persistent continuation of the campaign, with the threat actor rotating websites and remaining active despite their operations being disrupted.  

The domain name for the website mentioned above was registered on the afternoon of Sunday, August 25. The first visit was at approximately 07:00 the next morning. Netcraft researchers believe that this was the threat actor’s on-the-ground agent testing the QR code after placing the stickers. These timelines highlight the speed of activity between registering a new domain and placing a corresponding QR code sticker. 

In Southampton city center, there are two types of parking meters—red, which represent more dated models, and black, which are newer and display official PayByPhone branding. The threat actor’s QR codes were only found on these new black meters, pasted on top of the official branding to improve impersonation. 

Some meters had been pasted with three QR code stickers (front and both sides), but not all. At the time of the visit, one meter on London Road had its front QR code sticker partially ripped off. Together, these observations may suggest that stickers are being haphazardly removed or missed, or that the individuals responsible for planting them are inconsistent in their approach.

Fig. 6. Photo of parking meter with QR code partially removed

The main takeaway from the on-the-ground research is that the threat actor has invested strategy and resources to achieve greater impact—making use of high-footfall areas and using tactics that add legitimacy to the scam. It’s clear that the measures being taken on the ground to deter these attacks are not as effective as takedowns online. 

Detection evasion tactics 

We were able to identify the following detection evasion tactics: 

  • Bot detection and Traffic Distribution Systems (TDS) being used to evade detection.
  • Websites redirecting to badrobot[.]com based on the browser’s reported User-Agent HTTP header.
  • Threat actors appear to maintain an allow list of User-Agent strings covering the most recent versions of popular iOS and Android browsers. If a QR code is scanned from any other device or browser, the visitor is redirected.
  • Cloudflare protection enabled on some websites, using a CAPTCHA to gate user access.
  • Websites that detect suspected bot activity redirecting the user to an error page prompting them to rescan the QR code.
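A defender-side check for the User-Agent cloaking described above, added here as an example and not Netcraft’s code: fetch the suspect URL under several User-Agent strings, follow each redirect chain, and flag the URL when current mobile browsers land on a host no other client ever reaches; a second check spots the .click entry domain redirecting to a same-named .info domain. The hostnames (pbp-example.click, pbp-example.info, decoy.example), the User-Agent strings and the stand-in fetcher are all constructed.

```python
"""Added example (not Netcraft's or any vendor's code): probe a suspect URL under
several User-Agent strings and flag User-Agent-dependent cloaking, i.e. a site
that shows the phishing page only to current mobile browsers and redirects every
other client to a decoy. A second check spots the .click/.info domain pairing.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Constructed User-Agent strings: two current mobile browsers, three "other".
PROBE_AGENTS: Dict[str, str] = {
    "ios_safari": ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 "
                   "Mobile/15E148 Safari/604.1"),
    "android_chrome": ("Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/128.0.0.0 Mobile Safari/537.36"),
    "desktop_chrome": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"),
    "curl": "curl/8.5.0",
    "crawler": "Mozilla/5.0 (compatible; ExampleScanner/1.0)",
}
MOBILE_PROBES = ("ios_safari", "android_chrome")
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """Minimal view of an HTTP response: status and Location header, if any."""
    status: int
    location: Optional[str] = None


# A fetcher takes (url, user_agent) and returns one Response without following
# redirects itself; for live use wrap an HTTP client with redirects disabled.
Fetcher = Callable[[str, str], Response]


def final_destination(url: str, ua: str, fetch: Fetcher, max_hops: int = 5) -> str:
    """Follow redirects for one User-Agent and return the last URL reached."""
    current = url
    for _ in range(max_hops):
        resp = fetch(current, ua)
        if resp.status in REDIRECT_CODES and resp.location:
            current = resp.location
        else:
            break
    return current


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def same_label_different_tld(host_a: str, host_b: str) -> bool:
    """True for pairs like pbp-example.click / pbp-example.info."""
    a, b = host_a.split("."), host_b.split(".")
    return len(a) >= 2 and len(b) >= 2 and a[:-1] == b[:-1] and a[-1] != b[-1]


def assess_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch `url` under every probe UA and compare where each one lands."""
    dests = {name: final_destination(url, ua, fetch) for name, ua in PROBE_AGENTS.items()}
    mobile_hosts = {host_of(dests[n]) for n in MOBILE_PROBES}
    other_hosts = {host_of(dests[n]) for n in dests if n not in MOBILE_PROBES}
    landing_host = host_of(dests[MOBILE_PROBES[0]])
    return {
        "destinations": dests,
        "landing_host": landing_host,
        # Cloaking: mobile browsers land on hosts that no other client ever reaches.
        "ua_cloaking": mobile_hosts.isdisjoint(other_hosts),
        # Entry domain and landing domain differ only in TLD (the .click/.info pattern).
        "redirect_pair": same_label_different_tld(host_of(url), landing_host),
    }


def constructed_cloaking_site(url: str, ua: str) -> Response:
    """Constructed stand-in mimicking the behaviour described in the article.

    pbp-example.click / pbp-example.info are placeholder names and decoy.example
    stands in for the badrobot[.]com redirect target. Not real server code.
    """
    host = host_of(url)
    if host == "pbp-example.click":
        return Response(302, "https://pbp-example.info/")
    if host == "pbp-example.info":
        recent_mobile = "iPhone OS 17" in ua or ("Android 14" in ua and "Mobile" in ua)
        return Response(200) if recent_mobile else Response(302, "https://decoy.example/")
    return Response(200)


if __name__ == "__main__":
    verdict = assess_cloaking("https://pbp-example.click/", constructed_cloaking_site)
    for name, dest in verdict["destinations"].items():
        print("%-15s -> %s" % (name, dest))
    print("ua_cloaking=%s redirect_pair=%s" % (verdict["ua_cloaking"], verdict["redirect_pair"]))
```

A single-UA scanner fetching the same URL as `curl` only ever sees decoy.example, which is exactly why the multi-UA comparison matters.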

Impact of these attacks 

Some of the most critical intelligence we’ve been able to gather on these attacks concerns their impact on victims. 

What data has been exfiltrated and how? 

As illustrated in the step-by-step flow earlier in this article, the threat actor used webforms on their phishing website to capture and store victim data including:

  • License plate 
  • Vehicle type 
  • Location code 
  • Complete payment card details, including security code 

This personally identifiable information (PII) could be used in future phishing attacks, for example by exploiting the threat actor’s knowledge of the victim’s vehicle, or in location-based campaigns that make use of the victim’s location codes.

Each form is submitted to the server as soon as it is completed, rather than at the end of the process. This maximizes the amount of information gathered: data is captured even if the victim exits the site before completing the entire flow.

The research suggests that the stolen data is then stored temporarily on the web server before being sent on to the threat actor via a Telegram bot.² An admin control panel on the website is used to configure the API keys for these bots and select which to send data to (the default bot names are “main” and “Hulingans”).

Fig. 7. Screenshot showing the app admin panel used to configure bot API keys. 

How many victims are there? 

Netcraft’s research identified an approximate number of victims affected by these attacks. 

One of the threat actor’s websites makes an API call to increment a visitor counter, and the response returns the number of website visitors to date. By tracking the visitor counter over a few days, it was revealed that the site receives:

  • ~13 visitors per hour
  • ~320 visitors per day (with an increase at weekends)

From June 19 to August 23, 10,000 users accessed this website and another mirror site. Many of these users could be potential victims who have scanned one of the malicious QR codes. 

Fig. 8. Screenshot showing the website increment counter and number of website visitors. 

How much data was stolen? 

Two of the threat actor’s phishing websites featured an exposed debugging API endpoint showing the number of form submissions (i.e., every time a user submitted data through the malicious website forms). On one of these sites, Netcraft was able to identify 1,932 form submissions from mid-June to August 12. On the other, 267 submissions were collected between July 27 and August 20. This brings the logged total to 2,199. Although the other websites had this endpoint disabled, it can be assumed that across all of the malicious sites more data was exfiltrated, including victims’ payment details.³

Threat actor profile 

Netcraft has found indications that the threat actor studied in the research is related to a series of postal and customs tax-themed scams targeting Ireland and Poland. These indicators include: 

  • Corresponding redirect behavior (for detection evasion) 
  • Web servers running the same software version 
  • Use of the same domain registrar 
  • Use of Cloudflare with a very similar configuration

The step-by-step flow for extracting victim data is also similar. The customs tax scam was observed requesting the following data under the guise of releasing a parcel held at customs or a postal depot: 

  • The victim’s phone number 
  • Their address and other shipping information 
  • Payment details to release the parcel and have it shipped to the victim

The following timeline helps demonstrate how the threat actor switched between their campaigns: 

  • Three customs tax/postal scam websites first seen in February and March 2024 staying online for around two months. 
  • Between May 12 and June 14, nine more domains registered (most inactive), some of which featured customs tax scams for approximately one week maximum. 
  • After this point, the customs tax websites lay dormant while the first parking scam websites came online. 
  • From July 19, four new domains were registered hosting the same website as before; two went down within a week, but the others remained online for over a month. 
  • These websites have been manually disabled by the attacker, although this is likely to be a temporary measure.

We believe this shows that when the threat group’s parking scam became disrupted by takedown activity, they reactivated their previous campaign. 

Fig. 9. Screenshot showing a page from the customs tax website. 

Threat actor geography 

Netcraft was not able to find conclusive evidence pinning down the threat actor’s geographical location. However, a comment was found in the source code of one website containing a Romanian expletive: console.log('sloboz').

Another section of the source code contains comments in Romanian (translation: “Define the validate function to validate the card data validate function / Here you must add the validation code for the card data / You can use the jQuery library or pure Javascript, depending on your needs / Simple validation example”). 

Fig. 10. Screenshot showing Romanian language text in website source code. 

The phishing websites contain internationalization files for English, French, German, Italian, and Romansh (spoken in Switzerland), indicating that this attack is being deployed on a trans-European scale. This backs up news reports from both Switzerland and France, where QR codes have been found linking to the same phishing websites.

Fig. 11 and 12. Screenshots showing translation files stored in the website.

Forcing a change in tactics

In light of these recent attacks, PayByPhone has been swift to act, halting the provision of QR codes as a method of accessing payment in the UK. Discussions are now taking place to identify the safest, most effective alternative solutions. Although this process may take time—PayByPhone has 200 clients across the UK—it’s a forward-thinking, security-first approach that will gradually force threat actors to change their tactics.

For now, PayByPhone is focused on raising awareness to help ensure motorists remain vigilant against this scam and other types of payment fraud. Using in-app messaging, emails, and social media campaigns, the organization has been advising users to download the PayByPhone app from the Apple App Store, Google Play, or its own website, and never from a QR code link.

It’s encouraging to see this activity go one step further, with PayByPhone starting to work closely with other industry leaders in the British Parking Association. Collectively, these organizations have set out to provide guidance for educating motorists, helping them avoid being targeted by scams and recognize fraudulent payment practices such as:

  • Fake penalty charge notices
  • Credit card skimming devices attached to payment terminals
  • Fake parking attendants

Fighting back

PayByPhone is now working closely with Netcraft to proactively take steps to enhance security for parking customers. This collaboration aims to ensure that their customers’ safety and trust remain top priorities as they prepare to implement the protective measures mentioned above across their services.

Offering the industry’s fastest scam detection and disruption service, Netcraft provides an average blocking time of five minutes and a takedown time of six hours. Together, blocking and takedown are essential countermeasures in the battle against phishing websites. Deploying them with maximum speed, scale, and accuracy can vastly reduce the number of victims exposed to activity like that covered in this article; and over time, with continued, consistent effort, we can expect to see a reduction in the number of attacks targeting PayByPhone overall.

Conclusion 

Netcraft’s research into these parking lot QR code attacks highlights the tip of a much bigger iceberg. The insights drawn shed light on the criminals carrying them out, informing how organizations can best defend themselves.

The behaviors and characteristics of the threat actor identified through the analysis demonstrate the scale and strategic approach being used. Not only is this one criminal group operating across a continent, but they are also investing to evade detection and achieve continuous operation. Additionally, the criminal group is likely responsible for a number of other attacks. This shows how cybercrime groups adapt and evolve their tactics and respond to opportunities that yield greater impact.

The more organizations that take proactive action like PayByPhone, the greater the universal deterrent against threat actors and the lesser the threat to brands and their customers.

If you want to know more about how we detect, analyze, and take down attacks like these, get in touch with the team or book a demo now.

Footnotes

¹ We may assume that the prevalence of this topic in the news in August influenced takedown activity.

² Data exfiltration via Telegram is a common feature of phishing kits. Email used to be the most favoured channel, but as email takedown has advanced, threat actors have adapted. Telegram offers threat actors the ability to easily switch between bots to receive exfiltrated data. It also enables them to relay data to multiple bots, maintaining persistence if one bot is disabled.

³ In adhering to the Computer Misuse Act, we’re unable to confirm the exact number of exfiltrated payment details, as this would require directly accessing stolen data via the admin control panel.

September 2024 Web Server Survey https://www.netcraft.com/blog/september-2024-web-server-survey/ Tue, 17 Sep 2024 09:18:44 +0000 https://www.netcraft.com/?p=24005 In the September 2024 survey we received responses from 1,119,023,272 sites across 270,782,860 domains and 12,940,670 web-facing computers. This reflects an increase of 11.2 million sites, 717,065 domains, and 70,346 web-facing computers.

Cloudflare experienced the largest increase of 3.1 million sites (+2.41%) this month, now accounting for 11.6% (0.16pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.8 million sites (+2.54%).

Apache suffered the largest loss of 2.4 million sites (-1.19%) this month, with its market share now standing at 18.0% (-0.40pp). Google experienced the next largest loss, down by 1.7 million sites (-2.84%).

Vendor news

Total number of websites

Web server market share

Developer | August 2024 | Percent | September 2024 | Percent | Change (pp)
nginx | 223,025,645 | 20.13% | 225,640,032 | 20.16% | 0.03
Apache | 203,825,341 | 18.40% | 201,390,151 | 18.00% | -0.40
Cloudflare | 127,028,522 | 11.47% | 130,093,325 | 11.63% | 0.16
OpenResty | 108,954,196 | 9.84% | 111,723,893 | 9.98% | 0.15

Web server market share for active sites

Developer | August 2024 | Percent | September 2024 | Percent | Change (pp)
nginx | 37,946,892 | 19.54% | 37,814,329 | 19.50% | -0.04
Apache | 35,401,145 | 18.23% | 35,115,057 | 18.11% | -0.12
Cloudflare | 30,353,097 | 15.63% | 30,480,355 | 15.72% | 0.09
Google | 19,914,940 | 10.26% | 18,290,859 | 9.43% | -0.82

For more information see Active Sites.

Web server market share for top million busiest sites

Developer | August 2024 | Percent | September 2024 | Percent | Change (pp)
Cloudflare | 232,823 | 23.28% | 232,767 | 23.28% | -0.01
nginx | 202,769 | 20.28% | 202,880 | 20.29% | 0.01
Apache | 192,880 | 19.29% | 192,821 | 19.28% | -0.01
Microsoft | 44,580 | 4.46% | 44,538 | 4.45% | -0.00

Web server market share for computers

Developer | August 2024 | Percent | September 2024 | Percent | Change (pp)
nginx | 5,037,328 | 38.72% | 5,012,623 | 38.74% | 0.02
Apache | 3,194,165 | 24.55% | 3,136,798 | 24.24% | -0.31
Microsoft | 1,186,646 | 9.12% | 1,176,206 | 9.09% | -0.03

Web server market share for domains

Developer | August 2024 | Percent | September 2024 | Percent | Change (pp)
Apache | 55,087,675 | 20.40% | 55,279,202 | 20.41% | 0.02
nginx | 51,825,561 | 19.19% | 51,328,311 | 18.96% | -0.23
OpenResty | 47,996,022 | 17.77% | 48,295,978 | 17.84% | 0.06
Cloudflare | 24,899,127 | 9.22% | 25,245,309 | 9.32% | 0.10