New Phishing Kit "Xiū gǒu" Targets Users Across Five Countries Using 2,000+ Fake Sites
Cybersecurity researchers have uncovered a new phishing threat, called Xiū gǒu, that has been targeting users in five countries — Australia, Japan, Spain, the U.K., and the U.S. — since September 2024. This sophisticated phishing kit has already generated over 2,000 fake websites, posing serious risks to sectors including government, postal services, digital services, and banking. Xiū gǒu represents a growing trend: phishing kits that lower the barrier to entry, making it easier than ever for less-skilled criminals to steal victims' personal information.
How Xiū gǒu Works: A New Layer of Phishing Tactics
Phishing kits like Xiū gǒu make it simple for cybercriminals to set up convincing fake websites that mimic legitimate services. These sites often steal user credentials and other personal data, which the attackers can then sell or exploit. Xiū gǒu, developed by a Chinese-speaking threat actor, combines advanced technologies — including Golang and Vue.js — to power an admin panel for the attackers, enabling seamless data theft from victims.
Xiū gǒu employs several tactics to avoid detection. Chief among them is the use of Cloudflare's anti-bot features and hosting obfuscation, which makes it harder for traditional security systems to spot and block these sites. It further evades detection by hosting its fake sites under the ".top" top-level domain, and it exfiltrates stolen information through Telegram, giving the attackers easy access to it.
Rich Communication Services (RCS): A New Avenue for Phishing
Instead of relying on traditional SMS phishing, Xiū gǒu uses Rich Communication Services (RCS) to lure victims. RCS messaging, available through Apple Messages (starting with iOS 18) and Google Messages for Android, enhances the texting experience by supporting file sharing, typing indicators, and even optional end-to-end encryption. Ironically, RCS's enhanced capabilities make it appealing to cybercriminals, who leverage these trusted communication channels to send fake notifications.
Xiū gǒu's RCS-based phishing messages often claim the recipient owes a parking penalty or needs to update a delivery address. A shortened URL link is included, directing the victim to a fake site designed to harvest personal data and trick them into making payments. By impersonating well-known services and creating a sense of urgency, these messages manipulate victims into sharing their sensitive information.
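As an added illustration (not part of the original report, and not code from the kit), the following Python screens message text for the indicators described above: a parking-penalty or delivery-address lure, a shortened link, a destination under .top, and urgency wording. The phrase list, shortener list and sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed indicator lists for this example; a real deployment would use curated feeds.
LURE_PHRASES = ("parking penalty", "parking fine", "update your delivery address",
                "delivery address", "could not be delivered")
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}   # well-known shorteners
SUSPECT_TLDS = {"top"}                                          # TLD the article reports the kit using
URGENCY_RE = re.compile(r"\b(immediately|within 24 hours|today|final notice)\b")
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def score_message(text):
    """Return (score, reasons) for one message body; higher means more suspicious."""
    reasons = []
    lowered = text.lower()
    # One lure phrase is enough; report the first match only.
    hit = next((p for p in LURE_PHRASES if p in lowered), None)
    if hit:
        reasons.append(f"lure phrase: {hit!r}")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened URL hides destination: {host}")
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        if tld in SUSPECT_TLDS:
            reasons.append(f"suspect TLD .{tld}: {host}")
    if URGENCY_RE.search(lowered):
        reasons.append("urgency wording")
    return len(reasons), reasons


# Constructed sample messages (not real captures); the .top host is a placeholder.
SAMPLE_MESSAGES = [
    "Final notice: you have an unpaid parking penalty. Pay within 24 hours: https://bit.ly/3xample",
    "Your parcel is on hold. Update your delivery address at https://parcel-update.placeholder-example.top/track",
    "Reminder: dentist appointment Tuesday 10am. Reply C to confirm.",
]


def screen(messages, threshold=2):
    """Return the messages whose score meets the threshold, with their reasons."""
    return [(m, score, reasons) for m in messages
            for score, reasons in [score_message(m)] if score >= threshold]


if __name__ == "__main__":
    for m, score, reasons in screen(SAMPLE_MESSAGES):
        print(f"[{score}] {m[:60]}... -> {'; '.join(reasons)}")
```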
Google’s Response: Enhanced Protections to Combat Phishing Scams
Google has recognized the threat posed by these enhanced phishing methods and has rolled out new protections for RCS messages to combat these risks. The tech giant recently introduced on-device machine learning algorithms to filter fraudulent messages related to package deliveries and other common phishing scams. Additionally, Google has launched a pilot program in regions like India, Thailand, Malaysia, and Singapore to alert users when they receive messages with potentially dangerous links from unknown senders. This feature is expected to expand globally by the end of 2024 and aims to block suspicious messages more effectively.
To add another layer of protection, Google also allows users to “automatically hide messages from international senders who are not existing contacts,” placing these messages in a “Spam & blocked” folder to minimize their visibility.
Widespread Implications: Phishing Attacks Targeting Businesses and Individuals
The Xiū gǒu phishing kit is not the only threat in circulation. Cisco Talos has also revealed an ongoing phishing campaign targeting Facebook business and advertising account holders in Taiwan. This campaign delivers stealer malware, including Lumma and Rhadamanthys, which can harvest sensitive information and compromise business accounts. Victims receive an email claiming to be from a company's legal department, demanding the removal of allegedly infringing content under the threat of legal action. A malicious link within the email downloads a fake PDF file, infecting the victim’s device with malware.
In addition, recent phishing campaigns have been seen impersonating OpenAI, with messages sent to business recipients worldwide urging them to update their payment information. These emails, sent from a single domain to thousands of recipients, use multiple hyperlinks within the email body to evade detection. Despite being suspicious, these emails pass DKIM and SPF checks, appearing legitimate to both recipients and automated email security systems.
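The article notes that these emails pass DKIM and SPF; those checks authenticate the sending domain, not the brand shown in the From: header. This added example (not from the article, the campaign or any vendor tooling) parses a constructed message with placeholder domains, checks whether the authenticated domains align with the From: domain in the way DMARC would, and lists the distinct hosts the body links to.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, placeholder domains: SPF/DKIM pass for the sending domain, From: differs.
SAMPLE_EMAIL = """\
Authentication-Results: mx.placeholder-example.org;
 spf=pass smtp.mailfrom=bulk-sender.placeholder-example.net;
 dkim=pass header.d=bulk-sender.placeholder-example.net
From: "OpenAI Billing" <billing@openai-billing.placeholder-example.com>
Subject: Action required: update your payment information
Content-Type: text/html

<html><body>
<a href="https://billing-update.placeholder-example.net/pay">Update payment</a>
<a href="https://support.placeholder-example.org/help">Help</a>
</body></html>
"""

def auth_domains(msg):
    """Domains that SPF (smtp.mailfrom) and DKIM (header.d) actually authenticated."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]*@)?([^\s;]+)", results)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", results)
    return {"spf": (spf.group(1), spf.group(2).lower()) if spf else (None, None),
            "dkim": (dkim.group(1), dkim.group(2).lower()) if dkim else (None, None)}

def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def aligned(auth_dom, hdr_dom):
    """Simplified alignment (real DMARC compares organizational domains): equal, or subdomain."""
    return bool(auth_dom and hdr_dom) and (auth_dom == hdr_dom or
            auth_dom.endswith("." + hdr_dom) or hdr_dom.endswith("." + auth_dom))

def link_hosts(msg):
    return sorted({(urlparse(h).hostname or "").lower()
                   for h in re.findall(r'href="([^"]+)"', msg.get_payload())})

def assess(raw):
    msg = message_from_string(raw)
    hdr = from_domain(msg)
    findings = [f"{mech} passed for {dom} but From: is {hdr} (not aligned)"
                for mech, (result, dom) in auth_domains(msg).items()
                if result == "pass" and not aligned(dom, hdr)]
    hosts = link_hosts(msg)
    if len(hosts) > 1:  # the article notes many links per message; list where they point
        findings.append(f"{len(hosts)} distinct link hosts in body: {', '.join(hosts)}")
    return findings
```

An empty list from `assess` means the authenticated domains matched the From: domain and the body linked to at most one host; a passing SPF or DKIM result on its own never clears a message.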
Why Phishing Kits Like Xiū gǒu Are Dangerous for Everyone
Phishing kits such as Xiū gǒu lower the barrier for entry, allowing even novice cybercriminals to launch successful phishing attacks with minimal technical skill. Xiū gǒu’s admin panel and easy-to-use interface make it simple for attackers to monitor their fake sites, harvest credentials, and target victims en masse. As these kits become more available and affordable on dark web marketplaces, the number of phishing attacks will likely increase.
To avoid falling victim to these scams, users should follow these security best practices:
- Verify Links Carefully: Avoid clicking on links in unsolicited messages, even if they appear to come from legitimate sources. Verify URLs by manually navigating to the official website instead.
- Enable Two-Factor Authentication (2FA): Many phishing attacks seek login credentials. 2FA adds an extra layer of security, making it harder for attackers to access accounts even if they steal a password.
- Stay Informed of Security Features: With companies like Google enhancing RCS security, users should keep their apps up to date and take advantage of any new security features offered.
- Be Wary of Urgent Requests: Many phishing scams create a sense of urgency to pressure victims. Be cautious when messages demand immediate action, especially if they involve payments or account verification.
Final Thoughts
The Xiū gǒu phishing kit and similar threats demonstrate the evolving landscape of cybercrime. As phishing kits become more advanced and accessible, it’s more important than ever for users to stay vigilant. By implementing security best practices and staying aware of the latest threats, individuals and businesses alike can protect themselves against these increasingly sophisticated attacks.