The Register

Cybersecurity Month

Chinese phishing kit helps scammers who send fake texts impersonate TikTok, Coinbase, others

Researchers tracking 2,158 domains hosting YYlaiyu phishing pages

Jessica Lyons
Fri 10 Oct 2025 //22:01 UTC

Exclusive A Chinese-developed phishing kit hosted on thousands of domains and boasting 97 different brands to make criminals' scams look more believable is driving a surge in financial fraud around the globe, according to security researchers.

Since 2023, the Chinese cybercrime economy – specifically phishing websites – has seen its illicit business boom. These are the financial fraudsters that target victims via text-message phishes with lures like "your package is missing" or "you have a toll violation." Increasingly, they use iMessage and RCS instead of SMS to send text messages, which means the texts can bypass SMS firewalls.

These phishing kits make it especially easy for financial fraudsters to send phishing lures in bulk, tailored to victims' specific languages and regional brands. In research shared exclusively with The Register, threat hunters at SpyCloud and urlscan dove deep into one of these phishing-as-a-service panels. It's called YYlaiyu – which roughly translates to erotic fantasizing about catching fish – and earlier this year, the DIY phishing service began offering bespoke brand templates to its subscribers.

"They're hitting globally, so almost no one is safe," Jake Sloane, security researcher at URL threat-scanning service urlscan, told The Register.

The kit, active since at least September 2024, spoofs all types of brands, spanning the classics – like shipping companies including DHL and FedEx – to newer lures such as cryptocurrency platform Coinbase, video streaming app TikTok, food delivery service Keeta and major airlines such as Japan's All Nippon Airways and Australia's Qantas.


Beginning in May, the phishing service's operators also began to roll out brand templates that impersonate investment companies including Fidelity and Schwab, plus Singaporean trading app Tiger Brokers and Hong Kong based trading platform Futu NiuNiu.

Urlscan is currently tracking 2,158 unique domains that have had a YYlaiyu kit hosted on them, according to Sloane.

"They also have a lot of interesting cash-out methods," SpyCloud security researcher Aurora Johnson told The Register, adding that these occur in real time. "They have 97 different things that they're trying to impersonate at once, so they have an actual physical operator sitting there waiting for a live session, for a victim to visit the site, and then they will decide what to do next."

Cashing out…at the expense of your brand

When someone clicks on a text lure, they land on one of YYlaiyu's phishing webpages, which allows the attackers to capture OTP card verification codes. But because different companies use various OTP card verification methods – some might send a code to a user's email, others send a PIN to a mobile device – there's a human operator standing by to interact with the victim in real time.

When a potential victim visits one of these sites, the operator receives an alert that the page has a visitor. The operator then decides what to display to the user based on their input, such as prompting the victim for an OTP code.

"The phishing operator will be interacting with the victim, they'll usually have a mobile device, and they'll be loading data into a digital wallet," Johnson said. "Then they'll use the digital wallet version of the credit card to cash out in different ways."

These include making fraudulent transactions using attacker-controlled point-of-sale (POS) terminals, purchasing gift cards from luxury companies for resale, relaying the NFC traffic to other phones via the Ghost Tap method, or selling phones that they've loaded with stolen card data.

Another method, called Ramp and Dump, involves phishing for login credentials to brokerage services, then using those stolen usernames and passwords to buy shares of attacker-owned stocks. This drives up the stocks' value and allows the miscreants to dump their shares at inflated prices.

Also unique to YYlaiyu is that operators can temporarily disable their phishing pages when the panel is unattended to ensure victims don't submit their data when no one is available to receive and operationalize it.

Plus, the service's domain name registration integrates with Alibaba to allow the phisherfolk to easily register and manage new phishing pages without leaving YYlaiyu's panel.

And this is just one such phishing service in a sea of similar Chinese-language sites enabling financial fraud. Many of these phishing sites' operators share tools, service providers, and techniques with their fellow criminals, and increasingly they use AI to spin up bespoke sites in multiple languages more efficiently.

Johnson cautioned against corporations viewing this as just a threat to individuals – although she does warn, "be aware that they're targeting everyone."

"For enterprises," she added, "be aware that not only are they likely targeting your corporate users, but they're also going to target your customers, and have the ability to do customized branding, to impersonate your brand, and try and steal your customer information using that brand recognition." ®
