Xiū gǒu Phishing Kit
Cybersecurity experts have uncovered a new phishing kit, known as the Xiū gǒu, that has been actively used since at least September 2024 in campaigns targeting Australia, Japan, Spain, the U.K. and the U.S.
To date, over 2,000 phishing websites utilizing this kit have been identified. It has been deployed against a range of sectors, including public services and the postal, digital and banking industries. Threat actors behind this kit frequently leverage Cloudflare's anti-bot features and hosting obfuscation techniques to evade detection, making the attacks harder to trace.
What Are Phishing Kits?
Phishing kits such as the Xiū gǒu present a risk by lowering the entry barrier for less experienced hackers, which could drive a rise in malicious campaigns aimed at stealing sensitive information.
Created by a Chinese-speaking threat actor, the Xiū gǒu includes an admin panel and is built with technologies like Golang and Vue.js. The kit is also configured to exfiltrate credentials and other data from phishing pages hosted under the '.top' top-level domain through Telegram.
How Are the Xiū gǒu Attacks Carried Out?
The phishing attacks are delivered through Rich Communications Services (RCS) messages instead of traditional SMS, alerting recipients about alleged parking fines and failed package deliveries. These messages motivate recipients to click on a shortened link created using a URL shortener service to pay the fine or update their delivery address.
These scams often trick victims into providing personal information and making payments, such as fees to release a parcel or settle a fine.
RCS, which is mainly available through Apple Messages (starting with iOS 18) and Google Messages on Android, enhances the messaging experience by offering features like file sharing, typing indicators, and optional End-to-End Encryption (E2EE).
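As an added illustration of how a defender might triage the lures described above (this is example code written for this article, not part of the kit or of any vendor's filter), the following heuristic scores an RCS/SMS body on the three traits the campaigns combine: a parking-fine or failed-delivery theme, a link through a public URL shortener or to a '.top' host, and urgency wording. The shortener host list and the sample messages are constructed assumptions; the article does not name the shortener service used.

```python
import re
from urllib.parse import urlparse

# Lure themes the article attributes to the Xiū gǒu campaigns.
LURE_KEYWORDS = {
    "parking": ("parking", "fine", "penalty", "toll"),
    "delivery": ("parcel", "package", "delivery", "redeliver", "customs fee"),
}
# Assumption: common public shorteners; the campaign's actual service is not named.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# TLD the article reports hosting the kit's phishing pages.
SUSPECT_TLDS = {"top"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"\b(within|before|today|24 ?hours|immediately)\b")

def extract_hosts(text):
    """Hostnames of every http(s) URL in the message body, lower-cased."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def score_message(text):
    """Return (score, reasons); higher score means more smishing-like."""
    reasons = []
    lower = text.lower()
    for theme, words in LURE_KEYWORDS.items():
        if any(re.search(rf"\b{re.escape(w)}\b", lower) for w in words):
            reasons.append(f"lure:{theme}")
            break  # one lure theme is enough to count
    for host in extract_hosts(text):
        tld = host.rsplit(".", 1)[-1]
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortener:{host}")
        if tld in SUSPECT_TLDS:
            reasons.append(f"tld:.{tld}")
    if URGENCY_RE.search(lower):
        reasons.append("urgency")
    return len(reasons), reasons

# Constructed sample messages (not text from a real campaign).
SAMPLES = [
    "Your parcel could not be delivered. Update your address within 24 hours: https://bit.ly/xxxxxxx",
    "Unpaid parking fine notice. Pay today to avoid a penalty: https://pay-notice-example.top/fine",
    "Hi, are we still on for lunch tomorrow? https://maps.example.org/place/123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(score_message(msg))
```

A score of 2 or more on these three signals is a reasonable threshold for flagging a message for review; the third sample scores 0 because a legitimate link alone carries none of the lure, shortener or urgency traits.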
Google Implementing Additional Security Measures
Google has announced new measures to enhance protection against phishing tactics, including the deployment of improved scam detection that utilizes on-device machine learning models to specifically filter out fraudulent messages related to package deliveries and job offers.
The company is also testing security warnings for users in India, Thailand, Malaysia, and Singapore who receive text messages from unknown senders containing potentially harmful links. These new safeguards, which are set to be rolled out globally later this year, will also block messages with links from suspicious sources.
Additionally, Google is introducing a feature that allows users to 'automatically hide messages from international senders who are not existing contacts' by moving them to the 'Spam & blocked' folder. This feature was initially piloted in Singapore.