
Phishing kit uses over 2,000 websites to target people globally


Security researchers have discovered a phishing kit comprising over 2,000 websites using languages like Golang and Vue.js, targeting victims in Australia, Japan, Spain, the UK, and the US since at least September 2024. The kit is developed by a Chinese-speaking threat actor called Xiū Gǒu. Over 1,500 related IP addresses and phishing domains have also been identified that target victims with fake charges, including government payments and postal scams.

The kit was discovered by security researchers from Netcraft, who reported that it had been used in attacks on public sectors and postal, digital, and banking services. To make matters worse, hackers using the kit often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to avoid detection. The kit also includes an admin panel, and the login credentials and other sensitive information captured by the fake phishing pages it hosts on the “.top” top-level domain are exfiltrated via Telegram.

As mentioned before, the kit is developed using a more modern tech stack, as opposed to the basic HTML/PHP code we’ve seen in the past. It uses Vue.js to create front-end UIs for the admin panel and phishing page, combined with a Golang backend. The kit also comes with Telegram bots that retain access to stolen data even after the phishing pages are taken offline. Finally, threat actors have been observed delivering the kit’s lures via RCS (Rich Communication Services) instead of SMS, which makes the lure messages look more legitimate and believable.

Admin panel login for the Xiū Gǒu phishing kit | Source: Netcraft

Most of the observed attacks involve using the kit to impersonate popular brands and services across verticals. The scams usually involve tricking users into providing their details or making payments. So far, the organisations being impersonated include the USPS, UK Government (e.g., gov.uk and DVSA), Services Australia, Evri, Lloyds, New Zealand Post, and Linkt.

The attack flow is also surprisingly easy to follow. For example, in the case of an impersonation of the UK government’s main website (gov.uk), an RCS message is sent to the victim with a shortened URL, often including a tracking parameter. Once the victims click the link, they’re taken to an identical-looking phishing page. However, visitors that look like bots or other attack-detection tools are redirected to the legitimate site instead.

From this point onwards, depending on the scam, the victim enters their personal and payment details, while other information like their IP address and browser data is sent to Telegram via a bot set up by the threat actor who created the phishing website.
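A defender-side triage routine built around the lure traits described above (the “.top” domains, shortened links carrying a tracking parameter, brand lookalike hostnames, and the redirect of crawlers to the legitimate site). This is an added example, not code from Netcraft or from the kit; the shortener list, brand keywords, allow-list and sample RCS messages are constructed assumptions for the demo.

```python
from urllib.parse import urlparse

# Heuristics drawn from the lure traits the article reports; the shortener list,
# brand keywords and legitimate-host allow-list are constructed for this demo.
LURE_TLDS = {"top"}
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}
BRAND_KEYWORDS = ("govuk", "dvsa", "usps", "evri", "lloyds", "nzpost", "linkt")
LEGIT_HOSTS = {"www.gov.uk", "www.usps.com", "www.evri.com"}


def lure_indicators(url: str) -> list[str]:
    """Indicators a single URL matches; an empty list means nothing suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in LEGIT_HOSTS:
        return []
    hits = []
    if host in SHORTENER_HOSTS:
        hits.append("shortener")
        if parsed.query:  # shortlink carrying a tracking parameter, as in the article
            hits.append("tracking-param")
    if host.rsplit(".", 1)[-1] in LURE_TLDS:
        hits.append("top-tld")
    # strip separators so "dvsa-gov-uk.top" still matches "govuk" and "dvsa"
    squashed = host.replace("-", "").replace(".", "")
    if any(kw in squashed for kw in BRAND_KEYWORDS):
        hits.append("brand-lookalike-host")
    return hits


def cloaking_suspected(browser_final_url: str, crawler_final_url: str) -> bool:
    """True when the same lure bounced a crawler user-agent to a legitimate site
    but left a browser user-agent on the lure host: the redirect the article describes."""
    b_host = (urlparse(browser_final_url).hostname or "").lower()
    c_host = (urlparse(crawler_final_url).hostname or "").lower()
    return c_host in LEGIT_HOSTS and b_host not in LEGIT_HOSTS


def triage(messages: list[str]) -> dict[str, list[str]]:
    """Map every URL found in the message texts to the indicators it matches."""
    results = {}
    for text in messages:
        for token in text.split():
            if token.startswith(("http://", "https://")):
                results[token] = lure_indicators(token)
    return results


# Constructed RCS lure texts, modelled on the gov.uk and postal examples in the article.
SAMPLE_MESSAGES = [
    "DVSA: your vehicle tax payment failed. Resolve now: https://bit.ly/3xA1bC?t=9f1",
    "USPS: package held, pay the redelivery fee at https://usps-redelivery.top/pay",
    "Track your parcel: https://www.evri.com/track",
]
```

Running `triage(SAMPLE_MESSAGES)` flags the first two links and leaves the genuine Evri link clean; feeding `cloaking_suspected` the final URLs from a browser fetch and a crawler fetch of the same lure exposes the redirect-to-legitimate-site behaviour.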

Kits like this are a big problem because they allow hackers or troublemakers without enough technical knowledge to quickly pull off rather sophisticated scams. Netcraft also accessed a tutorial showing kit users how to make a Telegram bot for data extraction, complete with a step-by-step flow and screenshots.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
