New Xiu Gou Phishing Kit Targets US, Other Countries with Mascot

Breaking News: Sophisticated Phishing Kit “Xiu Gou” Targets Global Users

A new phishing kit, dubbed “Xiu Gou,” has emerged, designed to launch widespread phishing attacks across the United States, United Kingdom, Spain, Australia, and Japan since at least September 2024. Discovered by cybersecurity firm Netcraft, this malicious kit features a distinctive “doggo” mascot and includes over 2,000 phishing websites aimed at public sector employees, postal services, digital service providers, and banking institutions.

What Makes Xiu Gou Hard to Detect?

The Xiu Gou kit boasts advanced technology that makes it challenging to detect. Some of its notable features include:

  • An interactive cartoon mascot that allows users to customize the avatar by clicking on it
  • “Easter egg” features, where attackers can embed additional malicious code or messages within the phishing sites
  • A sophisticated frontend built using Vue.js and a Golang backend, which sets it apart from typical PHP-based phishing kits

Cloudflare Evasion Techniques

To remain undetected, Xiu Gou’s creators employ Cloudflare’s anti-bot services and domain obfuscation techniques. They deploy phishing sites on domains with the “.top” suffix, often incorporating keywords linked to scam types.

Example Domain Structure

  • usps0007.xiugou.icu
  • ai.xiugou.icu

Key Features and Technical Specifications

The Xiu Gou kit includes several key features that make it a sophisticated phishing tool:

  • A custom admin panel accessible at the /admin path for easy campaign management
  • The use of Rich Communications Services (RCS) instead of SMS to send phishing lures, making it more difficult to detect
  • Integration with Telegram bots for data exfiltration, ensuring continued access to stolen information even if phishing sites are shut down

Technical Details

  • Frontend: Vue.js
  • Backend: Golang

Targeting Well-Known Organizations

Xiu Gou has primarily targeted prominent organizations such as the United States Postal Service (USPS), gov.uk, Lloyds Bank, and New Zealand Post. Attackers use fake notices related to fines, parcel releases, or government payments to lure victims into providing sensitive information.

Example Campaigns

  • Impersonating the UK government site gov.uk, mimicking penalty charge notices that lead victims to phishing sites styled identically to official pages.
  • Targeting the United States Postal Service (USPS) with fake parcel delivery notifications.

Netcraft’s Investigation

Netcraft’s researchers identified numerous subdomains linked to Xiu Gou, including usps0007.xiugou.icu and ai.xiugou.icu, suggesting that the kit’s creators operate across multiple fronts. The kit’s creator is believed to own “xiugou.icu” and monitors kit installations through referrer headers.
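As an added defender-side example (not code from Netcraft or from the article), the following Python heuristic turns two observations above into a log check: brand keywords on “.top” domains, and the kit’s call-backs to xiugou.icu that carry the phishing page as the Referer. The proxy-log layout, the keyword list and the sample lines are constructed assumptions; only xiugou.icu and the impersonated brands come from the article.

```python
import re
from urllib.parse import urlsplit
# Brands the article says the lures impersonate (letters only, so they match squashed hosts).
BRAND_KEYWORDS = ("usps", "govuk", "lloyds", "nzpost")
KIT_INFRA = "xiugou.icu"   # kit infrastructure named in the article
SUSPECT_TLDS = (".top",)   # TLD the article says the phishing sites favour
# Hypothetical proxy-log layout (an assumption): timestamp client "url" "referer".
LOG_RE = re.compile(r'^\S+ \S+ "(?P<url>[^"]*)" "(?P<referer>[^"]*)"$')
def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def under_kit_infra(host: str) -> bool:
    return host == KIT_INFRA or host.endswith("." + KIT_INFRA)

def brand_hits(host: str) -> list:
    # Drop digits and separators so "usps0007" or "gov-uk" still match a keyword.
    squashed = re.sub(r"[^a-z]", "", host)
    return [kw for kw in BRAND_KEYWORDS if kw in squashed]

def classify(host: str, referer: str = "") -> dict:
    """Map suspicious host -> set of reasons for one request ({} if nothing fires)."""
    flagged = {}
    if under_kit_infra(host):
        flagged.setdefault(host, set()).add("request to kit infrastructure")
        # The kit calls home with the phishing page as Referer, so that page is a likely install.
        ref = host_of(referer)
        if ref and not under_kit_infra(ref):
            flagged.setdefault(ref, set()).add("referred traffic to kit infrastructure")
    brands = brand_hits(host)
    if brands and host.endswith(SUSPECT_TLDS):
        flagged.setdefault(host, set()).add("brand keyword(s) %s on suspect TLD" % ",".join(brands))
    return flagged

def scan_log(lines) -> dict:
    """Aggregate classify() verdicts over a log; lines that do not parse are skipped."""
    verdicts = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            for host, reasons in classify(host_of(m["url"]), m["referer"]).items():
                verdicts.setdefault(host, set()).update(reasons)
    return verdicts

# Constructed sample lines (not real traffic): one lure, one kit call-back, two benign requests.
SAMPLE_LOG = [
    '2024-10-01T10:00:00Z 10.0.0.5 "https://usps-parcel-fee.top/track" ""',
    '2024-10-01T10:00:02Z 10.0.0.5 "https://ai.xiugou.icu/static/app.js" "https://usps-parcel-fee.top/track"',
    '2024-10-01T10:00:05Z 10.0.0.7 "https://www.usps.com/" ""',
    '2024-10-01T10:00:09Z 10.0.0.9 "https://example.top/blog" ""',
]
```

Running `scan_log(SAMPLE_LOG)` flags the lure domain twice (brand keyword on .top, and as the Referer of a kit call-back) and the kit host once, while the legitimate USPS site and the unrelated .top domain stay clean.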

Understanding Phishing Tradecraft

Netcraft emphasized the importance of understanding how phishing tradecraft is developed in order to prevent phishing attacks. By analyzing phishing kits in depth, it is possible to improve both the speed and the accuracy of detection.

“The more we learn about the tactics, techniques, and procedures (TTPs) used by attackers, the better equipped we’ll be to detect, classify, and take down threats like Xiu Gou,” said a Netcraft spokesperson.

    Netcraft
    October 2024
