APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains
Essential information
- Published
- 05/02/2025 00:14
- Modified
- 05/02/2025 11:17
- Tags
- 163.com 2025-02-05 apt credential-theft fake download pages netease phishing spoofed domains taiwan
- Related entities
- 9 observables, 1 intrusion sets (apt), 10 techniques (mitre), 4 others
Description
The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains mimicking 163.com services, with one hosting a malicious login page and others presenting fake large attachment download services. The campaign uses deceptive domain registrations, manipulated TLS certificates, and counterfeit interfaces to harvest credentials. While primarily focused on Chinese targets, this operation highlights the vulnerability of free email services to advanced threat actors and emphasizes the importance of enhanced security measures like multi-factor authentication.