Cyber criminals all over the world have been using a new kit to easily create over 2000 phishing websites in Australia, Japan, Spain, the U.K., and the U.S.
The kit, known as Xiū gǒu (‘Doggo’ in Mandarin, roughly), has been available since September 2024, according to research from Netcraft. Users are being targeted with fake payment requests, for example to pay a fine or release a parcel, among other pretexts.
High-profile organisations, including the USPS, UK Government, Evri, and Lloyds Bank, have been convincingly mimicked to lure unsuspecting users.
While phishing kits are not new, Doggo is uniquely concerning due to its ease of use, level of customisation, and focus on undermining typical security measures. This user-friendly design drastically lowers the technical barrier, making phishing accessible to a wider range of cybercriminals worldwide.
Doggo’s Key Features
Doggo is built on an advanced framework that combines Golang and Vue.js, allowing for a robust server backend (SynPhishServer) and an intuitive, interactive interface on the front end. The backend, written in Golang, facilitates the efficient deployment of phishing sites and helps attackers obfuscate their presence. Vue.js powers the user-friendly phishing pages and a highly customisable admin panel that is designed for easy management and configuration even by novice attackers.
Doggo’s developers have integrated Cloudflare’s anti-bot technology, which plays a critical role in shielding phishing sites from detection. By redirecting bots to benign domains, this tactic effectively bypasses automated security checks, giving attackers time to engage more users.
The Doggo kit also uses Rich Communication Services (RCS) messages rather than the traditional SMS approach. As an evolution of SMS, RCS allows for enhanced messaging options that include media and interactive features, which attackers use to create highly convincing phishing lures. Victims receive messages about purported parking penalties, missed deliveries, or even urgent government notifications, all designed to elicit a quick, unthinking click on a malicious link.
Doggo attack flow
Netcraft’s research provides an in-depth look at Doggo’s attack flow, showing how threat actors use the kit to deploy phishing campaigns. The example below shows an impersonation of gov.uk (the UK government’s main website).
- RCS message is sent to the victim containing a shortened link; this link often includes a tracking parameter
- Victim clicks link
- Victim is sent to a phishing website styled to look exactly like gov.uk
- Note: Using Cloudflare’s anti-bot technology, the kit often directs bots, such as those used for attack detection, to legitimate, non-malicious sites to obfuscate its activity.
- Victim enters their personal data and payment details
- Victim’s details (including their IP address and browser characteristics) are exfiltrated to Telegram via a bot set up by the fraudster running the phishing website
There is even a built-in tutorial in Doggo that instructs the cyber criminal on how to set up their Telegram exfiltration, which allows them to access the stolen details even after their phishing website has been taken down.
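A defender-side triage check for the first step of this flow, as an added example (not code from Netcraft, the kit, or the original article): it flags a message body when a named brand does not match the link's host, or when the link sits behind a shortener with a query parameter. The brand-to-domain map, the shortener list, the keyword list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: official domains for the brands the article names.
BRANDS = {
    "GOV.UK": (re.compile(r"\bgov[.\- ]?uk\b", re.I), {"gov.uk"}),
    "USPS": (re.compile(r"\busps\b", re.I), {"usps.com"}),
    "Evri": (re.compile(r"\bevri\b", re.I), {"evri.com"}),
    "Lloyds": (re.compile(r"\blloyds\b", re.I), {"lloydsbank.com"}),
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumption: small sample
LURE = re.compile(r"\b(penalty|fine|parcel|delivery|payment)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage(message):
    """Return the reasons one inbound SMS/RCS body looks like a phishing lure."""
    reasons = []
    named = {n: doms for n, (rx, doms) in BRANDS.items() if rx.search(message)}
    urls = [u.rstrip(".,;)") for u in URL.findall(message)]
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        if host in SHORTENERS:
            reasons.append(f"shortener hides destination: {host}")
            if parse_qs(parts.query):
                reasons.append("shortened link carries a query parameter")
            continue
        for name, domains in named.items():
            if not any(on_domain(host, d) for d in domains):
                reasons.append(f"{name} named but link goes to {host}")
    if urls and LURE.search(message):
        reasons.append("payment or delivery pressure with a link")
    return reasons

# Constructed sample messages (not taken from any real campaign).
SAMPLES = [
    "GOV.UK: You have an unpaid parking penalty charge. Pay today: https://bit.ly/x7Kq2?c=44812",
    "Evri: we could not deliver your parcel. Reschedule at https://evri-redelivery.example/track.",
    "Parking charge notice from GOV.UK. Settle the payment at https://gov.uk.pcn-settle.example/pay",
    "Your GOV.UK One Login code is 123456. Manage your account at https://www.gov.uk/account",
]
```

The third sample shows why the host comparison is suffix-based: a brand string placed at the front of an unrelated domain does not count as that brand's domain.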
Impact on Global Security
The threat of Doggo does not lie in increased processing power or more sophisticated messaging; most phishing scams are basically the same. Instead, by lowering the technical skills needed to deploy effective phishing schemes, this kit could contribute to an increase in the number of phishing campaigns, including those run by less sophisticated attackers.
As of 2024, phishing remains one of the top methods for cyber criminals to steal credentials and commit fraud, and with kits like Doggo, these threats are only becoming more accessible and frequent.
The global cyber security community has expressed concern over this trend. According to recent studies, 74% of cyber security professionals believe that the 2024 threat landscape is the most challenging in recent years.
Recognising these dangers, giants like Google are ramping up security. Recently, Google shared updates to its Messages app to improve phishing protection, using machine learning to detect scams related to package deliveries and job offers. These protections include piloting security warnings for potentially dangerous links and blocking messages from unknown senders. The updates, which will initially be available in select regions, are expected to become available globally by the end of 2024, signalling a broader move towards adaptive, real-time threat mitigation.
Recommended Security Best Practices for Organisations
With Doggo setting a new standard for plug-and-play phishing tools, organisations must adopt proactive defence strategies to mitigate risk. Here are several key measures to consider:
- Enhanced Staff Training: Continuous phishing awareness and training are crucial for employees.
- Multi-Factor Authentication (MFA): MFA adds an essential layer of security, making it harder for attackers to use stolen credentials.
- Comprehensive Anti-Phishing Tools: Anti-phishing software can intercept phishing sites and warn users before they interact with them.
Doggo’s accessibility marks a new era in cyber threats, where the barriers to launching effective phishing campaigns are lower than ever. As the 2024 threat landscape becomes increasingly challenging, organisations must remain vigilant and invest in security awareness, advanced defences, and a proactive stance toward cybersecurity.
To learn more about protecting against phishing threats, OmniCyber Security is here to offer guidance and robust anti-phishing strategies. Contact us today.