Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

hackread.com
 
Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

The large-scale scam campaign has been ongoing for at least two years, and the cloned websites are still operational.

Online gambling is a booming industry, and the Asia-Pacific region has become the hub of gambling in the world, with China and India leading the way. However, this unexpected rise has led to a sharp incline in illegal activities such as money laundering, online scams, and fraud.

In October 2023, Hackread reported a scam campaign discovered by CloudSEK involving Chinese scammers targeting the Indian digital payment system using illegal instant loan apps. Now, an even bigger scam has come to the fore.

According to Qurium Media, a Swedish nonprofit provider of digital security solutions, Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites.

It all began when MindaNews discovered a Chinese clone of their website and promptly notified Qurium. For context, MindaNews is a Philippine newspaper headquartered in Davao City and serves as the news outlet for the Mindanao Institute of Journalism.

MindaNews’ clone (mmart-inn.com) was registered in China. It had been replicating the newspaper’s content (news, photos, opinion pieces) illegally after translating it into Chinese for the past two years, the most recent translation being of content from February 2023.

“Some MindaNews authors were retained in their English names, while others were translated into Chinese. However, in general, the content is the same when translated to English,” explained MindaNews in its blog post.

The company dug deeper and found more than 500 cloned websites, many of which were of academic institutions, and all were promoting gambling services based in China. 

It is important to note that in August 2023, the Chinese APT group Bronze Starlight was reported to be using stolen Ivacy VPN certificates to sign malware targeting the Southeast Asian gambling sector. However, as of now, it remains unclear if that attack campaign was related to the ongoing website cloning attack.

The cloned websites were hosted on two /24 networks operated by the US-based, Eonix Corporation-owned ServerHub and included websites from public libraries, universities, and private businesses.

All the clones were created in September 2021 and promoted a gambling platform called ‘188bet’ (520xingyun.com/from/188bet.php) through advertisements.

These ads contained a physical address in the Isle of Man, where many other gambling firms (including Kaiyun, BetVictor, Raybet, or Manbetx) were already registered. A website 520xingyun{.}com was hosting a large number of such ads.

Moreover, all the companies were registered in July 2021 through the domain registrar Gname.com Pte. LTD, employing a white-label partnership with TGP Europe and Cube Limited. Both Cube Limited and 188bet have affiliations with the Isle of Man.

These companies served as intermediaries from Asian gaming partners. Further probing revealed that TGP Europe was based in the UK and was found guilty of social responsibility failures and anti-money laundering.

According to Qurium’s report, Gname was involved in different WIPO cases of domains used for ads. It is worth noting that 188bet has officers in Makati, Philippines, which is a standard practice. 

“These Chinese gambling companies are often headquartered in nearby nations like Vietnam and the Philippines due to the fact that gambling is banned in China.”

Qurium

So far, ServerHub has not taken any action against the client for cloning hundreds of websites, as it is still investigating the claims. As the report develops, Hackread.com will monitor the situation and provide updates to readers accordingly.