APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

Feb. 5, 2025, 11:17 a.m.

Description

The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains mimicking 163.com services, with one hosting a malicious login page and others presenting fake large attachment download services. The campaign uses deceptive domain registrations, manipulated TLS certificates, and counterfeit interfaces to harvest credentials. While primarily focused on Chinese targets, this operation highlights the vulnerability of free email services to advanced threat actors and emphasizes the importance of enhanced security measures like multi-factor authentication.
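A defender-side check for the spoofed-domain pattern described above, as an added example that is not part of the original report: it scans proxy-log lines for hostnames that embed the "163" brand token, or show it only after look-alike characters are folded, on anything outside the legitimate domain. The allowlist, the confusable-character map and every hostname in the sample log are assumptions constructed for this example.

```python
import re

BRAND = "163"              # brand token from the service name on the page
LEGIT = {"163.com"}        # assumption: extend with domains you have verified
# Assumed map of characters commonly swapped for digits in lookalike names.
CONFUSABLE = str.maketrans({"l": "1", "i": "1", "|": "1", "o": "0"})

def registrable(host):
    """Naive registrable domain: last two labels (use a public-suffix list in production)."""
    return ".".join(host.split(".")[-2:])

def classify(host):
    """Return 'legit', 'embedded-brand', 'confusable-brand' or None for a hostname."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():      # bare IPv4 address, not a name
        return None
    if registrable(host) in LEGIT:
        return "legit"
    labels = host.split(".")
    if any(BRAND in label for label in labels):
        return "embedded-brand"              # brand padded with text or used as a subdomain
    if any(BRAND in label.translate(CONFUSABLE) for label in labels):
        return "confusable-brand"            # brand visible only after folding look-alikes
    return None

URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def scan(lines):
    """Yield (line_no, host, verdict) for suspicious hosts found in log lines."""
    for n, line in enumerate(lines, 1):
        for host in URL_HOST.findall(line):
            verdict = classify(host)
            if verdict not in (None, "legit"):
                yield n, host, verdict

# Constructed proxy-log lines; the hostnames are invented for this example.
SAMPLE = [
    "2025-02-05T01:00:00Z user1 GET https://mail.163.com/login",
    "2025-02-05T01:00:05Z user2 GET https://mail.l63-files.example/download",
    "2025-02-05T01:00:09Z user3 GET https://attach163mail.example/big",
    "2025-02-05T01:00:12Z user4 GET https://163.com.login.example/auth",
    "2025-02-05T01:00:15Z user5 GET https://www.python.org/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Hits are leads for review rather than verdicts, since unrelated domains can legitimately contain the same digits.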

Date

  • Created: Feb. 5, 2025, 12:14 a.m.
  • Published: Feb. 5, 2025, 12:14 a.m.
  • Modified: Feb. 5, 2025, 11:17 a.m.

Indicators


Attack Patterns

Additional Information

  • Defense
  • Education
  • Government
  • China