Open Forum

Imagine you're going about your day-checking emails and paying bills-when you receive a message that appears to be from your bank. It warns of an issue with your account and prompts you to click a link to fix it. The site looks exactly like your bank's, leading you to enter your login information and personal details. Just like that, a scammer gains access to your account.

Phishing is a common online scam, and what's alarming is that you don't need to be a tech expert to carry it out. Criminal groups are selling easy-to-use phishing kits for anyone, regardless of experience.

A recent investigation by Netcraft revealed a group called the Haozi Gang, which runs an online storefront that's basically the Amazon of cybercrime tools. For $2,000, buyers can purchase a complete "phishing-as-a-service" kit, including fake websites that mimic banks, login pages, and payment systems. The group has been in business since at least 2021. Researchers estimate that their operation has helped facilitate thousands of phishing campaigns targeting victims across more than 50 brands, including PayPal, Apple, Wells Fargo, and Bank of America. Even more chilling: their phishing kits can support multilingual scams in 30+ languages, which means they're going global, fast. And if the scammer runs into trouble? The Haozi Gang offers customer support via Telegram and WhatsApp. These scams aren't just targeting large companies; they are aimed at everyday people, and they are proving effective. With convincing fake messages and cloned websites, phishing scams are tricking individuals into providing sensitive information, such as bank account details, passwords, and credit card numbers. 

To give you a sense of scale:

• The Haozi Gang's tools have helped run tens of thousands of phishing pages
• Over 7,000 unique phishing domains were linked directly to the group
• These pages target everything from banks and payment services to mobile carriers and online stores

Takeaways:

• Be suspicious of urgency. If a message tells you to act fast, especially when money or personal info is involved, pause
• Don't click links in messages. If you get an email or text from your bank or a service you use, don't click the link. Type the web address yourself or use a trusted app
• Look closely at who sent it. Scammers often use email addresses that look almost right-but have extra letters or small changes. Always double-check
• Use two-factor authentication (2FA). It's one of the most effective defenses you can use

What makes the Haozi Gang so dangerous isn't just the tools they sell. They've taken something that used to require skill and turned it into an online shopping experience. That's why these scams are exploding in number and getting harder to spot.

#ALTACyber

------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------

Genady:

I recently experienced a situation where I needed to make a reservation over the phone in WY, during which I was required to provide my credit card information. Two hours later, I received an alert from the "bank" stating that "my transaction for $3,014 at Pizza Hut" had been declined until they received my authorization. I must admit, I do enjoy pizza quite a bit! 🍕

Naturally, when I confirmed that this transaction was not authorized by me, the bank sent me a link. However, due to my awareness from following your content, I refrained from clicking on the link. Instead, I called the bank, and they informed me that there were no transactions associated with Pizza Hut, long story short, I have a new credit card regardless, just to be on the safe side of things.

Thank you for keeping us safe, not only in title, but in life in general, I appreciate you very much.

------------------------------
Mary Enzi CAA
Tax Solutions – FIRPTA Consulting
[email protected]
+1 (281) 578-1040
Katy TX
------------------------------

Original Message:
Sent: 06-06-2025 09:22
From: Genady Vishnevetsky
Subject: Security BUZZ - The "Fast Food" of Cybercrime

Imagine you're going about your day-checking emails and paying bills-when you receive a message that appears to be from your bank. It warns of an issue with your account and prompts you to click a link to fix it. The site looks exactly like your bank's, leading you to enter your login information and personal details. Just like that, a scammer gains access to your account.

Phishing is a common online scam, and what's alarming is that you don't need to be a tech expert to carry it out. Criminal groups are selling easy-to-use phishing kits for anyone, regardless of experience.

A recent investigation by Netcraft revealed a group called the Haozi Gang, which runs an online storefront that's basically the Amazon of cybercrime tools. For $2,000, buyers can purchase a complete "phishing-as-a-service" kit, including fake websites that mimic banks, login pages, and payment systems. The group has been in business since at least 2021. Researchers estimate that their operation has helped facilitate thousands of phishing campaigns targeting victims across more than 50 brands, including PayPal, Apple, Wells Fargo, and Bank of America. Even more chilling: their phishing kits can support multilingual scams in 30+ languages, which means they're going global, fast. And if the scammer runs into trouble? The Haozi Gang offers customer support via Telegram and WhatsApp. These scams aren't just targeting large companies; they are aimed at everyday people, and they are proving effective. With convincing fake messages and cloned websites, phishing scams are tricking individuals into providing sensitive information, such as bank account details, passwords, and credit card numbers. 

To give you a sense of scale:

• The Haozi Gang's tools have helped run tens of thousands of phishing pages
• Over 7,000 unique phishing domains were linked directly to the group
• These pages target everything from banks and payment services to mobile carriers and online stores

Takeaways:

• Be suspicious of urgency. If a message tells you to act fast, especially when money or personal info is involved, pause
• Don't click links in messages. If you get an email or text from your bank or a service you use, don't click the link. Type the web address yourself or use a trusted app
• Look closely at who sent it. Scammers often use email addresses that look almost right-but have extra letters or small changes. Always double-check
• Use two-factor authentication (2FA). It's one of the most effective defenses you can use

What makes the Haozi Gang so dangerous isn't just the tools they sell. They've taken something that used to require skill and turned it into an online shopping experience. That's why these scams are exploding in number and getting harder to spot.

#ALTACyber

------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------