Recently I found two Chinese phishing/scam sites: a site about stocks from Shanghai Huaer Securities, and a government lottery. These two types of sites use a large number of pages with an IFRAME displaying the main site, and both follow a similar layout. The domain names are registered to different people, so the phishers may not be affiliated.
Shanghai Huaer Securities
This site claims to be a stock trading company for the Shanghai Securities market.
|Shanghai Securities trading site.|
The main sites is hosted on huaerzq.com. The "Add to Favorite" links do not use the same domain, rather they leverage short links (http://www.goo.gl/YebPW) which redirect to huaer88997766.now.to, which is simply an IFRAME to huaerzq.com.
There are many now.to sub-domains which display this website:
soso112233.now.to huaer88997766.now.to hua123567000.now.to hua88899900.now.to gugu99889988.now.to gugu001122.now.to lang123123.now.to gugu6677.now.to 168.hua8899.now.to soso9988.now.to gugu8899.now.to 33223388.now.to
The second type of site claims to be a Government lottery. Proceeds are purported to help the kids you see on the right side. I found two slightly different versions of this site.
|Fake government lottery|
www.330069.com 55882.co.cc 55571.co.cc
And the following domains contain an IFRAME to one of the sites above:
797.feels3.de 90.ezpagez.com www.66797.co.cc
These sites are not blocked by any popular phishing blacklist that I am aware of, and will therefore likely stay up for some time.