71 Fake Websites Impersonating German Retailer to Steal Payment Information

Recorded Future Payment Fraud Intelligence has uncovered a sprawling network of 71 fraudulent e-commerce domains designed to impersonate a prominent German international discount retailer, with lidlorg[.]com identified as the central node of this scam operation.

First detected on April 19, 2025, these websites employ advanced brand impersonation tactics, such as typosquatting and the unauthorized use of brand logos, to deceive users into making purchases for goods that will never be delivered.

Sophisticated Scam Network

Beyond mere deception, the primary goal of these sites is to harvest personal and financial data from victims, enabling downstream fraud and card compromise.

As of May 8, 2025, this network has been linked to 12 shared merchant accounts, all of which are deemed highly likely to facilitate fraudulent transactions, posing significant financial and compliance risks to card issuers and merchant acquirers alike.

The technical sophistication of this scam network is evident in its operational structure.

These domains, active since at least February 2025, are interconnected through overlapping use of merchant accounts like AKRU KERAMIK GMBH, YSP*QHWLKJSHOP, and CLOTHWEARABLY, which process payments while masking illicit activities through potential transaction laundering.

Transaction laundering, a method where illegal transactions are disguised as legitimate purchases, is suggested by discrepancies in merchant URL data, such as PETHOUSEN LLC being tied to unrelated scam domains instead of its purported legitimate site.

Fraudulent Merchant Accounts

Many of these fraudulent sites also propagate through malicious online ad campaigns on platforms like Facebook, often under advertiser names such as “EU STORE” and “L Clearance.”

[Figure: Online ad accounts]

These ads have frequently been flagged and removed for violating policies on unacceptable business practices, yet the scam persists, with new domains continuously emerging to replace those taken offline.

The average age of these domains is 65 days, and their malicious nature is underscored by a DomainTools risk score of 88/100.

Adding to the complexity, Recorded Future notes uncertainty regarding the attribution of this network: whether it is orchestrated by a single threat actor or by multiple actors collaborating via dark web services like “cash-out” offerings, fraud-based malvertising, and traffic boosting.

Commonalities in merchant registration data could provide clues for card issuers and acquirers to trace the operator(s), though scam domains themselves are less reliable for attribution due to their ephemeral nature.

Mitigation remains critical: card issuers are advised to block transactions with identified merchant accounts, escalate fraud risk scores for affected customer accounts, and consider card reissuance if fraud thresholds are exceeded.

Merchant acquirers, meanwhile, should flag suspicious accounts for enhanced due diligence or termination using BIN and MCC data lookups via card network APIs.

As this scam operation shows no signs of abating, with new domains and ad campaigns expected to proliferate, the urgency for robust fraud prevention measures cannot be overstated.

Indicators of Compromise (IOCs)

| Merchant Name | Acquirer BIN | MCC | Date First Seen | Date Last Seen | Linked Scam Domains |
|---|---|---|---|---|---|
| AKRU KERAMIK GMBH | 264431 | 5719 | 2025-04-30 | 2025-04-30 | 1 |
| ANT*ONLINE E-COMMERCE STO | 270514 | 5631 | 2025-04-09 | 2025-04-09 | 1 |
| BALSAMIC | 270522 | 5661 | 2025-04-01 | 2025-04-09 | 2 |
| CLOTHWEARABLY | 271109, 024440 | 5691 | 2025-02-25 | 2025-03-07 | 11 |
| YSP*QHWLKJSHOP | 020608 | 5621 | 2025-02-25 | 2025-04-26 | 25 |
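
The issuer-side screening described under mitigation can be sketched against the merchant IOCs listed above. This is an added example, not code from Recorded Future or the article; the record field names, the block/review policy and the reissue threshold are assumptions, and the sample transactions are constructed.

```python
import re
from collections import Counter

# IOC rows from the article's table: (merchant name, acquirer BINs, MCC).
IOCS = [
    ("AKRU KERAMIK GMBH", {"264431"}, "5719"),
    ("ANT*ONLINE E-COMMERCE STO", {"270514"}, "5631"),
    ("BALSAMIC", {"270522"}, "5661"),
    ("CLOTHWEARABLY", {"271109", "024440"}, "5691"),
    ("YSP*QHWLKJSHOP", {"020608"}, "5621"),
]

def normalize(descriptor):
    """Uppercase and keep only A-Z/0-9 so '*', spacing and case variants compare equal."""
    return re.sub(r"[^A-Z0-9]", "", descriptor.upper())

def screen(txn):
    """Return (action, matched IOC name) for one authorization record.
    Field names (descriptor, acquirer_bin, mcc) are assumed, not a real schema."""
    name = normalize(txn["descriptor"])
    # BINs such as 020608 lose their leading zero when stored as integers.
    acq_bin = str(txn["acquirer_bin"]).zfill(6)
    mcc = str(txn["mcc"]).zfill(4)
    result = ("allow", None)
    for ioc_name, bins, ioc_mcc in IOCS:
        # Prefix match: descriptors often carry a trailing city or country.
        name_hit = name.startswith(normalize(ioc_name))
        if name_hit and acq_bin in bins:
            return ("block", ioc_name)      # same merchant account as the IOC
        if name_hit or (acq_bin in bins and mcc == ioc_mcc):
            result = ("review", ioc_name)   # partial match: raise risk score only
    return result

def cards_to_reissue(txns, threshold=2):
    """Cards with at least `threshold` blocked attempts (threshold is an assumed policy)."""
    hits = Counter(t["card"] for t in txns if screen(t)[0] == "block")
    return sorted(card for card, n in hits.items() if n >= threshold)

# Constructed sample records, not real transactions.
SAMPLE = [
    {"card": "card-A", "descriptor": "YSP*QHWLKJSHOP", "acquirer_bin": 20608, "mcc": 5621},
    {"card": "card-A", "descriptor": "clothwearably london", "acquirer_bin": "024440", "mcc": "5691"},
    {"card": "card-B", "descriptor": "Balsamic", "acquirer_bin": "999999", "mcc": "5411"},
    {"card": "card-C", "descriptor": "CORNER BAKERY", "acquirer_bin": "264431", "mcc": "5462"},
]
```

An acquirer BIN match alone is never enough to act on, since legitimate merchants share the same acquirer; the last sample record shows that case.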
