Hackers Created 100+ Fake Web Stores To Steal Millions Of Dollars


Fake web stores are fraudulent websites created by threat actors to mislead consumers into providing “personal information” and making purchases for “non-existent products.” These sites often mimic the appearance of legitimate retailers, making them difficult to identify.

HUMAN’s Satori Threat Intelligence and Research team recently discovered that hackers have created 100+ fake web stores to steal millions of dollars from customers.

100+ Fake Web Stores to Steal Data

A sophisticated cybercrime operation dubbed “Phish ‘n’ Ships” was uncovered recently. It operated through a network of fraudulent e-commerce platforms (“fake web shops”) exploiting digital payment processing systems.

The threat actors, using tools with Simplified Chinese interfaces, implemented a multi-layered attack strategy in which they compromised legitimate websites via “vulnerability exploitation” by injecting malicious code (payload) that generated fake product listings. 

These listings were enhanced with “SEO metadata” by manipulating search algorithms to achieve premium positioning in search results.

Attack from the attacker’s perspective (Source – Human Security)

When users clicked these listings, they were redirected via a sophisticated “traffic forwarding” system to threat actor-controlled domains featuring fraudulent storefronts. 

These stores integrated with four specifically targeted third-party payment processors to capture consumers’ “credit card information” and “PII” via a seemingly legitimate checkout process. 

The operation’s infrastructure included over “1,000 compromised legitimate websites” and “121 fabricated e-commerce platforms,” resulting in estimated financial losses exceeding tens of millions of dollars since its inception in 2019. 

The threat actors employed “advanced web injection” techniques, “SSL certificate spoofing,” and “dynamic content generation” to create convincing fake product listings and reviews that automatically updated to maintain authenticity. 

Fake product listings (Source – Human Security)

Through Satori’s intervention and collaboration with payment processors, the cybersecurity community and law enforcement agencies managed to disrupt the operation’s primary infrastructure, which forced the threat actors to seek alternative attack vectors.

This case illustrates the intersection of cybercrime with digital advertising ecosystems by highlighting the vulnerabilities in “e-commerce security frameworks” and the sophisticated nature of “modern financial fraud operations.”

The Phish ‘n’ Ships attack is a complex, multi-stage scheme that begins with the infection of legitimate websites and allows the threat actors to upload “malicious scripts” and “create fake product listings.”

These scripts use “malicious SEO tactics” to boost the rankings of the fake listings in search results, including “image search.” 

When unsuspecting users click on these listings, they are redirected to websites controlled by the threat actors.

Fake web store (Source – Human Security)

These scripts redirect the user to one of several hundred fake web stores, which can be recognized by specific URL patterns such as:

  • product.aspx?cname=
  • product_details/.html
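
As an added example (not code from HUMAN’s report or this article), the following Python scanner flags requests whose URL matches the two patterns above and notes whether the click arrived from a search engine, as in the redirection chain described. The proxy log format, the search-engine referrer list and the assumption that `product_details/.html` has a slug before `.html` are all constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# URL fragments the article lists as characteristic of the fake stores.
# Assumption: "product_details/.html" actually carries a product slug before ".html".
FAKE_STORE_PATTERNS = [
    ("product.aspx?cname=", re.compile(r"/product\.aspx\?cname=", re.IGNORECASE)),
    ("product_details/*.html", re.compile(r"/product_details/[^/?#]+\.html", re.IGNORECASE)),
]

# A hit whose referrer is a search engine matches the "click on a poisoned listing" step.
SEARCH_REFERRER = re.compile(r"^https?://([^/]+\.)?(google|bing|duckduckgo)\.", re.IGNORECASE)

# Constructed (hypothetical) proxy log format: "<timestamp> <client_ip> <url> <referrer>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify_url(url: str) -> Optional[str]:
    """Return the name of the matching fake-store pattern, or None if the URL is clean."""
    parts = urlsplit(url)
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    for name, pattern in FAKE_STORE_PATTERNS:
        if pattern.search(path_and_query):
            return name
    return None


def scan_log(lines):
    """Parse proxy log lines and return one finding per request that matches a pattern."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than crash the scan
        ts, client, url, referrer = match.groups()
        hit = classify_url(url)
        if hit is None:
            continue
        findings.append({
            "ts": ts,
            "client": client,
            "host": urlsplit(url).hostname,
            "pattern": hit,
            "from_search": bool(SEARCH_REFERRER.match(referrer)),
        })
    return findings


# Constructed sample log lines; only the first and third should be flagged.
SAMPLE_LOG = [
    "2024-10-01T10:00:00Z 10.0.0.5 https://shop.example/product.aspx?cname=garden-hose https://www.google.com/",
    "2024-10-01T10:00:03Z 10.0.0.5 https://shop.example/cart https://shop.example/product.aspx?cname=garden-hose",
    "2024-10-01T10:01:00Z 10.0.0.7 https://store.example/product_details/blue-lamp.html https://www.bing.com/images/search",
    "2024-10-01T10:02:00Z 10.0.0.9 https://intranet.example/product.aspx?id=12 https://intranet.example/",
]
```

Flagged hosts are candidates for review rather than verdicts, since legitimate ASP.NET or CMS sites can use similar paths; the `from_search` flag helps prioritise hits that fit the poisoned-search-result flow.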

At the final stage, the users are forwarded to a checkout page on a “semi-legitimate website” affiliated with the threat actors, where they are instructed to complete the order via a “real payment provider.” 

This enables the threat actors to capture the users’ payment card information, either by abusing the “payment processor gateway” or by “collecting it directly.” 

The threat actors have used a variety of tools to facilitate this scheme as well as diversified cashout methods across multiple payment providers. 

While collaborative efforts have partially disrupted the operation, the threat actors may adapt their tactics, requiring ongoing vigilance to fully combat the Phish ‘n’ Ships attack.
