As the holiday shopping season intensifies, cybersecurity researchers have uncovered a massive threat targeting unsuspecting online consumers. Over 2,000 fake holiday-themed online stores have been registered in a coordinated campaign aimed at stealing user payment information and personal data. These fraudulent websites are designed to mimic legitimate retailers, luring shoppers with enticing discounts and promises of great deals during peak shopping periods like Black Friday and Cyber Monday.
The discovery, made by security firm CloudSEK, reveals a large-scale operation involving two distinct clusters of fraudulent storefronts. One cluster focuses on typosquatted domains that closely resemble Amazon, while the second utilizes a wide range of “.shop” domains to impersonate popular brands such as Apple, Samsung, and Ray-Ban. The sheer volume and sophisticated tactics employed suggest a well-organized and resourced threat actor.
Hackers Register Over 2,000 Fake Holiday Stores for Payment Theft
The extensive network of fake holiday-themed online stores represents a significant risk to consumers worldwide. Researchers identified that these malicious sites are part of an automated campaign, carefully timed to coincide with periods of high online shopping activity. Threat actors are leveraging the urgency and excitement of holiday shopping to their advantage, hoping that consumers will be less vigilant when searching for bargains.
CloudSEK’s analysis highlighted the coordinated nature of these scams, pointing to the consistent use of identical phishing kits, recurring website templates, and shared infrastructure across the network of fake stores. This level of standardization indicates a centralized operation, making it easier for attackers to deploy and manage a large number of fraudulent sites simultaneously. The potential impact on consumers ranges from direct financial losses to the longer-term threat of identity theft.
Deception and Evasion Tactics of Fake Online Stores
The modus operandi of these fake online stores relies on a combination of social engineering and technical evasion techniques to deceive users and avoid detection by security systems. The websites are crafted to appear professional and legitimate, often incorporating holiday-themed banners, countdown timers to create a false sense of urgency, and fake “trust badges” to build credibility with visitors. Additionally, fabricated “recent purchase” pop-ups are employed to generate social proof, pressuring shoppers into making a purchase decision quickly.
When a user attempts to complete a purchase, they are typically redirected to a shell checkout page. This page is specifically designed to harvest the buyer’s billing and payment details. To bypass fraud detection systems, these shell websites often operate on unflagged domains, making them harder to identify and block. The investigation revealed that a shared Content Delivery Network (CDN), specifically ‘cdn.cloud360.top,’ was used to serve assets to over 750 of these fraudulent stores, further underscoring the centralized nature of this operation.
Furthermore, the same JavaScript file, recognisable by a single recurring SHA-256 hash, was found across numerous malicious “.shop” domains. This script controls the fraudulent checkout flow and ensures that the payment details a shopper enters are systematically sent to the attackers. Reusing one script across many domains simplifies deployment for the perpetrators and streamlines data exfiltration, but it also hands defenders a reliable pivot: any storefront serving a file with that hash can be tied to the same campaign.
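The two infrastructure pivots described above, a shared asset host and a recurring script hash, are exactly what an analyst would index across a crawl to collapse thousands of storefronts into one operation. The following is an added example, not code from CloudSEK or the article: it extracts third-party asset hosts from each storefront’s HTML, hashes the scripts the page loads, and reports every indicator shared by two or more domains. The crawl data, hostnames, paths and script bodies are constructed for illustration (the real campaign used the CDN host and hash named in the report).

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample crawl (not real data from the CloudSEK research): for each
# storefront, the HTML a crawler fetched for its checkout page and the raw bytes of
# every external script that page loads. Hostnames and paths are hypothetical; in
# practice you would substitute the CDN host and script hash from the report.
CHECKOUT_JS_SHARED = (
    b"(function(){var f=document.forms[0];f.onsubmit=function(){"
    b"fetch('/c',{method:'POST',body:new FormData(f)});};})();"
)
CHECKOUT_JS_OTHER = b"document.addEventListener('DOMContentLoaded',function(){/* cart */});"
LEGIT_JS = b"window.addEventListener('load',function(){console.log('legit storefront');});"

SAMPLE_CRAWL = [
    {
        "domain": "samsungsafe.shop",
        "html": '<link rel="stylesheet" href="https://cdn.shared-assets.test/theme.css">'
                '<img src="/img/banner.png">'
                '<script src="https://cdn.shared-assets.test/js/checkout.js"></script>',
        "scripts": {"https://cdn.shared-assets.test/js/checkout.js": CHECKOUT_JS_SHARED},
    },
    {
        "domain": "fujifilmsafe.shop",
        "html": '<link rel="stylesheet" href="https://cdn.shared-assets.test/theme.css">'
                '<script src="https://cdn.shared-assets.test/assets/co.js"></script>',
        # Same bytes served under a different path: the hash still matches.
        "scripts": {"https://cdn.shared-assets.test/assets/co.js": CHECKOUT_JS_SHARED},
    },
    {
        "domain": "amaznshop.com",
        "html": '<script src="https://cdn.shared-assets.test/js/cart.js"></script>',
        "scripts": {"https://cdn.shared-assets.test/js/cart.js": CHECKOUT_JS_OTHER},
    },
    {
        "domain": "example-retailer.test",
        "html": '<script src="https://static.example-retailer.test/app.js"></script>',
        "scripts": {"https://static.example-retailer.test/app.js": LEGIT_JS},
    },
]

# Matches src/href attributes on script, link and img tags. Good enough for crawled
# storefront pages; a production pipeline would use a real HTML parser.
ASSET_RE = re.compile(r'<(?:script|link|img)\b[^>]*?\b(?:src|href)=["\']([^"\']+)["\']', re.I)


def extract_asset_urls(html):
    """Return every src/href URL referenced by script, link and img tags, in page order."""
    return ASSET_RE.findall(html)


def external_hosts(domain, urls):
    """Hostnames of third-party assets, i.e. anything not served from the storefront itself."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname  # None for relative paths such as /img/banner.png
        if host and host.lower() != domain.lower():
            hosts.add(host.lower())
    return hosts


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_indicator_index(crawl):
    """Map each indicator, ('cdn', host) or ('js_sha256', digest), to the domains showing it."""
    index = defaultdict(set)
    for site in crawl:
        domain = site["domain"]
        for host in external_hosts(domain, extract_asset_urls(site["html"])):
            index[("cdn", host)].add(domain)
        for body in site["scripts"].values():
            index[("js_sha256", sha256_hex(body))].add(domain)
    return index


def shared_infrastructure(crawl, min_domains=2):
    """Keep only indicators shared by at least min_domains storefronts; those are the
    pivots that tie otherwise unrelated-looking domains into one operation."""
    return {key: sorted(domains)
            for key, domains in build_indicator_index(crawl).items()
            if len(domains) >= min_domains}


if __name__ == "__main__":
    for (kind, value), domains in sorted(shared_infrastructure(SAMPLE_CRAWL).items()):
        print(f"{kind}={value}: {', '.join(domains)}")
```

On the constructed crawl the output is two clusters: the three fake stores grouped by the shared CDN host, and the two stores whose checkout script bytes are identical grouped by hash, while the legitimate retailer with its own static host and unique script falls into neither. Hashing the fetched bytes rather than the URL is what makes the second pivot work when the same script is served under different paths.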
Impersonating Domains and Infrastructure
The fake and impersonating domains identified in this campaign are categorized into two main clusters, each employing specific tactics. Cluster A focuses on mimicking Amazon through typosquatted domain names. Examples include variations like ‘amaboxhub.com,’ ‘amawarehousesale.com,’ and ‘amaznshop.com.’ These slight misspellings are often overlooked by casual shoppers, leading them to fraudulent sites.
Cluster B is characterized by the use of “.shop” domains to impersonate a wide array of well-known brands. Specific examples include ‘xiaomidea.shop,’ ‘Jomalonesafe.shop,’ ‘Fujifilmsafe.shop,’ and ‘Samsungsafe.shop,’ and researchers noted a broader pattern of appending generic suffixes such as ‘safe’ or ‘fast’ to a brand name under the ‘.shop’ TLD. This suggests a scalable, template-driven approach in which attackers generate new fraudulent domains simply by substituting brand names.
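To make the two naming patterns concrete, here is an added example (not code from CloudSEK or the article) that enumerates the brand-plus-suffix ‘.shop’ namespace the Cluster B template would produce and classifies a registered domain against both clusters’ conventions: exact template matches, brand names embedded in the label, edit-distance typosquats such as ‘amaznshop,’ and truncated brand fragments padded with retail words such as ‘amaboxhub.’ The brand list, the legitimate-domain allowlist, the retail vocabulary and the distance thresholds are assumptions for illustration; the domains it is run against are the ones named above.

```python
# Constructed inputs (illustrative, not taken from the report): which brands to
# protect, which domains are the real ones, and the vocabulary the fake stores
# pad their labels with. Tune all of these for a real brand-monitoring feed.
BRANDS = ("amazon", "apple", "samsung", "rayban", "xiaomi", "jomalone", "fujifilm")
LEGITIMATE = {"amazon.com", "apple.com", "samsung.com", "ray-ban.com",
              "mi.com", "jomalone.com", "fujifilm.com"}
TEMPLATE_SUFFIXES = ("safe", "fast")
RETAIL_WORDS = ("warehouse", "outlet", "store", "shop", "sale", "deal", "box", "hub")


def template_domains(brands=BRANDS, suffixes=TEMPLATE_SUFFIXES, tld="shop"):
    """Enumerate the brand+suffix.tld namespace the Cluster B template produces,
    e.g. to seed proactive monitoring, defensive registration or a blocklist."""
    return sorted(f"{brand}{suffix}.{tld}" for brand in brands for suffix in suffixes)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_retail_words(label):
    """Remove shopping vocabulary so only the brand fragment is left,
    e.g. 'amaboxhub' -> 'ama', 'amaznshop' -> 'amazn'."""
    core = label
    for word in RETAIL_WORDS:
        core = core.replace(word, "")
    return core


def classify(domain, brands=BRANDS):
    """Heuristic verdict for one registered domain: (verdict, brand).
    Everything except 'legitimate' and 'no_match' is a candidate for analyst review,
    not a final judgement; the thresholds below are illustrative."""
    domain = domain.lower().strip(".")
    if domain in LEGITIMATE:
        return ("legitimate", domain.split(".")[0])
    label, _, tld = domain.rpartition(".")
    label = label.split(".")[-1]  # registrable label only, ignore subdomains
    # Cluster B template: <brand>safe.shop / <brand>fast.shop
    for brand in brands:
        if tld == "shop" and any(label == brand + s for s in TEMPLATE_SUFFIXES):
            return ("brand_suffix_template", brand)
    # Brand name embedded verbatim at the start or end of the label (e.g. xiaomidea)
    for brand in brands:
        if label.startswith(brand) or label.endswith(brand):
            return ("brand_in_label", brand)
    # Cluster A style: misspelled brand padded with retail words (e.g. amaznshop)
    core = strip_retail_words(label)
    for brand in brands:
        if len(core) >= 4 and levenshtein(core, brand) <= 2:
            return ("typosquat", brand)
    # Truncated brand prefix that only became a name once retail words were added
    if core != label:
        for brand in brands:
            if len(core) >= 3 and brand.startswith(core):
                return ("brand_prefix_plus_retail_words", brand)
    return ("no_match", None)


if __name__ == "__main__":
    for d in ("amaboxhub.com", "amawarehousesale.com", "amaznshop.com", "xiaomidea.shop",
              "Jomalonesafe.shop", "Fujifilmsafe.shop", "Samsungsafe.shop",
              "amazon.com", "example-retailer.test"):
        print(f"{d:24s} -> {classify(d)}")
```

Run as-is, the script flags every Cluster A and Cluster B domain named in the article with the rule that caught it, passes ‘amazon.com’ as legitimate and leaves the unrelated retailer unflagged. Treat the output as a triage queue: the edit-distance and prefix rules deliberately trade precision for recall, which is the right trade when new template variants can be generated by simply swapping the brand name.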
The reliance on shared infrastructure, such as the CDN and the recurring JavaScript file, indicates a high degree of organization among the threat actors. This central control allows for the rapid deployment of new fraudulent sites and the efficient management of existing ones. The discovery of this extensive network of fake holiday stores serves as a stark reminder for consumers to exercise caution and vigilance when shopping online, especially during high-traffic shopping seasons.
The ongoing investigation into this large-scale phishing operation is expected to continue as cybersecurity firms work to identify and dismantle the full extent of the network. Consumers are advised to remain alert for suspicious websites, verify the legitimacy of online retailers, and utilize secure payment methods to protect themselves from potential scams during the holiday shopping period. Further updates are anticipated as more information becomes available regarding the takedown of these fraudulent sites and potential repercussions for the perpetrators.

