Attention, online users: a large-scale attack campaign targeting the online stores of popular brands is underway. The campaign mainly relies on SEO poisoning tactics to target users all over the world.
About the campaign
Active since 2020, the campaign is the work of cybercriminal gangs from China.
According to Seguranca Informatica, the campaign has targeted around 617 online stores located in Portugal, France, Spain, Italy, Chile, Mexico, and Colombia, among others.
Out of the 617 active shopping platforms, 562 were created in 2022 alone.
The servers are located in three countries: the U.S., the Netherlands, and Turkey.
Modus operandi
A campaign typically starts with threat actors hijacking Google search results and setting up their malicious domain to be shown at the top through Google Ads.
In some cases, social media platforms such as Facebook and Instagram were also observed being used to boost their ads.
Once users land on these fake pages, they are asked to share their personal details, which criminals can later use to launch other kinds of campaigns.
The data stolen from victims includes full names, complete addresses, phone numbers, email addresses, passwords, credit card information, and details about the order and tracking code of the package.
Other noteworthy points
Researchers note that the content in the malicious websites - clones of the official stores - is based on a static Content Management System (CMS) and a PHP API that connects with a MySQL cluster in the background.
Each website is made on a generic platform where small tweaks of images and templates would allow the reuse of code for different online stores.
The middleware systems are used for establishing communication between the online store and the payment gateway (where victims add credit card numbers, expiry dates, and CVV codes).
In addition, the package tracking platform is created in such a manner that users will be able to track the status of their placed order but in the end, will receive nothing.
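Because the clones reuse one generic template with only images and text changed, their HTML structure stays nearly identical across domains, which defenders can use to group suspect stores. The following is an added example, not code from the researchers' report; the domains and pages are constructed samples and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Records the tag/class structure of a page; text and attribute URLs are ignored."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        classes = dict(attrs).get("class") or ""
        # Sort class names so "grid prod" and "prod grid" compare equal.
        self.parts.append(f"{tag}.{'.'.join(sorted(classes.split()))}")


def template_fingerprint(html):
    """Hash of the structural skeleton; brand text and image paths do not affect it."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("|".join(parser.parts).encode()).hexdigest()[:16]


def cluster_by_template(pages):
    """Return groups of domains (two or more) that share one template fingerprint."""
    groups = defaultdict(list)
    for domain, html in pages.items():
        groups[template_fingerprint(html)].append(domain)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample pages: two clones of one template, one unrelated site.
SAMPLE_PAGES = {
    "brand-a-outlet.example": '<html><body><div class="hdr"><img src="/a/logo.png"></div>'
    '<ul class="grid prod"><li class="item">Shoe A</li></ul>'
    '<form class="checkout"><input name="card"></form></body></html>',
    "brand-b-sale.example": '<html><body><div class="hdr"><img src="/b/logo.png"></div>'
    '<ul class="prod grid"><li class="item">Bag B</li></ul>'
    '<form class="checkout"><input name="card"></form></body></html>',
    "unrelated-shop.example": '<html><body><header class="top"></header>'
    '<main><p>Welcome</p></main></body></html>',
}

if __name__ == "__main__":
    for group in cluster_by_template(SAMPLE_PAGES):
        print("shared template:", ", ".join(group))
```

A shared fingerprint is only a lead for review, since legitimate shops built on the same commercial theme will also match.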
Final thoughts
Online scams targeting e-commerce sites have been on the rise since the end of 2020, a trend probably related to the Covid-19 situation. Therefore, it is necessary to cross-check URL addresses before visiting online stores. This is key to the early detection of such threats.