121 Fake Web Shops and 1,000 Infected Websites: Inside the Phish ‘n’ Ships Scam
HUMAN’s Satori Threat Intelligence and Research team uncovered a sophisticated network of fraudulent online stores, collectively dubbed “Phish ‘n’ Ships.” The operation, active since 2019, has exploited the digital advertising ecosystem and consumer trust to steal tens of millions of dollars from unsuspecting shoppers worldwide.
The Phish ‘n’ Ships scheme began by targeting consumers on the hunt for popular, niche items. Threat actors set up hundreds of fake online stores, promoting hard-to-find products at attractive prices. “The threat actors, whose internal tools used Simplified Chinese, drove traffic to these fake web shops by infecting legitimate websites with a malicious payload,” Satori’s report explains. This malicious payload not only created fake product listings but also employed sophisticated search engine optimization (SEO) techniques, placing these bogus items at the top of search engine results.
The scam is designed to seem as legitimate as possible. When users clicked on these enticing search results, they were directed to one of the fake web shops, where the checkout process looked real but was rigged to capture personal and payment information. Victims unwittingly provided credit card information through third-party payment processors controlled by the threat actors, completing a purchase that would never be delivered. “When a consumer clicks on the item link, they’re redirected to another website, this one controlled by the threat actor,” the report notes. “On this website, one of four targeted third-party payment processors collects credit card info and confirms a ‘purchase,’ but the product never arrives.”
The scale of the operation is vast. HUMAN researchers estimate that over 1,000 legitimate websites were infected to support these fake listings, with at least 121 fake web shops created to facilitate the fraud. “Researchers estimate losses of tens of millions of dollars over the past five years, with hundreds of thousands of consumers victimized,” Satori’s report states, underscoring the significant financial damage caused by the scheme.
While Phish ‘n’ Ships remains an active threat, significant disruption efforts have been made. Satori researchers debriefed impacted payment processors, who swiftly removed the fraudulent accounts from their platforms. Additionally, law enforcement and the threat intelligence community have been notified, bolstering efforts to dismantle the network. “The fake product listings, which made up a key source of traffic to the fake web stores, have disappeared from search results,” according to Satori, suggesting that the threat actors now face greater difficulty in deceiving new victims.
Phish ‘n’ Ships exemplifies how digital advertising and online shopping can be manipulated to exploit consumer trust. As the report aptly puts it, “If something seems too good to be true… it very likely is.”