
Example of a fake website “tommyilfigershop[.]com” | Image: Silent Push
A sprawling network of fake e-commerce websites—masquerading as legitimate retailers like Apple, Brooks Brothers, and Nordstrom—has been uncovered by Silent Push Threat Analysts following a tip from Mexican journalist Ignacio Gómez Villaseñor. What began as a localized phishing scam timed around Mexico’s “Hot Sale 2025” event quickly unraveled into a sophisticated, global fraud campaign with roots tied to China.
“Our team has uncovered thousands of domains spoofing various payment and retail brands,” Silent Push reports, “including (but not limited to): PayPal, Apple, Wayfair, Lane Bryant, Brooks Brothers, Taylor Made, Hermes, REI, Duluth Trading, Omaha Steaks, Michael Kors, and many, many more.”
Originally targeting Spanish-speaking shoppers in Mexico, the threat actor exploited the popularity of the Hot Sale—a major shopping event akin to Black Friday. Victims were lured to fake retail sites designed to harvest credit card data and personal information under the guise of legitimate online stores.
“In tests carried out by Publimetro México, by entering false bank card data into these portals, the system reacts as if you were actually processing a payment,” revealing a “reserved cart” timer and logos like Visa, MasterCard, and PayPal—classic tactics to foster trust.
As Silent Push analysts expanded their investigation, a technical fingerprint embedded in the infrastructure—containing Chinese language markers—indicated high confidence that the network’s developers originate from China.
“We identified a private technical fingerprint associated with this infrastructure, which contains Chinese words and characters to strongly indicate that the developers of this network are from China.”
Beyond spoofed domains, the attackers exploited legitimate payment methods. Some sites even embedded real Google Pay widgets to process payments using virtual cards, enabling them to receive funds without delivering any goods.
“Even when accepting payments made via [Google Pay], a threat actor can still successfully orchestrate its online scam by simply failing to deliver the ordered products after payment.”
Additionally, domains like harborfrieght[.]shop (a misspelled version of Harbor Freight) featured clones of unrelated brands such as Wrangler Jeans—exposing the actors’ carelessness in deploying fraudulent infrastructure.
The spoofed sites don’t stop at big-name retailers. Domains such as:
guitarcentersale[.]com (spoofing Guitar Center)
nordstromltems[.]com (using an “l” instead of “i” in “items”)
brooksbrothersofficial[.]com
josbankofficial[.]com
tommyilfigershop[.]com (missing the “h” in Hilfiger)
…highlight the attackers’ strategy of small visual deceptions to bypass detection and fool casual shoppers.
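As an added example (not code from the article or from Silent Push), a small lookalike-domain check a defender could run over newly observed domains to catch exactly these tricks: homoglyph swaps, dropped or transposed letters, and brand names padded with generic shopping words. The brand list, filler words and homoglyph table are assumptions chosen to cover the domains named above.

```python
# Assumed brand labels (the registrable name a shopper expects), not a Silent Push list.
BRANDS = ["guitarcenter", "nordstrom", "brooksbrothers", "josbank",
          "tommyhilfiger", "harborfreight"]
# Generic words scammers append to a brand to build a plausible domain (assumed set).
FILLER = ("official", "sale", "shop", "store", "items", "outlet", "online")
# Characters that read as another letter at a glance. Applied to BOTH sides of
# every comparison, so strings are compared by visual shape rather than spelling.
HOMOGLYPHS = {"l": "i", "1": "i", "0": "o", "rn": "m", "vv": "w"}

def canonical(s: str) -> str:
    s = s.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s

def strip_filler(label: str) -> str:
    """Repeatedly remove trailing filler words ("...officialsale" -> "...")."""
    fillers = [canonical(w) for w in FILLER]
    stripped = True
    while stripped:
        stripped = False
        for w in fillers:
            if label.endswith(w) and len(label) > len(w):
                label, stripped = label[: -len(w)], True
    return label

def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): an adjacent swap costs 1."""
    d = [[max(i, j) if i == 0 or j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_brand(domain: str, max_distance: int = 1):
    """Return the brand a domain imitates, or None. Accepts defanged 'x[.]com'."""
    label = domain.replace("[.]", ".").lower().split(".")[0]
    if label in BRANDS:          # the brand's own label is not a lookalike
        return None
    core = strip_filler(canonical(label))
    best = None
    for brand in BRANDS:
        dist = osa_distance(core, canonical(brand))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best[0] if best else None
```

A hit is a triage signal, not proof: compare the domain against the brand's known legitimate domains and registration data before acting on it.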
Despite takedown efforts, the campaign persists. Silent Push notes that thousands of domains remain live as of June 2025, stressing the limitations of traditional takedown efforts.
“In the face of these types of scaled-up, persistent threats, traditional methods appear unable to hold back the tide.”