A phishing campaign known as “Phish n’ Ships,” operational since 2019, has compromised over 1,000 legitimate websites to advertise counterfeit products, particularly hard-to-find items.
Shoppers who click on these listings are redirected to one of hundreds of fraudulent online stores. The stores exist only to collect victims’ personal and payment information; no goods are ever delivered.
According to the Satori Threat Intelligence team at HUMAN, this campaign has impacted hundreds of thousands of consumers, causing estimated damages in the tens of millions of dollars.
The attack begins when the perpetrators infiltrate legitimate websites by exploiting n-day vulnerabilities (known flaws for which a patch already exists but has not been applied), then upload scripts with inconspicuous names such as “zenb.php” and “khyo.php” that generate listings for counterfeit products on the compromised site.
The injected listings are search-engine optimized so that they rank in Google search results and draw in victims. When a victim clicks the link, they are taken through a series of redirects to phony storefronts that often mimic the look of a real store.
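The intrusion pattern above, a dropped PHP script with a meaningless short name plus edits to existing site files, is exactly what a file-integrity check against a known-good manifest catches. The following is an added example, not code from the HUMAN/Satori report, the article, or any affected site: it builds a sha256 manifest from a clean deployment, rescans the webroot, and reports PHP files that were added or changed, with an extra flag for short random-looking names. The directory layout, file names and contents in `demo()` are constructed for this example; only the names “zenb.php” and “khyo.php” come from the article, and the allowlist of common file names is an illustrative assumption.

```python
"""Webroot integrity check for unexpected or altered PHP files.

Added example: compare the current webroot against a manifest (relative
path -> sha256) captured from a clean deployment, report PHP files that were
added or modified, and flag short random-looking names of the kind the
Phish n' Ships operators used ("zenb.php", "khyo.php").
"""
import hashlib
import os
import re
import tempfile

# Heuristic only: 3-6 lowercase letters and nothing else. It is applied solely
# to files that are NOT in the manifest; the real signal is "not in manifest".
SHORT_RANDOM_NAME = re.compile(r"^[a-z]{3,6}\.php$")
# Common legitimate short names excluded from the heuristic (illustrative list).
COMMON_SHORT_NAMES = {"index.php", "admin.php", "login.php", "config.php", "cart.php"}


def sha256_of(path: str) -> str:
    """Stream a file through sha256 so large media files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: str) -> dict[str, str]:
    """Map every file under webroot (relative path) to its sha256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, webroot)] = sha256_of(full)
    return manifest


def is_suspicious_name(rel_path: str) -> bool:
    """True for short all-letter PHP names that are not well-known file names."""
    base = os.path.basename(rel_path)
    return base not in COMMON_SHORT_NAMES and SHORT_RANDOM_NAME.match(base) is not None


def scan_webroot(webroot: str, manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Return sorted (finding, relative_path) pairs describing deviations from the manifest."""
    findings = []
    current = build_manifest(webroot)
    for rel, digest in current.items():
        is_php = rel.lower().endswith(".php")
        if rel not in manifest:
            if is_php:  # new PHP file: always a finding, worse if the name looks random
                kind = "new-php-suspicious-name" if is_suspicious_name(rel) else "new-php"
                findings.append((kind, rel))
        elif manifest[rel] != digest and is_php:  # existing PHP file whose content changed
            findings.append(("modified-php", rel))
    for rel in manifest:
        if rel not in current:  # deleted files are worth knowing about too
            findings.append(("missing", rel))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Constructed sample: a clean baseline, then a simulated intrusion."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "media"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'config.php';\n")
        with open(os.path.join(root, "config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'shop');\n")
        manifest = build_manifest(root)  # baseline taken from the clean deployment

        # Simulated intrusion (constructed): a dropped script with an inconspicuous
        # name, an include injected into a core file, and one harmless new upload.
        with open(os.path.join(root, "media", "zenb.php"), "w") as f:
            f.write("<?php /* attacker-controlled listing generator */\n")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("include 'media/zenb.php';\n")
        with open(os.path.join(root, "media", "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")  # a legitimate new image is not a finding
        return scan_webroot(root, manifest)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:26} {path}")
```

Run this from cron or a deploy hook with the manifest stored off-box (an attacker who can write to the webroot can also edit a manifest kept beside it). Any `new-php` or `modified-php` finding on a site that has not been deployed to is a reason to pull the file and look at what it serves to search-engine crawlers.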
All of the fraudulent stores sit on a network of 14 IP addresses, and their URLs contain distinctive character strings that allow them to be identified. When a victim tries to buy a product from a fake store, they are presented with a counterfeit checkout flow.
The malicious sites capture everything the victim enters, including credit card details, and run the transaction through payment accounts controlled by the attackers. The product never ships, so the victim loses both the money and their personal information.
Over five years of operation, the attackers abused multiple payment service providers to cash out the proceeds of the scam. More recently, they have added payment forms to some of the fraudulent sites that capture victims’ credit card details directly.
HUMAN and its partners have collaborated to address the Phish n’ Ships campaign, notifying affected organizations and reporting the fraudulent sites to Google for removal. To date, most of the malicious search results have been taken down, and nearly all fraudulent stores have ceased operations.
Payment processors have been notified and have closed the offending accounts, disrupting the campaign. The fraudsters may, however, work around these actions and resume operations by standing up a new network of shopping scams.
Consumers are advised to watch for unexpected redirects while shopping online, confirm that the domain in the address bar belongs to the store they intended to visit, and report any sign of fraud to their bank and the authorities as soon as possible.
Source: Bleeping Computer