More than 1,000 legitimate shopping sites have been compromised to promote fake product listings in a credit card phishing scheme dubbed “Phish ‘n’ Ships,” HUMAN’s Satori Threat Intelligence and Research team revealed Thursday.
Researchers believe that the scheme, which has been ongoing since 2019, has affected hundreds of thousands of online shoppers and raked in tens of millions of dollars in stolen funds.
The threat actors behind Phish ‘n’ Ships have built 121 fake online stores that receive traffic through both search engines and listings on compromised sites, and have abused four different third-party payment processors in the scam campaign.
Online shopping scammers do their research
The threat actors use the lure of rare and high-demand items paired with bargain prices and the offer of free shipping to entice victims – for example, one site listed a novelty oven mitt designed to look like the Nintendo Power Glove, which gained popularity through a successful IndieGoGo campaign but has been out of stock for years.
The Satori researchers’ investigation of the attackers’ IP addresses and infrastructure revealed that they used tools to track search-term trend data from a major retailer. This research was likely used both to select items to create listings for and to set each listing’s metadata using search engine optimization (SEO) methods, ensuring the fake listings would appear at the top of search results.
The Phish ‘n’ Ships operation also has a simple automated system for both SEO monitoring and retrieving product images online to use for their listings.
‘Bait and switch’ scheme redirects shoppers to malicious website
The infection of legitimate shopping sites by Phish ‘n’ Ships means shoppers could be redirected from a seemingly safe and trusted online store to an attacker-controlled site by clicking on an injected listing.
The infected sites were most likely compromised through vulnerabilities that enable unauthorized file uploads; the researchers noted that many of the affected WordPress sites used the plugin Divi Sumo Lite, which is affected by a cross-site scripting (XSS) bug that has no official fix, according to Patchstack.
Once redirected to the new, fake store, consumers attempting to purchase a product would be brought to a checkout page to submit their payment information, either through a legitimate payment provider or directly to the threat actor. In the former case, an order is created using a POST request that includes malicious instructions to collect the payment information prior to relaying it to the legitimate payment processor.
After the purchase is complete, the attacker would have both the consumer’s money and their payment information, while the consumer would be left empty-handed with no item ever being shipped.
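As an added illustration, not code from HUMAN’s report or from SC Media, the following Python check lets a store owner audit a page’s HTML for the behaviour described above: product links that send shoppers off the store’s own domain. The store, processor and fake-shop hostnames in the sample are constructed placeholders, and the store’s genuine payment processor is passed in as an allowlisted third party.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: three genuine links plus one injected off-domain listing.
PAGE_URL = "https://legit-store.example/shop"
SAMPLE_HTML = """
<a href="/products/mug">Coffee mug</a>
<a href="https://www.legit-store.example/products/tee">T-shirt</a>
<a href="https://pay.processor-example.test/checkout">Checkout</a>
<a href="mailto:help@legit-store.example">Contact us</a>
<a href="https://bargain-deals.example/p/power-glove-oven-mitt">Power Glove oven mitt</a>
"""

class _HrefCollector(HTMLParser):
    """Collect the href of every <a> tag on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def _host(url):
    """Lower-case hostname without a leading 'www.' (empty string if none)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def _same_site(host, site):
    return host == site or host.endswith("." + site)

def find_offsite_links(page_url, html, allowed_hosts=()):
    """Return (absolute URL, host) for each http(s) link that leaves the store's site.
    allowed_hosts names third parties the store legitimately hands off to, e.g. its payment processor."""
    site = _host(page_url)
    trusted = [_host("//" + h) for h in allowed_hosts]
    parser = _HrefCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).scheme not in ("http", "https"):
            continue  # mailto:, tel:, javascript: links are not product listings
        host = _host(absolute)
        if not (_same_site(host, site) or any(_same_site(host, t) for t in trusted)):
            flagged.append((absolute, host))
    return flagged
```

Run over the sample with `allowed_hosts=["pay.processor-example.test"]`, only the oven-mitt listing pointing at `bargain-deals.example` is flagged; run over a real store, each flagged link is a candidate injected listing to inspect.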
“This sort of bait-and-switch scheme has been going on for decades, as long as online stores have been online,” Roger Grimes, data-driven defense evangelist at KnowBe4, told SC Media. “The ultimate defense is that online stores need to be better protected against being hacked themselves, and that usually means better anti social-engineering training, better patching, use of phishing-resistant MFA for all logons, and better configuration management.”
Phish ‘n’ Ships disrupted, but still an active threat
HUMAN reported that it has worked with partners, including impacted websites and payment processors, to disrupt the Phish ‘n’ Ships operation with some success. The Satori research group found that some of the most popular fake product listings driving traffic from Google searches had disappeared from Google search results as of October 2024.
Payment processors whose services were abused in the campaign, both to receive funds and make the checkout process appear more legitimate, were also notified and removed the threat actors’ accounts from their platforms. The Satori researchers also shared their findings about the campaign with law enforcement officials and the threat intelligence community.
Despite this progress, HUMAN notes that the Phish ‘n’ Ships threat actors are not likely to “pull the plug on their work” after these setbacks and warns shoppers to be vigilant about offers that are “too good to be true” while browsing online stores.
“All users should be made aware of these bait & switch schemes, and be told that if the domain name on the URL of the online store you are visiting changes, be careful about feeding in your personal and credit card information,” Grimes added.