
Fake Sale, Wallet Stale

  • Javier Conejo del Cerro
  • 5 days ago
  • 2 min read

In one of the largest active phishing campaigns of 2025, cybersecurity firm Silent Push has uncovered thousands of fake e-commerce websites mimicking global brands like Apple, Michael Kors, Wayfair, and REI. Operated from China and exposed with help from Mexican journalist Ignacio Gómez Villaseñor, the scam was especially active during Mexico’s Hot Sale 2025 (May 26–June 3), but remained live in June—and many malicious domains are still online.

The victims? English and Spanish-speaking online shoppers, deceived by hyper-realistic storefronts designed to simulate legitimate retail experiences. These sites include “reserved cart” countdowns, official logos of Visa, PayPal, Oxxo, and SPEI, and even live Google Pay integration. Victims, thinking they’re getting a great deal, unknowingly submit their payment details—only to receive nothing in return or be charged fraudulently.


Websites Laced with SEO Poison


This operation relies on typosquatting and SEO poisoning to bait unsuspecting users. Domains like harborfrieghtshop[.]com (Harbor Freight with the "ei" transposed and "shop" appended) and nordstromltems[.]com (a lowercase "l" in place of the "i" in "items") were crafted to confuse shoppers. Some even displayed cloned content from unrelated sites like Wrangler Jeans or Guitar Center, intensifying the illusion.

Entry vectors included:


  • SEO poisoning (manipulated search rankings that place the fake storefront above the real one).

  • Ads with deceptive URLs (malvertising).

  • Phishing links shared via messages or social platforms.


Once a victim lands on one of these sites, they may provide:


  • Credit card numbers.

  • Full names.

  • Billing addresses.

  • Transaction metadata.


The Google Pay button offers no protection here. Google Pay hands the merchant a tokenized virtual account number rather than the real card number, so the card itself may never be exposed, but the attackers simply never ship anything, and the payment is lost either way. Silent Push identified Chinese-language code, server infrastructure, and control patterns, tying the network firmly to China.


Defense for Admins and Users


To combat such widespread fraud, both administrators and users must adopt layered security practices:


For website administrators:


  • Monitor new domain registrations and certificate transparency logs for look-alikes of your brand (typos, swapped characters, brand name plus "shop" or "sale"), and agree a takedown path with registrars and hosting providers in advance so spoofed domains are removed before they cause harm.


  • Secure the payment side: merchant verification with the providers whose logos the fakes display (Visa, PayPal, Google Pay) lets those providers cut off impersonating merchants, which deters fake stores from mimicking a legitimate checkout.


  • Real-time transaction monitoring allows brands to detect unusual payment behavior and protect their customers.


For users:


  • Check URLs carefully, especially during major sales events: look for spelling errors, swapped or look-alike characters ("l" for "i"), extra words glued onto a brand name, and unfamiliar domain endings.


  • Avoid unsolicited offers, especially those received via message or suspicious ad links.


  • Use virtual or single-use card numbers with spending limits, so that a scam that succeeds costs at most the limit and never exposes the real card.
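The look-alike tricks described above, and the URL checks recommended for both administrators and shoppers, can be turned into a small checker. The following code is an added example written for this page, not Silent Push's or the author's tooling; the brand watchlist, the homoglyph table and the filler-word list are assumptions built from the domains named here, and the TLD handling assumes a single-label public suffix. It flags the two domains quoted above plus a few constructed control entries and reports which brand each one imitates and how.

```python
"""Look-alike domain checker: flags typosquats, homoglyph swaps and brand-plus-filler
domains against a brand watchlist. Added example; not Silent Push or author tooling."""
import re

# Brands named on this page as registrable labels (constructed watchlist).
WATCHLIST = ["harborfreight", "nordstrom", "wayfair", "apple", "michaelkors", "rei"]

# Confusable sequences a shopper's eye glosses over (assumption: representative subset).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"), ("5", "s")]

# Retail words glued onto brand names by such campaigns (assumption: representative subset).
FILLER_WORDS = ["hotsale", "official", "online", "outlet", "store", "items",
                "deals", "sales", "sale", "shop", "mx"]


def normalize(s: str) -> str:
    """Collapse confusables so 'nordstromltems' compares as 'nordstromitems'."""
    for lookalike, real in HOMOGLYPHS:
        s = s.replace(lookalike, real)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # 'ie' <-> 'ei' costs one edit
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Label left of the TLD from a URL or (defanged) hostname.
    Assumption: single-label public suffix; a real deployment uses the public suffix list."""
    host = domain.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    host = re.sub(r"^https?://", "", host).split("/")[0].split(":")[0]
    labels = [part for part in host.split(".") if part]
    return labels[-2] if len(labels) >= 2 else host


def strip_filler(label: str, words=FILLER_WORDS) -> str:
    """Drop hyphens and any leading/trailing filler words: 'wayfair-outlet' -> 'wayfair'."""
    label = label.replace("-", "").replace("_", "")
    changed = True
    while changed:
        changed = False
        for w in words:
            if len(label) > len(w) and label.endswith(w):
                label, changed = label[: -len(w)], True
            elif len(label) > len(w) and label.startswith(w):
                label, changed = label[len(w):], True
    return label


def classify(domain: str, watchlist=WATCHLIST):
    """Return [(brand, technique), ...] for a look-alike domain, or [] when nothing matches."""
    label = registrable_label(domain)
    norm_words = [normalize(w) for w in FILLER_WORDS]
    core = strip_filler(normalize(label), norm_words)
    findings = []
    for brand in watchlist:
        target = normalize(brand)
        if core == target:
            if label == brand:
                continue  # the brand's own label: nothing to flag
            technique = ("brand plus filler words" if strip_filler(label) == brand
                         else "homoglyph substitution")
        elif target in core:
            technique = "brand embedded in a longer label"
        elif len(brand) >= 5 and osa_distance(core, target) == 1:
            technique = "typo one edit away from brand"
        else:
            continue
        findings.append((brand, technique))
    return findings


def scan_feed(domains, watchlist=WATCHLIST):
    """Admin side: run a newly-observed-domains feed through classify() and keep the hits."""
    return {d: hits for d in domains if (hits := classify(d, watchlist))}


if __name__ == "__main__":
    # Constructed sample feed: the two domains named on this page plus control entries.
    feed = ["harborfrieghtshop[.]com", "nordstromltems[.]com", "wayfair-outlet.mx",
            "rnichaelkors-sale.com", "www.nordstrom.com", "example.org"]
    for domain, hits in scan_feed(feed).items():
        print(f"{domain}: {hits}")
```

Feeding a newly-registered-domain or certificate transparency feed into scan_feed() is the administrator use; running classify() on a link before typing card details is the shopper use. Substring matching on short brand names (rei, apple) is noisy, so a real deployment keeps an allowlist of the brand's own domains and replaces the single-label TLD assumption with the public suffix list.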


While takedowns are ongoing, the resilience and scope of this infrastructure reflect the maturity of phishing-as-a-service operations—now tailored to retail and consumer manipulation.




 
 
 
