Malicious schemas linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world and thereby trick victims. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, Columbia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected.
Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are available on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).
As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than 1k malicious entries is provided at the end of the article.
The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.
A new campaign typically starts with the authors setting up the malicious domain at the top of Google search through digital ads (Google ads) – as shown above referring to the Lefties clothing store disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, social Ads were also found on Instagram and Facebook social media platforms.
The content of the malicious websites – clones of the official stores – are based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts related to the static CMS can be found on a GitHub repository from criminals. In detail, criminals put some effort into developing a generic platform that could serve a mega operation at a large scale, where small tweaks of images and templates would allow the reuse of code for different online stores. Then, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:
As usual, this Personally Identifiable Information (PII) can be utilized later by criminals to leverage other kinds of campaigns. In order to prevent this type of scenario, we provide a tool that allows you to validate if victims’ information is now in the wrong hands.
In addition, the middleware websites hosted on another domain receive the payment data during the payment process and try to complete the online transaction on several online payment systems such as Stripe. If the transaction is successfully completed, the response message from the payment system is sent to the middleware platform responsible for sending the “HTTP-response” back to the online store that is executing the payment transaction. After that, a tracking code is sent to the victims’ side in order to follow the package.
The package tracking platform is also created by criminals and it is embedded part of a legitimate platform: 17track.net. This whole process is aimed at creating a fully controlled scenario and very close to a legitimate system, but in the end, the victim will actually receive the package, not with clothes, but garbage.
More details about this research can be found in the original publication here.
About the author Pedro Tavares:
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.
(SecurityAffairs – hacking, Shopping trap)