With “tens of millions of dollars” stolen from “hundreds of thousands” of web users, a serious warning has just been issued for the billions of users of the most popular web browsers. Google has removed known websites from search results, but that will not eradicate links elsewhere, on social media and messaging platforms. It is critical all users know what to look for. Put very simply—you must not use these websites.
Human Security’s Satori researchers warn that threat actors “drove traffic to fake web shops by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer. When a consumer clicks on the item link, they’re redirected to another website, this one controlled by the threat actor.”
On the dangerous website itself, users would be directed to a legitimate payment processing platform to buy their chosen product. That product would never arrive, of course, but the money would certainly be taken. While many consumers may be protected from the ultimate financial cost through credit card chargebacks, that’s never guaranteed until a claim is investigated.
In the campaign most recently outed, bad actors “infected more than 1,000 websites to create and promote fake product listings and built 121 fake web stores to trick consumers… estimating losses of tens of millions of dollars over the past five years, with hundreds of thousands of consumers victimized.”
So, what can you look for to avoid seeing your money disappear into a black hole?
- Product deals that look too good to be true usually are: if a bargain is being offered below market rates, do not proceed unless you can verify the site
- Check consistency between website names and the names that appear in popups, payment processing windows and the URL. This specific campaign infected legitimate websites and then redirected elsewhere
- Does the ordering process feel fully legitimate—does it offer autofill address details, for example, and does it check the quality of the data you enter
- If this is a website you have not used before, check reviews carefully—remember they can be fake—and look for reviews of the site on established review websites
- Can you find the product on a known website, even if it is more expensive
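The second checklist item, that the name on the page, the payment window and the URL should all agree, is something a site owner or analyst can automate by recording the redirect hops from a product listing and flagging every hop that leaves the original site's domain. The script below is an added illustration of that check, not code from the article or from Human Security's Satori team; the redirect chain is constructed, and the `example-legit.org`, `example-fake.shop` and `example-processor.com` hostnames are hypothetical placeholders. It treats the last two labels of a hostname as the registrable domain, a simplification that is fine for `.com`-style names but not for suffixes such as `co.uk`.

```python
from urllib.parse import urlparse

# Constructed sample chain: a product link on a legitimate site bounces through
# a local redirector, lands on a store under a different domain, and finally
# hands the shopper to a third-party payment page. None of these hosts is real.
SAMPLE_CHAIN = [
    "https://blog.example-legit.org/shop/product?id=4421",
    "https://blog.example-legit.org/go/4421",
    "https://deals-outlet.example-fake.shop/item/4421",
    "https://pay.example-processor.com/checkout?merchant=deals-outlet",
]


def registrable_domain(url):
    """Return the last two labels of the URL's hostname (simplified public-suffix logic)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_redirect_chain(chain):
    """Flag every hop whose registrable domain differs from the previous hop.

    Returns a list of dicts describing each cross-domain hop; an empty list
    means the whole journey stayed on one site.
    """
    findings = []
    for hop in range(1, len(chain)):
        before = registrable_domain(chain[hop - 1])
        after = registrable_domain(chain[hop])
        if before != after:
            findings.append({"hop": hop, "from": before, "to": after, "url": chain[hop]})
    return findings


def is_suspicious(chain):
    """True when the shopper ends up on a different site from where the listing lived."""
    return registrable_domain(chain[0]) != registrable_domain(chain[-1])


def report(chain):
    """Human-readable summary for a single product-link journey."""
    lines = [f"start:   {registrable_domain(chain[0])}",
             f"landing: {registrable_domain(chain[-1])}"]
    for f in analyze_redirect_chain(chain):
        lines.append(f"hop {f['hop']}: {f['from']} -> {f['to']}  ({f['url']})")
    lines.append("verdict: " + ("CROSS-DOMAIN REDIRECT, verify before paying"
                                if is_suspicious(chain) else "stayed on one site"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CHAIN))
```

A genuine hand-off to a payment processor will also show up as a domain change, so the useful signal is the first hop that leaves the listing's site for an unknown store, not the final hop to a processor; that is why the findings keep the hop index rather than collapsing to a single yes/no.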
This campaign, dubbed “phish and ships” by the research team, included a number of sophisticated touches, such as metadata crafted to hit the top of search results, albeit Google has removed those results known to be fraudulent. Because the attackers infected legitimate websites, users would initially be lulled into a false sense of security; the redirect to a fake web store is when alarm bells should start to ring.
A list of all known fake websites can be found here, some of which remain active despite the known threats per this latest report.
“This operation underscores the relationship between the digital advertising ecosystem and fraud,” Satori says. “Without the threat actors’ staged fake organic and sponsored product listings, there would have been no traffic to the fake web stores and therefore, no fraud. A key takeaway from Phish ‘n’ Ships is that digital advertising can be dangerous, and consumers should exercise caution when clicking through to the next step in a digital journey.”
Users of all major browsers fall victim to such attacks. The research team warns that “Phish ’n’ Ships remains an active threat,” albeit Google’s takedown has “partially disrupted” its threat. “It’s unlikely the threat actors will pull the plug on their work without trying to find a new way to perpetuate their fraud.”