Online shopping
Image: Getty Images / Unsplash

Shopping scam sprawled across thousands of websites, bilked ‘tens of millions of dollars’

Crooks potentially defrauded hundreds of thousands of consumers by hacking legitimate shopping websites and redirecting people to fake online shops that sold hard-to-find items but never shipped them, according to cybersecurity researchers.

The long-running scheme involved malicious code that “creates fake product listings and adds metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer,” Satori Threat Intelligence said Thursday.

Clicking on one of those links sent victims to another website, controlled by the cybercriminals, where “one of four targeted third-party payment processors collects credit card info and confirms a ‘purchase’, but the product never arrives.”

The researchers — a unit of cybersecurity company HUMAN — said they were able to largely disrupt the operation by notifying the affected payment processors and law enforcement. The scheme, labeled “Phish ‘n’ Ships,” dates back to at least 2019, and the threat actors used Simplified Chinese in their internal tools, the report said.

Authorities have been warning consumers about such scams for years. Earlier in 2024 a German company, Security Research Labs, reported on a similarly large operation, dubbed BogusBazaar. Phish ‘n’ Ships has some elements in common with that one, Satori’s analysts said. Security Research Labs said BogusBazaar appeared to have China as its main operating hub.

The Phish ‘n’ Ships scammers “infected more than 1,000 websites to create and promote fake product listings and built 121 fake web stores to trick consumers,” the Satori researchers said. The damage tallies up to “losses of tens of millions of dollars over the past five years, with hundreds of thousands of consumers victimized.”

The researchers say that despite the current disruptions, the operation is an active and ongoing threat, although the fraudsters appear to “have been forced to hunt for new methods.”

The affected consumers often are searching for niche items with limited supplies, the researchers said, citing oven mitts that look like Nintendo’s Power Glove video game accessory from the 1980s. One sham website listed them for about $60.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Joe Warminsky

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.