With tens of millions of dollars stolen from hundreds of thousands of web users, a serious warning has been issued for billions of users of popular web browsers. Google has removed known malicious websites from search results, but this will not eliminate links on social media and messaging platforms. It is essential that all users know what to look out for.
The Threat: Fake Websites with Malicious Payloads
Human Security’s Satori researchers have warned about a threat where attackers “infected legitimate websites with a malicious payload” to drive traffic to fake web shops. This payload creates fake product listings and adds metadata to make these listings appear near the top of search engine rankings, making them attractive to unsuspecting consumers.
How the Attack Works
When a consumer clicks on a fake item link, they are redirected to another website controlled by the threat actor. On this fraudulent website, users are sent to a legitimate payment processing platform to pay for their chosen product. However, the product never arrives, and the money is taken. While credit card chargebacks may protect some consumers from financial loss, a refund is not guaranteed and typically comes only after the claim has been investigated.
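A site-owner-side check for the injected listings described above, added here as an example and not taken from the Satori report: it assumes the payload plants its fake listings as schema.org Product JSON-LD (an assumption about the format) and flags any Product whose offer URL points off the site's own host. The bakery page is constructed sample input.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

class JsonLdCollector(HTMLParser):
    """Collect the body of every <script type="application/ld+json"> in a page."""
    def __init__(self):
        super().__init__()
        self.blocks, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and (dict(attrs).get("type") or "").lower() == "application/ld+json":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.blocks.append("".join(self._buf))
            self._buf = None

def iter_products(node):
    """Yield every schema.org Product object nested anywhere in a JSON-LD value."""
    if isinstance(node, dict) and node.get("@type") == "Product":
        yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for value in children:
        yield from iter_products(value)

def offdomain_listings(html, site_host):
    """Yield (product name, offer URL) for each Product whose offer leaves site_host."""
    parser = JsonLdCollector()
    parser.feed(html)
    for block in parser.blocks:
        try:
            data = json.loads(block)
        except ValueError:  # malformed JSON-LD is skipped, not flagged
            continue
        for product in iter_products(data):
            offers = product.get("offers", [])
            for offer in offers if isinstance(offers, list) else [offers]:
                host = urlparse(offer.get("url", "")).hostname or ""
                if host and host != site_host and not host.endswith("." + site_host):
                    yield (product.get("name", "?"), offer["url"])

# Constructed sample: a bakery page carrying one genuine listing and one injected one.
SAMPLE_HTML = """<html><head><title>Hometown Bakery</title>
<script type="application/ld+json">{"@type":"Product","name":"Sourdough Loaf","offers":{"@type":"Offer","price":"6.00","url":"https://bakery.example/shop/sourdough"}}</script>
<script type="application/ld+json">{"@type":"Product","name":"Designer Handbag","offers":[{"@type":"Offer","price":"39.99","url":"https://cheap-deals.example/handbag"}]}</script>
</head><body>Fresh bread daily.</body></html>"""
```

Running `list(offdomain_listings(SAMPLE_HTML, "bakery.example"))` reports only the handbag listing; a crawl of a site's own pages with this check is one way to spot planted listings before search engines index them.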
The Scope of the Attack
In the latest campaign, bad actors “infected over 1,000 websites to create and promote fake product listings” and built 121 fake web stores to trick consumers. Estimated losses over the past five years amount to tens of millions of dollars, with hundreds of thousands of victims.
How to Avoid Falling Victim
To avoid losing money to these scams:
1. Be wary of extremely low prices: If a deal seems too good to be true, it probably is.
2. Verify website consistency: Check if the website name matches the names in popups, payment processing windows, and the URL.
3. Look for a legitimate ordering process: Genuine checkout flows usually autofill address details and validate the data you enter.
4. Check reviews carefully: Be aware that fake reviews may exist, and look for known website reviews of the site.
5. Verify product availability on reputable websites: Even if a product is cheaper on the suspicious site, check if it’s available at a higher price on a trusted website.
The Campaign: “Phish ‘n’ Ships”
This campaign, dubbed “Phish ‘n’ Ships” by the research team, used sophisticated tactics, including search-ranking metadata that pushes the fake listings into top search results. Google has removed known fraudulent websites, but users should still be cautious.
A List of Known Fake Websites
Find a list of all known fake websites here, some of which remain active despite the latest report.
“This operation highlights the relationship between digital advertising and fraud,” says Satori. “Without the threat actors’ staged fake organic and sponsored product listings, there would have been no traffic to the fake web stores and therefore, no fraud.”
Users of all major browsers can fall victim to such attacks. The research team warns that “Phish ‘n’ Ships remains an active threat” despite Google’s takedown, which has only partially disrupted its activity. The threat actors are unlikely to stop until they find a new way to perpetuate their fraud.
Source: Forbes