A sophisticated network of fraudulent e-commerce websites has been uncovered, targeting unsuspecting online shoppers by impersonating renowned brands such as Apple and Wrangler Jeans. This operation, traced back to Chinese cybercriminals, employs thousands of convincingly designed storefronts to harvest payment credentials and personal information.
Discovery and Expansion of the Fraudulent Network
The campaign first came to light during Latin America’s Hot Sale 2025, a major online shopping event. Mexican journalist Ignacio Gómez Villaseñor identified suspicious domains hosted on a single IP address, leading to the revelation of a vast network of fake online stores. These fraudulent sites rapidly expanded their reach, cloning product catalogs from brands like Apple and Wrangler Jeans to deceive English-speaking consumers.
Deceptive Tactics and Payment Processing Abuse
Victims are lured through polished checkout pages that accept major payment methods, including Visa, MasterCard, PayPal, and Google Pay. These pages feature authentic logos and even display countdown timers to simulate legitimate order processing, effectively masking the theft of payment information. The fraudulent network’s infrastructure was identified by Silent Push analysts, who discovered an obfuscated /cn/模板.css path embedded in every template—a clear indicator that the kit’s developer left debugging comments in Mandarin.
Technical Evasion Strategies
The operators employ advanced evasion techniques to maintain their fraudulent activities:
– Domain Rotation: Registering 40 to 50 look-alike domains daily, they rotate these behind reverse proxies that dynamically rewrite HTTP headers, making detection and takedown efforts challenging.
– Widget Obfuscation: Each store’s checkout widget includes scripts that conceal their true origin. For instance, a script may execute only on domains ending in .shop, preventing analysts from replicating the malicious behavior in controlled environments.
– Dynamic Content Delivery: By base64-encoding timestamps, the path to malicious scripts changes with every page load, defeating signature-based web filters that rely on static indicators of compromise.
Impact on Consumers and Payment Processors
The fraudulent activities have led to a surge in disputed transactions associated with virtual card numbers, indicating that even tokenization methods like those used by Google Pay cannot fully protect users if the goods are never delivered. Chargeback ratios have exceeded acceptable thresholds at several acquiring banks, temporarily blacklisting legitimate merchants whose Bank Identification Numbers (BINs) overlapped with those used by the rogue gateways.
Challenges in Detection and Prevention
Traditional antivirus tools have struggled to detect these fraudulent sites because no executable payload is delivered; all malicious logic resides in JavaScript served from the same Content Delivery Network (CDN) that hosts legitimate Shopify plugins. To stay operational, the fraudsters register numerous look-alike domains daily and rotate them behind reverse proxies that rewrite HTTP headers dynamically. Each store’s checkout widget includes scripts that conceal their true origin, executing only on domains ending in .shop, which prevents analysts from replicating the malicious behavior in controlled environments. By base64-encoding timestamps, the path to malicious scripts changes with every page load, defeating signature-based web filters that rely on static indicators of compromise.
Recommendations for Online Shoppers
To protect themselves from such sophisticated scams, consumers are advised to:
– Verify Website Authenticity: Always check the URL for misspellings or unusual domain extensions. Official brand websites typically use standard domains like .com or .net.
– Be Cautious of Unbelievable Deals: If an offer seems too good to be true, it likely is. Extremely low prices can be a red flag for fraudulent activity.
– Use Secure Payment Methods: Opt for payment options that offer buyer protection and avoid entering payment details on unfamiliar sites.
– Monitor Financial Statements: Regularly review bank and credit card statements for unauthorized transactions and report any suspicious activity immediately.
Conclusion
The emergence of this extensive network of fake e-commerce websites underscores the evolving tactics of cybercriminals and the importance of vigilance in online shopping. By staying informed and cautious, consumers can better protect themselves against such deceptive schemes.
