As the holiday season approaches, the following investigation becomes all the more significant. As consumers approach the Black Friday/Cyber Monday period, it’s instructive to note that malicious actors have identified myriad ways to capture consumers’ attention and defraud them.
And, as we noted in the 2023 Bot Friday report, malicious bot activity is not exclusive to the Black Friday/Cyber Monday period. Threat actors may lay the foundation for fraudulent activity well before the holiday shopping season begins.
Phish ‘n’ Ships, the latest investigation from the Satori Threat Intelligence and Research team, embodies one of the classic rules of the internet: if it seems too good to be true, it probably is.
The fake product listings have disappeared from search results, and payment processors have removed the threat actors’ accounts from their platforms. So, Phish ‘n’ Ships has been disrupted by cutting off its supply of traffic, but it isn’t dead. The threat actors have adapted their tactics over the years this operation has been under way, and Satori researchers and the targeted payment processors are carefully monitoring for new evolutions.
To (mis)quote another axiom: it takes a village to disrupt cybercrime. HUMAN couldn’t have stopped Phish ‘n’ Ships on its own. Only with the active participation of HUMAN’s partners could a scheme like Phish ‘n’ Ships be curtailed. And efforts like those needed to stop Phish ‘n’ Ships demonstrate the value of responsible disclosure.
Briefly, responsible disclosure is the idea that cybersecurity researchers should share details of an investigation only after any organizations affected by the scheme have been debriefed and given an opportunity to respond. In the case of Phish ‘n’ Ships, Satori researchers took these actions:
The benefit of this approach is twofold: not only is no one blindsided by HUMAN’s research, but the force multiplier effect of joining forces with partners to eliminate threats makes the internet safer for consumers.
One final pearl of wisdom to take from the Phish ‘n’ Ships story: don’t believe everything you see. The bulk of the traffic to the fake web stores operated by the threat actors in this operation came from fake product listings that popped up in image searches. Glancing at the search results might suggest that all the items were equally real, and that it was merely a choice of which web store had the item in stock.
But as we’ve seen, not all search results are created equal. In the Phish ‘n’ Ships example, the fake product listings were boosted by SEO tactics that take advantage of the long legacy and legitimacy of the infected websites on which the listings were staged. Search results—even sponsored or paid ones—can be misleading or even dangerous if their provenance is unclear or suspicious.
As a general rule, consumers should remain quietly skeptical of too-good-to-be-true offers like those pushed by the Phish ‘n’ Ships actors. If it seems strange, don’t click.