Researchers: Gabi Cirlig, Inna Vasilyeva, Vikas Parthasarathy, Lindsay Kaye, Maor Elizen, Adam Sell
MITRE ATT&CK Framework: T1598, T1195, T1071.001, T1557, T1189
HUMAN’s Satori Threat Intelligence and Research team recently uncovered and disrupted a sprawling fraud operation centered on fake web shops that abuse digital payment providers to steal consumers’ money and credit card information. The threat, dubbed Phish ’n’ Ships, is made up of hundreds of fake web shops offering in-demand items.
The threat actors, whose internal tools used Simplified Chinese, drove traffic to these fake web shops by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer. When a consumer clicks on the item link, they’re redirected to another website, this one controlled by the threat actor. On this website, one of four targeted third-party payment processors collects credit card info and confirms a “purchase”, but the product never arrives.
This scheme, which Satori researchers trace back to 2019, has a massive impact; the threat actors infected more than 1,000 websites to create and promote fake product listings and built 121 fake web stores to trick consumers. Researchers estimate losses of tens of millions of dollars over the past five years, with hundreds of thousands of consumers victimized.
Phish ’n’ Ships remains an active and ongoing threat, but has been mostly disrupted through Satori’s disclosures and partners’ efforts:
This operation underscores the relationship between the digital advertising ecosystem and fraud. Without the threat actors’ staged fake organic and sponsored product listings, there would have been no traffic to the fake web stores and therefore, no fraud. A key takeaway from Phish ‘n’ Ships is that digital advertising can be dangerous, and consumers should exercise caution when clicking through to the next step in a digital journey.
Satori researchers proactively hunt for threats like Phish ‘n’ Ships to enhance the feedback loop between HUMAN’s threat intelligence capabilities and the Human Defense Platform. Identifying and exposing operations helps targeted industries, like financial services, grow their awareness of new and emerging fraud tactics and take appropriate countermeasures.
Phish ’n’ Ships is a complex fraud scheme that exploits websites, digital payment processors, and consumers hunting for in-demand items. The threat actors used multiple well-known vulnerabilities to infect a wide variety of websites and stage fake product listings that rose to the top of search results. Unsuspecting consumers who click on these fake product listings are redirected to a fake web store featuring the searched-for product, among others. The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout. And though the consumer’s money will move to the threat actor, the item will never arrive.
HUMAN has identified more than 1,000 infected websites hosting fake product listings and 121 fake web stores set up to defraud consumers and payment processors. Through consultations with the affected payment processors, Phish ’n’ Ships has been disrupted: the fake product listings which made up a key source of traffic to the fake web stores have disappeared from search results, and the threat actors’ accounts have been removed from the payment processor platforms.
The easiest way to understand the Phish ’n’ Ships threat is to take the part of a consumer. This scheme is at its most effective when the fake product listings feature items that are popular, but for a niche audience.
Here’s a diagram of the attack from the consumer’s perspective:
The attack begins with a consumer searching for a hard-to-get item. They click on a search result that was staged on a website infected by the threat actors, and wind up on a fake web store. Then, when they go to purchase the item, their payment card information is stolen by the threat actors, and the item never arrives.
Our example for this exercise is an oven mitt designed to resemble a wearable video game controller from the late 1980s.
In 2014, a designer launched a crowdfunding project to create and sell a silicone “Power Mitt Oven Glove,” with an aesthetic reminiscent of the much-maligned (but perhaps ahead of its time) Nintendo Power Glove from the late 1980s. The project performed well for a crowdfunding project of the era, reaching 167% of its fundraising goal, getting covered in mainstream tech media, and garnering numerous positive comments from satisfied purchasers. The product was reminiscent of—and inspired—similar offerings, all of which have been out of stock for years.
But those similar offerings suggest a continued demand for such a product, and home cooks who remember obscure video game controllers from the 1980s are still on the hunt for these mitts.
Various products presented on Google image search
Searching for them turns up several links about the original crowdfunding project, and delving deeper uncovers a search result that purports to have (a version of) the mitts on sale with free shipping.
One product listing pointing to an uncommon result
(Notice the watermarks on the image - one is for the designer of this version of the mitts and the other for a popular web store, neither of which correspond to the link for the item.)
It seems too good to be true: here’s the mitt, it’s on sale, and it’s got free shipping.
The natural next step is for the consumer to click through to the website to see if it’s legitimate. And on its face, the site seems a little off, but it’s not obviously fake:
Product listing for a power mitt on a fake web store
(Notice the website URL is different from the one presented in the search image.)
There are even customer reviews that would seem to suggest the shop is real:
Product reviews on the fake web store
These reviews would change from visit to visit, updating their publish dates and content to suggest frequent and recent buyer activity.
So if everything seems on the up and up, the item goes into the shopping cart and the checkout process begins. But here is where things get even fishier:
Shipping info collection without data validation (observe the phone number field)
The shipping information fields don’t have any data validation. Input validation is a standard feature on e-commerce platforms, so a website that doesn’t check that the data entered for a phone number is in the correct format is suspicious.
After completing the shipping info, the checkout process brings the consumer to a page for payment card entry.
Payment processor-powered checkout on fake web store
(Notice the LLC name at the top doesn’t correspond with either the website for the web store or the name of the company from the search image.)
Payment confirmed, money gone from the account… but no oven mitt. And what’s worse, depending on how the checkout was configured on that particular fake web store, the credit card information might have been captured, misused, or sold by the threat actors, too.
From a consumer’s perspective, it’s a case of stolen money, stolen payment card info (and PII, once you factor in the shipping information), and stolen dreams of taking cookies out of the oven with a niche video game controller-themed mitt.
Following that, many consumers will pursue a chargeback with the payment processor, shifting some of the financial impact of the fraud.
Satori researchers describe the Phish ’n’ Ships attack as occurring in four stages:
Infecting legitimate websites to stage fake product listings and using malicious search engine optimization (SEO) poisoning tactics to promote those listings
Redirecting search-based clicks on those listings
Transitioning to a fake web store controlled by the threat actors
Abusing payment processors during checkout (and/or capturing payment card information directly) via a distinct, registered web store operated by the threat actor
Here’s a diagram of the attack from the attacker’s perspective:
We’ll examine each stage in turn.
The threat actors behind Phish ’n’ Ships have infected thousands of legitimate websites with malicious scripts, with random names such as zenb.php or khyo.php. Satori researchers believe these infections are the result of various n-day vulnerabilities that enable the threat actors to upload files to the victimized websites. Several of the websites were found to contain a specific plugin, which had a vulnerability disclosed in 2023 and may have been the vulnerability used to launch the attack.
With this file, the threat actors can poison the infected website, creating fake product listings and appending metadata that helps these fake listings—which are really malicious files pretending to be product listings—rank highly on search results.
A collection of search results showing fake product listings on infected websites
As seen above, the infections also create image search results:
Image search result of fake product listing
An unsuspecting user who clicks on the link (either in the image search or on the web search) will trigger a script injection that redirects the user to a site controlled by the threat actors:
Injected script (note: this example references a different item)
Redirection to fake web store
Satori researchers believe the domains for these threat actor-controlled websites are randomly generated by a command-and-control (C2) server in an effort to avoid takedowns and other interruptions in the scheme.
The redirect script lands the user on one of several hundred fake web stores controlled by the threat actors. (A list of the domains for these fake web stores is available in the Indicators of Compromise section below.)
Fake web store
Each of the landing pages observed in this campaign contained one of two particular strings in the URL: “product.aspx?cname=<ID>” (visible in both the log data image and the web store screenshot above) or “product_details/<ID>.html”. This was a key pivot point for Satori researchers, who were able to uncover numerous associated fake web stores as a result. The fake web shops all point back to one of fourteen IP addresses, which are available in the Indicators of Compromise section below.
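To show how the URL pivot above can be turned into detection logic, here is an added example (not code from the HUMAN report): it scans constructed proxy-style log lines for requests matching the two reported landing-page URL patterns and reports the referring site, which in this campaign is the infected legitimate site that deserves follow-up. The log line format and all hostnames are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed log line format (an assumption, not from the report):
# <timestamp> <client_ip> <method> <url> <referer-or-dash>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def is_fake_store_landing(url: str) -> bool:
    """True if the URL matches a reported Phish 'n' Ships landing-page pattern:
    product.aspx?cname=<ID>  or  product_details/<ID>.html."""
    parts = urlsplit(url)
    if parts.path.endswith("/product.aspx"):
        # A bare product.aspx without the cname parameter is not the pattern.
        return "cname" in parse_qs(parts.query)
    return bool(re.search(r"/product_details/[^/]+\.html$", parts.path))


def find_redirect_chains(lines):
    """Return (client_ip, referer_host, landing_host, url) for each hit.

    The referer host is the site that sent the user to the fake store; in this
    campaign that is expected to be a compromised legitimate site, so it is a
    lead for an infection investigation, not just a domain to block."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, referer = m.groups()
        if not is_fake_store_landing(url):
            continue
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        hits.append((client, ref_host, urlsplit(url).hostname, url))
    return hits


# Constructed sample traffic; hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-10-01T12:00:01Z 10.0.0.5 GET https://legit-example.test/uploads/zenb.php?q=power+mitt https://www.google.com/
2024-10-01T12:00:02Z 10.0.0.5 GET https://fake-store.example/product.aspx?cname=pm-1701 https://legit-example.test/uploads/zenb.php
2024-10-01T12:05:10Z 10.0.0.9 GET https://shop.example/product_details/4481.html https://legit-example.test/blog/
2024-10-01T12:06:00Z 10.0.0.9 GET https://shop.example/product.aspx https://shop.example/
2024-10-01T12:07:00Z 10.0.0.7 GET https://news.example/article.html -
"""

if __name__ == "__main__":
    for client, ref, host, url in find_redirect_chains(SAMPLE_LOG.splitlines()):
        print(f"{client}: {ref or '(no referer)'} -> {host}  {url}")
```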
In the final step of the attack, the threat actors forward the consumers to a checkout page on a semi-legitimate website they own, creating an order using a POST submission:
Requests when an order is created
The order—on drewgiless[.]com in the screenshot above—is set up through a real payment provider. The web store hosting the order is associated with a registered company, underpinning the legitimacy of the web store with payment providers.
CreateOrder, one of the packets in the screenshot above, gives instructions to a payment processor gateway that collects the payment card information and relays it to the processor:
Packet comms associated with CreateOrder
This intermediate gateway step allows the threat actors to capture the user’s payment card information and log it on a central server under their control for later use. The user is then redirected to the final checkout screen managed by the payment processor:
Redirection to final checkout location
As noted above, the threat actors targeted several payment processors, and Satori researchers estimate the scheme racked up tens of millions of dollars in losses over the past five years.
The threat actors behind Phish ’n’ Ships had a variety of tools at their disposal to facilitate the operation. Some of the tools reflect the sophistication of the threat actors and their ability to wiggle through defenses to gain information. Others reflect legitimate tools used for malicious ends.
For instance, one of the IPs associated with the fake web shops exposed a list of items and their respective search volumes on a major retail website:
Trend data from major retailer, found on threat actor infrastructure
Satori researchers believe this list reflects product search trends and informs which products—like the power mitt from the example above—are used to create the fake listings. Researchers also believe this list is used to create the metadata that sends the fake product listings to the top of the search results.
Since the threat actors don’t actually have the items for which the fake listings are created, they also need corresponding images. For these, the threat actors use a simple bot to retrieve product images and monitor SEO data:
Simple SEO monitoring and image capture bot
The threat actors also diversified their cashout tools. In addition to the provider shown above, the threat actors abused multiple other payment providers:
Other examples of targeted payment processors
Finally, as the threat actors have adapted their approach over the years, they’ve begun collecting payment card information directly, skipping over the payment processors entirely:
Direct payment mechanism on some Phish ‘n’ Ships fake web stores
This approach allows the threat actors to capture the payment card info very easily:
Payment card information captured by Phish ‘n’ Ships threat actors
Researchers believe this is in response to payment processors removing threat actors from their ecosystems.
Though Phish ’n’ Ships remains an active threat, the operation has been partially disrupted through the work of HUMAN and its partners. Satori’s research and the independent research of some impacted organizations have led to specialized alerting that identifies schemes like Phish ‘n’ Ships before they can take root.
The fake product listings that make up a major source of traffic to the fake web stores have disappeared from Google’s search results as of October 2024. Researchers continue to monitor search results for new fake listings of several items which were used as bait in the scheme, and also continue to monitor the threat actors for new adaptations.
Satori researchers also debriefed payment processors that were targeted by the threat actors. These organizations have removed the Phish ’n’ Ships threat actors’ accounts from their respective platforms, limiting the scheme’s ability to cash out.
Finally, Satori researchers shared information about Phish ‘n’ Ships with select law enforcement agencies and the threat intelligence community.
These collaborative and private disruption efforts reflect the importance Satori places on responsible disclosure: before HUMAN publishes the details of any threat research, all the parties impacted by the threat receive a full debrief and the opportunity to contribute to the research and/or to the dismantling of the operation. Insights from Satori investigations are incorporated into the Human Defense Platform, protecting HUMAN customers from the impact of digital fraud and abuse throughout the customer journey.
The Phish ’n’ Ships operation was—and is—a complex series of interconnected attacks designed to exploit websites, search engines, payment processors, and the humans who simply want to get a good deal on a hard-to-find item. It’s also a cautionary tale reminiscent of one of the original “rules of the internet”: if something seems too good to be true (like finding a Power Mitt at 65% off with free shipping from a company you’ve never heard of), it very likely is.
The community’s collaborative efforts to disrupt the scheme are positive and meaningful, but they are not the final word on Phish ’n’ Ships. This threat may yet evolve again; its earliest iterations date back five years, and it’s unlikely the threat actors will pull the plug on their work without trying to find a new way to perpetuate their fraud. Vigilance will be required to scuttle Phish ’n’ Ships fully.
The Satori Threat Intelligence and Research team would like to acknowledge the work of Security Research Labs, whose BogusBazaar findings from May 2024 share some common infrastructure design and TTPs with Phish ’n’ Ships.
Satori would also like to thank the payment processors that worked closely with the researchers to identify and take action against the threat actors.