Multiple E-commerce Stores Found Being Targeted Since 2020

About the campaign

• Active since 2020, the campaign is a work of cybercriminal gangs from China.
• According to Seguranca Informatica, the campaign has targeted around 617 online stores located in Portugal, France, Spain, Italy, Chile, Mexico, Columbia, among others.
• Out of the 617 active shopping platforms, 562 are created only in 2022. 
• The servers are located in three countries: the U.S, the Netherlands, and Turkey.

Modus operandi

• A campaign typically starts with threat actors hijacking Google search results and setting up their malicious domain to be shown at the top through Google Ads.  
• In some cases, social media platforms such as Facebook and Instagram were also observed being used to boost their ads. 
• Once users land on these fake pages, they are asked to share their personal details which can be utilized later by criminals to launch other kinds of campaigns.
• Among the data that is stolen from victims includes full names, complete addresses, phone numbers, email addresses, passwords, credit card information, and details about the order and tracking code of the package.

Other noteworthy points

• Researchers note that the content in the malicious websites - clones of the official stores - are based on a static Content Management System (CMS) and a PHP API that connects with a MySQL cluster in the background. 
• Each website is made on a generic platform where small tweaks of images and templates would allow the reuse of code for different online stores. 
• The middleware systems are used for establishing communication between the online store and the payment gateway (where victims add credit card numbers, expiry dates, and CVV codes).
• In addition, the package tracking platform is created in such a manner that users will be able to track the status of their placed order but in the end, will receive nothing.

Final thoughts