Full Report
The campaign uses thousands of phishing websites that mimic the design and product listings of retailers like Apple, Nordstrom and Hermes to trick people into entering their credit card information.
Analysis Summary
# Tool/Technique: Retail Phishing/Fake Marketplace Infrastructure
## Overview
A sprawling network of fraudulent retail websites impersonating major global brands (e.g., Apple, PayPal, Nordstrom, Hermes, Michael Kors), designed to steal payment card data from online shoppers. The operation uses convincing scraped content and malicious checkout flows to trick victims into submitting credit card details for orders that are never fulfilled.
## Technical Details
- Type: Technique (Phishing/Fraudulent E-commerce)
- Platform: Web/E-commerce Platforms (targeting English and Spanish-speaking users globally)
- Capabilities: Website impersonation, payment data harvesting, integration of legitimate third-party widgets (like Google Pay) to enhance perceived legitimacy.
- First Seen: Flagged in May (of the current reporting period).
## MITRE ATT&CK Mapping
No specific TTPs are detailed for the *infrastructure*, but the primary activity maps to **Collection** and **Impact**.
- **TA0009 - Collection**
  - T1588 - Obtain Capabilities (if the infrastructure was purchased or built via external means)
- **TA0011 - Collection** (more relevant for data exfiltration, though implied)
  - T1560 - Archive Collected Data (implied data storage before exfiltration)
- **TA0001 - Initial Access** (if users are actively directed via malicious links or SEO manipulation)
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (less likely, but possible via direct communication)

*Note: The technique of building fraudulent sites primarily matches T1583.001 (Acquire Infrastructure: Domains) and T1583.003 (Acquire Infrastructure: Websites) under the Adversary Infrastructure tactic, focused on setting up the front-end operation.*
## Functionality
### Core Capabilities
- **Brand Impersonation:** Creating highly convincing visual copies of legitimate retailer websites using scraped product listings.
- **Payment Data Harvesting:** Capturing credit card information entered by users during the fake checkout process.
- **Credibility Enhancement:** Utilizing legitimate elements, such as integrated Google Pay widgets, to convince users the transaction is real.
### Advanced Features
- **Scale and Persistence:** Maintaining thousands of active phishing sites across multiple countries simultaneously, despite ongoing takedowns.
- **Language Support:** Targeting both English and Spanish-speaking demographics.
- **Infrastructure Clues:** Technical indicators (like code containing Chinese-language terms) suggest the involvement of sophisticated actors, possibly based in China.
## Indicators of Compromise
- File Hashes: [N/A - Infrastructure/Website focused]
- File Names: [N/A - Focus is on live web pages]
- Registry Keys: [N/A]
- Network Indicators: [N/A - Specific domains/servers are not listed, but are implied to change frequently]
- Behavioral Indicators: Users being unexpectedly redirected to third-party retail sites; seemingly genuine checkout flows after which no goods are delivered once payment has been submitted.
## Associated Threat Actors
- Unattributed.
- Technical indicators suggest potential involvement of cybercriminals based in **China**.
## Detection Methods
- Signature-based detection: [Not detailed, typically handled via domain/URL blacklisting.]
- Behavioral detection: [Monitoring for new domains using high-value brand names in their paths or subdomains. Observing unusual checkout processes that lack proper secure connection validation or redirect patterns post-submission.]
- YARA rules: [N/A]
## Mitigation Strategies
- **User Education:** Training users to verify domain authenticity, especially when submitting financial details, by checking SSL certificates and using trusted bookmarks.
- **Proactive Takedowns:** Collaboration between brands, hosting providers, and security firms to quickly identify and remove fraudulent domains.
- **Brand Monitoring:** Continuous monitoring for cybersquatting and lookalike domains targeting the brand name.
- **Payment System Hardening:** Utilizing additional authentication layers (like 3D Secure) for online payments where possible.
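Since the report names no domains, the following added example (not from the report or any vendor tool) shows the brand-monitoring heuristics from the Detection Methods and Brand Monitoring items above applied to constructed URLs: the brand names come from the report, while the allowlist of legitimate domains, the character-folding table and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit
# Brands named in the report; the legitimate-domain allowlist is an assumption for this example.
BRANDS = {"apple": {"apple.com"}, "paypal": {"paypal.com"}, "nordstrom": {"nordstrom.com"},
          "hermes": {"hermes.com"}, "michaelkors": {"michaelkors.com"}}
# Digit and separator substitutions common in lookalike names, folded away before matching.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})
# Constructed sample URLs, as they might arrive from a new-domain feed or proxy logs.
SAMPLE_URLS = [
    "https://www.apple.com/shop",
    "https://secure.paypal.com.login-verify.example/signin",
    "http://n0rdstrom-outlet.example/sale",
    "https://hermess.example/bags",
    "https://cheap-deals.example/michael-kors/bags",
    "https://news.example/",
]
def registrable_domain(host):
    """Last two labels of the host (simplification: no public-suffix list is consulted)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats such as hermess."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, brand); verdicts: legitimate, lookalike-domain, brand-in-subdomain, brand-in-path, unknown."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    sld = reg.split(".")[0].translate(FOLD)   # "n0rdstrom-outlet" -> "nordstromoutlet"
    sub = host[: -len(reg)].translate(FOLD)   # labels to the left of the registrable domain
    path = parts.path.lower().translate(FOLD)
    for brand, legit in BRANDS.items():
        if reg in legit:
            return "legitimate", brand
        if brand in sld or edit_distance(sld, brand) <= 1:
            return "lookalike-domain", brand
        if brand in sub:
            return "brand-in-subdomain", brand
        if brand in path:
            return "brand-in-path", brand
    return "unknown", None
def scan(urls=SAMPLE_URLS):
    """Pair each URL with its verdict so flagged entries can be queued for takedown review."""
    return [(url, *classify(url)) for url in urls]
```

The containment check deliberately errs toward false positives (a generic word that happens to contain a brand name will be flagged), which is the usual trade-off for a triage feed that a human reviews before a takedown request.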
## Related Tools/Techniques
- Traditional Phishing Campaigns
- E-Skimming / Magecart operations (as the data is harvested at the point of entry)
- Domain Generation Algorithms (Implied for rapidly standing up new sites)