Thousands of E-Stores Hacked to Show Fake Product Listings
In a major discovery, cybersecurity firm HUMAN Security has uncovered a sophisticated phishing campaign, dubbed “Phish n’ Ships”. This elaborate scheme targeted over 1,000 legitimate e-commerce websites, leading to estimated losses of tens of millions of dollars. Active since at least 2019, it has impacted hundreds of thousands of online shoppers, especially those seeking niche or hard-to-find products.
The scam, revealed by HUMAN’s Satori Threat Intelligence and Research team, exploits known vulnerabilities, misconfigurations, or compromised admin credentials to insert malicious scripts into legitimate sites. These scripts create deceptive product listings that rank prominently in search engine results, a tactic known as SEO poisoning.
Clicking on these links redirects unsuspecting consumers to counterfeit stores under the attackers' control. “Phish n’ Ships is especially devious because it stole tens of millions of dollars from unsuspecting consumers hunting for hard-to-find items,” noted Gavin Reid, Chief Information Security Officer at HUMAN.
The malicious web stores replicate legitimate shopping experiences, complete with a checkout process that collects payment card details. However, no products are ever shipped despite payment, and consumers’ sensitive financial data is captured. According to the report by BleepingComputer, the campaign used multiple payment processors to rake in profits.
Adding to the complexity, the cybercriminals used Simplified Chinese in their internal tools, indicating possible links to actors operating from mainland China.
HUMAN and its partners have since worked with payment processors and law enforcement, notifying them so that the scheme could be disrupted. This joint effort led to the removal of fraudulent listings from search engines and the suspension of malicious payment accounts, yet the Phish n’ Ships operation remains a persistent threat.
“Phish ‘n’ Ships underscores the value across the entire customer journey of a unified approach to digital fraud and abuse,” said Lindsay Kaye, Vice President of Threat Intelligence at HUMAN. Though authorities have made headway, the attackers will likely continue searching for new vulnerabilities.
Cybersecurity experts urge consumers to stay vigilant when shopping online, especially during the holiday season. Shoppers should verify URLs, scrutinize unfamiliar redirects, and report suspicious transactions promptly.