A phishing initiative known as ‘Phish n’ Ships’ has been active since at least 2019, compromising more than a thousand legitimate online retailers to advertise counterfeit product listings for rare items. Users who unknowingly click on these listings are redirected to a vast network of fraudulent websites that illicitly gather their personal information and financial resources without delivering any products. The Satori Threat Intelligence team at HUMAN, which identified the Phish n’ Ships campaign, reports that it has affected hundreds of thousands of consumers, resulting in estimated financial losses amounting to tens of millions of dollars.
The Phish n’ Ships operation
The attack initiates by compromising legitimate websites through the injection of malicious scripts, taking advantage of known vulnerabilities (n-days), misconfigurations, or compromised administrative credentials. Once a website is breached, the attackers discreetly upload scripts with innocuous names such as “zenb.php” and “khyo.php,” which facilitate the creation of counterfeit product listings. These listings are equipped with SEO-optimized metadata to enhance their visibility in Google search results, thereby attracting potential victims.
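As an added example that is not part of HUMAN's report or tooling, the following Python snippet shows one way a site operator could catch dropped scripts like the ones described above: take a hash baseline of the PHP files under the web root, then report anything that has appeared or changed since. The toy web root, its file contents and the simulated compromise (the dropped "zenb.php" and "khyo.php" and an edited index.php) are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(webroot: str, exts=(".php", ".phtml")) -> dict[str, str]:
    """Map each server-side script under webroot (relative path) to its SHA-256."""
    root = Path(webroot)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report scripts that were added, modified or removed since the baseline was taken.

    A newly appeared script with an innocuous name (the campaign's "zenb.php" /
    "khyo.php" pattern) shows up under "added"; an injected include in an
    existing file shows up under "modified".
    """
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean toy site, then simulate the compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "inc").mkdir()
        (root / "inc" / "cart.php").write_text("<?php // cart logic ?>")
        baseline = build_manifest(tmp)
        # Simulated compromise: two dropped scripts plus an edit to index.php
        (root / "zenb.php").write_text("<?php /* dropped script */ ?>")
        (root / "inc" / "khyo.php").write_text("<?php /* dropped script */ ?>")
        (root / "index.php").write_text("<?php echo 'shop'; include 'zenb.php'; ?>")
        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be stored off-host (or signed), since an attacker with write access to the web root could otherwise update it along with the dropped files.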
When individuals click on these deceptive links, they are redirected through a series of steps that ultimately land on fraudulent websites, which often replicate the appearance of the compromised online store or employ a similar design aesthetic. According to Satori researchers, all of these counterfeit shops are hosted on a network of fourteen IP addresses, and each shop's URL contains a specific string that allows it to be identified.
Attempting to purchase an item from one of these fraudulent shops takes the victim through a counterfeit checkout process that is designed to look legitimate but performs no validation of the entered data, a telltale sign of fraud. The malicious websites capture the information that victims type into the order fields, including credit card details, and process the payment through a semi-legitimate payment processor account controlled by the attackers. The purchased items are never delivered, so victims lose both their money and their personal information.
Satori has reported that over the five years of operation for Phish n’ Ships, the threat actors have exploited multiple payment providers to withdraw the proceeds from their scam. More recently, they have adapted their tactics by implementing a payment mechanism on some of the counterfeit e-shop sites, allowing them to directly capture victims’ credit card information.
Campaign disrupted
HUMAN, in collaboration with its partners, orchestrated a response to the Phish n’ Ships incident, notifying numerous affected organizations and reporting the fraudulent listings to Google for removal.
As of this writing, the majority of harmful search results have been eliminated, and nearly all identified fraudulent shops have been taken offline. Additionally, payment processors that enabled cashouts for the perpetrators have been duly informed and have removed the offending accounts from their platforms, thereby significantly hindering the threat actors’ capacity to generate revenue.
Nevertheless, these threat actors may adapt to the disruption caused. While Satori continues to monitor for any resurgence in activity, it is improbable that they will cease their efforts to establish a new network for defrauding shoppers.
Consumers are advised to remain vigilant for any unusual redirects while browsing e-commerce sites, ensure they are on the correct shop URL when making purchases, and promptly report any fraudulent charges to their banks and relevant authorities.