Man
Satori researchers have uncovered a major phishing campaign called Phish n' Ships, which has been active since at least 2019 and has resulted in the theft of tens of millions of dollars from customers of more than 1,000 compromised and 120 fake online stores.
The fraudulent scheme involved luring buyers in and then scamming them into paying for non-existent goods, as well as harvesting their financial data.
Unsuspecting users who fell for bait ads were redirected to a network of hundreds of fictitious online stores, which stole their personal data and money while shipping nothing in return.
According to the Satori group, hundreds of thousands of consumers were affected, and the damage could reach tens of millions of dollars.
The attack begins by infecting legitimate sites with malicious scripts, using known vulnerabilities (n-days), misconfigurations, or compromised administrator credentials.
After hacking a site, the attackers upload scripts with inconspicuous names such as "zenb.php" and "khyo.php", which they use to create non-existent product categories that are then pushed up in Google search through SEO optimization.
When victims click on these links, they are redirected to fraudulent sites, often mimicking the interface of the compromised online store or using a similar design.
According to Satori researchers, all of these fake stores are tied to a network of fourteen IP addresses, and all of them contain a specific string in the URL that allows them to be identified.
An attempt to buy the product of interest leads to the theft of the information the victim enters into the order form, and the payment is made through a semi-legitimate payment processor account controlled by the attacker.
As a result, no product is ever purchased, and the victim loses both money and financial data.
Over the past five years, Phish n' Ships has used several payment service providers to cash out, and more recently the operators have built their own payment mechanism to steal the victim's credit card details directly.
HUMAN, together with partners, dismantled every link in the Phish n' Ships chain, from Google search results to cash-out, but this is unlikely to stop such a sophisticated attacker for long.
Source
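The report above gives a store operator three concrete things to hunt for: oddly named PHP files dropped into the web root, access-log hits to those files, and product-category links that redirect off-site to hosts on the fake-store infrastructure. The following script is an added example written for this post, not code from Satori or HUMAN. It assumes a WordPress/WooCommerce-style directory layout, uses placeholder values for the fake-store IP set and the identifying URL string (the report does not publish them), and works on a constructed file listing, constructed Apache combined-format log lines and a constructed redirect chain so that it runs offline.

```python
"""Hunt for Phish n' Ships-style indicators on a web host (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumptions for this example: WordPress-style layout, placeholder IPs and marker.
WEB_ROOT = "/var/www/html"
EXPECTED_PHP_DIRS = tuple(
    f"{WEB_ROOT}/{d}/"
    for d in ("wp-admin", "wp-includes", "wp-content/plugins", "wp-content/themes")
)
ALLOWED_ROOT_PHP = {"index.php", "xmlrpc.php"}      # legitimate short names at the root
SHORT_RANDOM_PHP = re.compile(r"^[a-z]{3,6}\.php$")  # matches names like zenb.php, khyo.php
SITE_HOST = "shop.example.com"                       # the store being checked (assumed)
FAKE_STORE_IPS = {"192.0.2.10", "192.0.2.11"}        # placeholder, not the real fourteen
URL_MARKER = "/go/"                                  # placeholder for the identifying string


def suspicious_php_files(listing):
    """listing: iterable of (absolute_path, mtime). Returns flagged paths, newest first.

    Flags any PHP file under wp-content/uploads (a CMS never needs one there) and any
    short, random-looking PHP name outside the CMS's own code directories.
    """
    flagged = []
    for path, mtime in listing:
        if not path.endswith(".php"):
            continue
        name = path.rsplit("/", 1)[-1]
        in_uploads = path.startswith(f"{WEB_ROOT}/wp-content/uploads/")
        odd_name = (
            SHORT_RANDOM_PHP.match(name) is not None
            and not path.startswith(EXPECTED_PHP_DIRS)
            and name not in ALLOWED_ROOT_PHP
        )
        if in_uploads or odd_name:
            flagged.append((mtime, path))
    return [p for _, p in sorted(flagged, reverse=True)]


# Apache combined log format: client, identd, user, [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def script_hits(log_lines, flagged_paths):
    """Count requests to the flagged scripts as (client_ip, method, path) -> hits."""
    names = {p.rsplit("/", 1)[-1] for p in flagged_paths}
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req_path = urlparse(m["path"]).path          # drop the query string
        if req_path.rsplit("/", 1)[-1] in names:
            hits[(m["ip"], m["method"], req_path)] += 1
    return hits


def classify_chain(hops):
    """hops: list of (url, resolved_ip) for each redirect step, starting on SITE_HOST.

    'fake-store' when the chain leaves SITE_HOST and lands on a known fake-store IP or
    a URL carrying the marker string; 'external' when it merely leaves the site;
    'internal' otherwise.
    """
    verdict = "internal"
    for url, ip in hops:
        host = urlparse(url).hostname or ""
        if host == SITE_HOST:
            continue
        verdict = "external"
        if ip in FAKE_STORE_IPS or URL_MARKER in url:
            return "fake-store"
    return verdict


# Constructed sample data for the example (not real artefacts from the campaign).
LISTING = [
    (f"{WEB_ROOT}/index.php", 1_690_000_000),
    (f"{WEB_ROOT}/wp-includes/load.php", 1_690_000_000),
    (f"{WEB_ROOT}/wp-content/uploads/2024/10/zenb.php", 1_728_700_000),
    (f"{WEB_ROOT}/khyo.php", 1_728_710_000),
]
LOG_LINES = [
    '203.0.113.5 - - [12/Oct/2024:10:15:01 +0000] "POST /khyo.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2024:10:15:09 +0000] "GET /wp-content/uploads/2024/10/zenb.php?c=add HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Oct/2024:10:16:22 +0000] "GET /product-category/clearance-deals/ HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"',
]
CHAIN = [  # a shopper follows the SEO'd category link and is bounced to the fake store
    ("https://shop.example.com/product-category/clearance-deals/", "203.0.113.80"),
    ("https://deals-outlet.example/go/?ref=shop", "192.0.2.10"),
]


def run():
    files = suspicious_php_files(LISTING)
    return files, script_hits(LOG_LINES, files), classify_chain(CHAIN)


if __name__ == "__main__":
    files, hits, verdict = run()
    print("flagged files:", files)
    print("hits on flagged scripts:", dict(hits))
    print("redirect chain verdict:", verdict)
```

On a live host the listing would come from `os.walk` over the web root, the log lines from the access log, and the chain from following the category URL with redirects enabled and resolving each hop's hostname; the three checks are independent, so a hit on any one of them is reason to pull the site offline and rotate the administrator credentials the report names as one entry vector.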