This 'Phish 'N' Ships' Steals 'Tens Of Millions Of Dollars' From Unsuspecting Online Shoppers


Who knew that a hot dish consisting of fried fish in batter, served with chips, could be so famous?

What's not to love? Fish 'n' Chips is a UK-origin cuisine that has sustained its popularity since the late 19th century. The government safeguarded the supply of the main ingredients during World War I, and later it was one of the few foods not subject to rationing during World War II, which made the dish even more popular.

On the internet, 'Phish 'n' Ships' is also gaining popularity, though for an infamous reason: it scammed millions of dollars from unsuspecting online shoppers.

The campaign was discovered by researchers at HUMAN Security, whose blog post detailed that it "fakes online shops to steal money and credit card information."

"HUMAN’s Satori Threat Intelligence and Research team recently uncovered and disrupted a sprawling fraud operation centered on fake web shops that abuse digital payment providers to steal consumers’ money and credit card information. The threat, dubbed Phish ’n’ Ships, is made up of hundreds of fake web shops offering in-demand items."

[Figure: A diagram of the Phish 'n' Ships campaign, seen from the consumer's perspective.]

The method of attack involves creating fake web shops by infecting legitimate websites with a malicious payload.

This payload lets the threat actors create fake product listings and add metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer.

Then, when unsuspecting web shoppers click on the item, they are redirected to another website, one that the malicious actors control.

On that fake website, one of four targeted third-party payment processors collects credit card info and confirms a "purchase."

Since the aim is to collect money and credit card details without offering any actual goods, unsuspecting shoppers will never receive the product they thought they purchased.

This scheme, according to the researchers, can be traced back to 2019. It has infected more than 1,000 websites to create and promote fake product listings, and built 121 fake web stores to trick consumers.

The researchers estimated the losses at a staggering tens of millions of dollars over the past five years, with hundreds of thousands of consumers victimized.

[Figure: A diagram of the Phish 'n' Ships campaign, seen from the attacker's perspective.]

Phish 'n' Ships is a complex fraud scheme that exploits websites, digital payment processors, and consumers hunting for in-demand items, and it remains an active and ongoing threat.

The scheme worked because the threat actors used multiple well-known vulnerabilities to infect a wide variety of websites and stage fake product listings that rose to the top of search results.

Fortunately, the campaign has been mostly disrupted.

Efforts so far include debriefing the payment processors impacted by Phish 'n' Ships, and the threat actors' accounts have been removed from those platforms. As the threat actors are forced to look for new methods, their fake product listings have slowly disappeared from internet search results.

Researchers have also debriefed the threat intelligence community and shared information about the threat actors that architected the scheme with law enforcement.

"This operation underscores the relationship between the digital advertising ecosystem and fraud. Without the threat actors’ staged fake organic and sponsored product listings, there would have been no traffic to the fake web stores and therefore, no fraud. A key takeaway from Phish 'n' Ships is that digital advertising can be dangerous, and consumers should exercise caution when clicking through to the next step in a digital journey," the researchers said.

Published: 05/11/2024