Mass registration of fake online shops originates from China

A new campaign uses mass registration of fake online shop domains to impersonate legitimate retailers, facilitate financial fraud, and in certain instances, distribute malware through counterfeit checkout systems and redirect payloads.
Identified by the research division of BforeAI, the campaign shows, in its registration and DNS telemetry, a well-structured operation with distinct clusters, primarily originating from Chinese infrastructure providers and using domain privacy services to obscure attribution.
The research analyzed 244 domains registered this year and finds over 50 percent of the WHOIS entries use privacy-protection or redacted fields. West263 and Dynadot dominate among China-based registrants, both being previously flagged for recurring abuse in similar retail-themed phishing operations. There’s a subset of domains that lists US or EU locations but resolves to Chinese ASNs, revealing fraudulent WHOIS entries.
Analysis also shows clear subnet overlaps, indicating the same hosting blocks being reused for new clusters every few weeks. While some use Cloudflare fronting to hide real origin IPs, backend ASN metadata consistently leads to Chinese or Hong Kong infrastructure.
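The three signals described above (the share of privacy-protected or redacted WHOIS records, WHOIS-claimed locations that disagree with the country of the resolving ASN, and the same /24 hosting blocks reappearing across domains) can be applied to a batch of suspect domains in a few lines of triage code. The following is an added example, not code from BforeAI or from the report; the domains, registrars, IPs and ASNs are constructed sample data (RFC 5737 documentation addresses and RFC 5398 documentation ASNs), standing in for records that in practice would come from WHOIS and DNS/ASN lookups.

```python
"""
Triage of a batch of suspected fake-shop domains using three signals:
WHOIS privacy/redaction rate, mismatch between the WHOIS-claimed country
and the country of the resolving ASN, and reuse of the same /24 hosting
blocks across domains.

All domains, IPs, ASNs and registrars below are constructed sample data
(RFC 5737 documentation addresses, RFC 5398 documentation ASNs, placeholder
domain names); they are not indicators from the BforeAI report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class DomainRecord:
    domain: str
    registrar: str
    whois_country: Optional[str]  # None when the registrant fields are redacted
    privacy_protected: bool
    resolved_ip: str              # origin IP behind any CDN fronting
    asn: int
    asn_country: str              # country the ASN metadata places the block in


# Constructed sample batch (hypothetical names, documentation IPs/ASNs).
SAMPLE = [
    DomainRecord("brand-outlet-sale.example", "RegistrarA", None, True, "203.0.113.10", 64496, "CN"),
    DomainRecord("brand-clearance.example", "RegistrarA", "US", False, "203.0.113.25", 64496, "CN"),
    DomainRecord("brand-deals-2025.example", "RegistrarB", None, True, "198.51.100.7", 64497, "HK"),
    DomainRecord("brand-shop-eu.example", "RegistrarB", "DE", False, "198.51.100.90", 64497, "HK"),
    DomainRecord("legit-partner.example", "RegistrarC", "US", False, "192.0.2.44", 64498, "US"),
]


def privacy_ratio(records):
    """Share of domains whose WHOIS registrant data is privacy-protected or redacted."""
    if not records:
        return 0.0
    hidden = sum(1 for r in records if r.privacy_protected or r.whois_country is None)
    return hidden / len(records)


def whois_asn_mismatches(records):
    """Domains that claim a registrant country different from their ASN's country."""
    return [r.domain for r in records
            if r.whois_country is not None and r.whois_country != r.asn_country]


def subnet_clusters(records, prefixlen=24):
    """Group domains by the /24 their origin IP sits in; clusters of >1 show block reuse."""
    groups = defaultdict(list)
    for r in records:
        net = ipaddress.ip_network(f"{r.resolved_ip}/{prefixlen}", strict=False)
        groups[str(net)].append(r.domain)
    return {net: doms for net, doms in groups.items() if len(doms) > 1}


def registrar_counts(records):
    """How many domains in the batch each registrar accounts for."""
    counts = defaultdict(int)
    for r in records:
        counts[r.registrar] += 1
    return dict(counts)


if __name__ == "__main__":
    print(f"privacy/redacted WHOIS: {privacy_ratio(SAMPLE):.0%}")
    print("WHOIS/ASN country mismatches:", whois_asn_mismatches(SAMPLE))
    for net, doms in subnet_clusters(SAMPLE).items():
        print(f"shared hosting block {net}: {doms}")
    print("registrar breakdown:", registrar_counts(SAMPLE))
```

Each function returns its finding rather than only printing it, so the same checks can feed a blocklist workflow or a takedown request once the records are populated from real lookups. The subnet grouping deliberately uses the origin IP, not a CDN edge address, since fronting would otherwise collapse unrelated domains into the CDN's ranges.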
Well-known brands being impersonated include fashion site Mango, with promotion of fake sales designed to trick unsuspecting shoppers.
The report’s authors conclude, “This campaign demonstrates a highly organized infrastructure-as-a-service model supporting fake online stores at scale. The coordination across registrars, DNS providers, and hosting ASNs suggests a dedicated operation with financial and possibly state-linked fraud motives.”
BforeAI has engaged with registries and hosting networks to ensure the bulk of these domains are now suspended or non-resolving, but vigilance remains essential given the persistence of the attackers.
You can find out more on the BforeAI site.
Image credit: champlifezy/depositphotos.com
