How the Scam Works
The sophisticated operation, first detected in October 2024, primarily targets customers of major retailers including IKEA, L.L.Bean, North Face, and Wayfair. The fraudsters create deceptive domains using common shopping-related extensions like .shop, .store, and .vip, often incorporating slight misspellings of legitimate brand names to trick unsuspecting consumers.

- Automatic language adaptation using Google Translate based on visitor location
- Implementation of tracking tools including OpenReplay and social media pixels
- Integration with Stripe payment processing to appear legitimate
- Collection of phone numbers for potential follow-up scam attempts via SMS or voice calls
The Broader Threat Landscape
This campaign isn’t operating in isolation. Security firms have identified another major fraud operation dubbed “Phish ‘n’ Ships” that has been active since 2019. This separate scheme has compromised over 1,000 legitimate websites, using black hat SEO techniques to promote fake product listings and steal financial information.
Warning Signs and Impact
The phishing websites typically advertise unusually steep discounts to lure shoppers. While appearing to process payments through legitimate channels, these sites actually harvest sensitive information including:
- Credit card details
- Personal identification information
- Two-factor authentication codes
- Phone numbers for future scam attempts
Protecting Yourself
To avoid falling victim to these scams, shoppers should:
- Verify website URLs carefully, especially during major shopping events
- Be suspicious of unrealistic discounts
- Double-check the domain extension (.com vs .shop, .store, etc.)
- Use official retailer apps or bookmark legitimate websites
- Never provide 2FA codes to shopping websites
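
Security teams can automate the URL and domain-extension checks above for mail filters or proxy logs. The Python sketch below is an added example, not part of the original report: it flags hostnames that pair one of the article's shopping extensions with a brand name, a slight misspelling of it, or the brand plus an extra keyword. The official-domain allowlist and every sample hostname are assumptions made for illustration.

```python
# Added example: flag lookalike retail domains of the kind the article describes.
# Brands and TLDs come from the article; OFFICIAL and all sample hostnames are assumptions.
BRANDS = ["ikea", "llbean", "northface", "wayfair"]
SUSPECT_TLDS = {"shop", "store", "vip"}
OFFICIAL = {"ikea.com", "llbean.com", "thenorthface.com", "wayfair.com"}


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, swap of adjacent letters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition, e.g. "ia" for "ai"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(hostname):
    """Return (brand, reason) for a suspicious hostname, or None.

    Assumes the registered name is the label just before the TLD
    (no public-suffix handling such as .co.uk).
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in OFFICIAL:
        return None
    if labels[-1] not in SUSPECT_TLDS:
        return None  # tuning choice: only the TLDs named in the article
    name = labels[-2].replace("-", "")  # "north-face" -> "northface"
    for brand in BRANDS:
        dist = edit_distance(name, brand)
        if dist == 0:
            return (brand, "exact brand on shopping TLD")
        if dist <= (2 if len(brand) >= 8 else 1):
            return (brand, "misspelling")
        # Prefix/suffix only: a plain substring test would flag
        # "bikeaccessories" because it happens to contain "ikea".
        if name.startswith(brand) or name.endswith(brand):
            return (brand, "brand plus keyword")
    return None


if __name__ == "__main__":
    for host in ["ikeaa.shop", "wayfiar.store", "north-face.vip",
                 "llbean-outlet.shop", "bikeaccessories.shop", "www.wayfair.com"]:
        print(f"{host:24} {classify(host)}")
```

Short brand names produce false positives at an edit distance of 1, so treat a hit as a reason to review the domain rather than as a verdict.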





