Security awareness

Fake shopping stores: A real and dangerous threat

Pedro Tavares
May 26, 2022 by
Pedro Tavares

Nowadays, fake websites that impersonate popular brands are a dangerous threat in this modern digital era. These fake shopping stores are tricking users into visiting and buying products promoted with ridiculous and unreal discounts. 

According to the Segurança-Informática publication, fake online stores impact internet end-users from different countries, including Portugal, France, Spain, Italy, Chile, Mexico and Columbia.

Although several campaigns of this line are ongoing, the one described in this article has been active since 2020 and gained momentum in early 2022.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

As observed in Figure 1, a new campaign typically starts with social media ads such as Google ads, Facebook and Instagram. Criminals abuse specific keywords to trick victims into visiting fake shopping stores hosted on specific URLs impersonating legitimate ones. [CLICK IMAGES TO ENLARGE]

Figure 1: High-level diagram of fake shopping stores threat (source).

Technical details

Criminals use a static CMS, and part of the source code is available on GitHub. As can be seen, many pages can be identified and matched with the pages of the online stores. The code and page names are the same — a clear sign this template is used to spawn massive campaigns in the wild.

Figure 2: Part of static code available on GitHub repository (source).

The platform relies on a PHP API that communicates with a MySQL cluster in the background. The databases are populated according to the target audience and their native language and keep the entire process, from the moment the user puts the item on the basket until the package’s tracking and payment validation. In detail, the user can also contact the page support, consult its order status, change personal data, address and so on; a process very similar to the legitimate ones.

Figure 3 presents a screenshot of a specific brand targeted and disseminated in Portugal by criminals. As highlighted, the discount on the products is up 79% — undoubtedly fake.

Figure 3: Fake template with discount until 79% and part of the PHP API used to communicate with the MySQL cluster in the background (source).

An exciting part of this malicious scheme is that the criminals have developed their own tracking system. This platform is powered through the API of a legitimate application, which means a real package is actually carried out to the victim’s address.

A specific and malicious platform ( is created to control all the tracking processes. This fake platform takes advantage of the legitimate API to exhibit the tracking details presented below,” says Segurança-Informática.

Figure 4: Tracking system developed by criminals and sent to the victim email when the payment process is completed (source).

The analyzed orders are always sent from China, maybe revealing the origin of the cybercriminals behind the scam. 

According to the victims’ complaints, a package often arrives at the victim’s address, but no clothes inside, only a lot of junk.

Figure 5: Emails sent by victims to the fake online stores complaining about the orders and received packages (source).

Scam by numbers

From the analysis of 227 stores, it is observed a total of 1,511,674 euros was spent by victims from different countries such as Italy, France, Portugal, Mexico, Chile, Spain, Columbia, USA and more. Italy is the most affected country, with a total of 1,033,011 euros. This reveals a significant amount of money compared to other countries — which denotes the motivation of the criminals behind the massive campaign worldwide. 

Figure 6: Total money spent and grouped by country (source).

Segurança-Informática mentioned that criminals had captured sensitive data from thousands of users in the 227 stores under analysis. In addition to full names and addresses, their phone numbers, emails and passwords were observed.

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

In that way, a leak checker tool was developed. This tool can be used by the victims of this scam and users, in general, to validate if their secrets have fallen into the criminals’ tentacles. Also, pointing out criminals are using data collected in these campaigns to conduct spearphishing waves and, thus, exposing real data (PII) in the messages to lure victims.

Staying safe while shopping online 

Online scams and social engineering schemas are an emerging threat and part of our digital life these days. Although there is no magic formula to fight cyber threats in general, the starting point to mitigate the risk and impact of a well-succeeded campaign is related to the users’ awareness.

In this sense, suspicious links and promotions that are not comparable with other brands of the same line are the reason to put the victim on alert. Therefore, empowering users with specific training for online threats, including phishing and malware, is a step ahead of decreasing the impact of these malicious schemas in this digital era.

Pedro Tavares
Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.