Keypoints
- Phish ’n’ Ships staged fake product listings on compromised legitimate websites to capture search traffic for in-demand items.
- Researchers attribute infections of more than 1,000 websites and the creation of 121 fake web stores to the operation.
- Threat actors redirected users from poisoned search results to attacker-controlled stores and abused multiple payment processors during checkout.
- Satori’s disclosures and partner actions removed many fake listings from search results and led to the removal of attacker accounts from payment platforms.
- Estimated losses over five years total tens of millions of dollars, with hundreds of thousands of consumers affected.
- Key indicators include malicious PHP files (e.g., zenb.php), URL patterns like product.aspx?cname=, and infrastructure tied to multiple C2 IP addresses.
MITRE Techniques
- [T1071/001] Command and Control (Web Protocol) – Threat actors used randomly generated domains and C2 infrastructure to host and rotate attacker-controlled sites (‘domains for these threat actor-controlled websites are randomly generated by a command-and-control (C2) server’).
- [T1598] Phishing – Deceptive product listings and fake web shops were used to lure consumers into entering payment data (‘fake web shops … to steal consumers’ money and credit card information’).
- [T1195] Malicious Code – Malicious payloads and scripts were injected into legitimate websites to create fake product listings and manipulate search metadata (‘infecting legitimate websites with a malicious payload’).
- [T1557] Credential Dumping – The campaign captured payment and checkout credentials via intermediary gateways or direct collection during the checkout process (‘one of four targeted third-party payment processors collects credit card info and confirms a “purchase”’).
- [T1189] Exploitation of Public-Facing Applications – Actors exploited known n-day vulnerabilities in web plugins and other public-facing apps to upload malicious files and stage listings (‘using multiple well-known vulnerabilities to infect a wide variety of websites’).
Indicators of Compromise
- [File names] Infection artifacts on compromised sites – zenb.php, khyo.php
- [URL patterns] Fake listing/page identifiers used for discovery – product.aspx?cname=<ID>, product_details/<ID>.html
- [Domains] Example fake/cashout domain observed – drewgiless[.]com, and dozens more across 121 fake web stores
- [IP addresses] C2 and hosting infrastructure – campaign infrastructure pointed to 14 IP addresses (not enumerated in the article)
Researchers from HUMAN’s Satori team — Gabi Cirlig, Inna Vasilyeva, Vikas Parthasarathy, Lindsay Kaye, Maor Elizen, and Adam Sell — identified and helped disrupt a multi-year fraud campaign that fabricated entire shopping experiences to steal payments and payment data. Branded Phish ’n’ Ships by the investigators, the operation combined website compromise, search-result manipulation, and the misuse of legitimate payment processors to convert search traffic into cashouts.
The campaign worked by injecting malicious payloads into thousands of otherwise legitimate websites. Those payloads generated fake product pages and associated metadata engineered to push those pages high in both web and image search results. When a shopper searched for a hard-to-find or niche item, the manipulated search results often surfaced one of these poisoned listings, which redirected the user to a fake web store controlled by the attackers.
Once on the fake storefront, the site presented plausible product images, dynamically generated customer reviews, and typical checkout flows that appeared legitimate. The checkout step, however, diverted payments through one of several provider gateways the attackers had registered or abused. In some cases the threat actors used an intermediary gateway that captured card details before forwarding the user to a genuine payment processor; in other cases, after payment providers began removing their accounts, they collected card data directly on the hostile store.
Satori traces the operation back to at least 2019. Over that period the threat actors infected more than 1,000 websites and established 121 fake web stores. The researchers estimate the group’s actions have victimized hundreds of thousands of consumers and generated financial losses in the tens of millions of dollars. The campaign evolved over time: early phases relied heavily on abused payment processor integrations, while later adaptations included direct card-data capture when payment platforms intervened.
From the defender’s perspective the attack can be broken into four stages. First, actors exploited public-facing application vulnerabilities to upload malicious files and plant fake product listings across many domains. Next, the malicious scripts poisoned search engine results and, upon clicks, redirected users to randomly generated attacker domains. Third, those redirects brought visitors to the fake web shops where product pages and reviews were dynamically presented. Finally, the checkout flow pushed transactions through semi-legitimate stores or payment gateways the actors controlled, allowing them to cash out and log payment data.
Technical artifacts observed by Satori include randomly named PHP files used for site compromise, URL patterns that helped identify many of the fake stores (‘product.aspx?cname=<ID>’ and ‘product_details/<ID>.html’), and centralized infrastructure that resolved to a set of IP addresses. The attackers also used simple bots to harvest retail images and monitor SEO results, and they kept trend lists and search-volume data on their infrastructure to decide which niche products to fake.
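As an added hunting example (not code from the report or from HUMAN), the following Python script tags web-server access-log lines that show the artifacts listed in the Indicators of Compromise section and the paragraph above: requests touching the named PHP files, the two fake-listing URL shapes, and listings reached from a search-engine referrer (the SEO-poisoning path). The log lines and the search-engine referrer list are constructed assumptions, not data from the report.

```python
import re

# Indicators taken from the report: dropped PHP files and fake-listing URL shapes.
SUSPICIOUS_PHP = {"zenb.php", "khyo.php"}
LISTING_PATTERNS = [
    re.compile(r"/product\.aspx\?cname=[^&\s]+", re.I),
    re.compile(r"/product_details/[^/\s]+\.html", re.I),
]
# Assumption: referrer substrings that identify common search engines.
SEARCH_REFERRERS = ("google.", "bing.", "duckduckgo.")

# Minimal combined-log-format parser: method, path, status and referrer.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "[^"]*"$'
)

def classify(line: str) -> list[str]:
    """Return indicator tags for one access-log line (empty list if clean or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, referrer = m.group("path"), m.group("referrer")
    tags = []
    # Request to one of the named PHP files, wherever it was planted.
    filename = path.split("?")[0].rsplit("/", 1)[-1].lower()
    if filename in SUSPICIOUS_PHP:
        tags.append("suspicious-php")
    # Fake product-listing URL on a site that should not serve such pages.
    if any(p.search(path) for p in LISTING_PATTERNS):
        tags.append("fake-listing-url")
        # Listing reached from a search engine: poisoned search result being clicked.
        if any(s in referrer.lower() for s in SEARCH_REFERRERS):
            tags.append("search-referred")
    return tags

def scan(lines):
    """Yield (path, tags) for every line that matches at least one indicator."""
    for line in lines:
        tags = classify(line)
        if tags:
            yield LOG_RE.match(line).group("path"), tags

# Constructed sample log lines (not from the report) for a site that sells nothing.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /product.aspx?cname=XYZ123 HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2024:12:00:03 +0000] "POST /wp-content/uploads/zenb.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '203.0.113.8 - - [10/Oct/2024:12:00:04 +0000] "GET /product_details/abc42.html HTTP/1.1" 200 1900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, tags in scan(SAMPLE_LOG):
        print(path, tags)
```

A hit on `fake-listing-url` from a site that has no product catalogue is the strongest signal; pair it with a file-system search for the same PHP names under upload directories.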
Disruption came through coordinated disclosure and partner action. Satori briefed the impacted payment processors, which removed the threat actors’ accounts and limited their ability to cash out. Google search results no longer display many of the fake listings as of October 2024, cutting a primary source of traffic to the fraud sites. Satori also shared technical details with law enforcement and the broader threat intelligence community so defenders can watch for reuse of the same infrastructure and techniques.
Despite these gains, Phish ’n’ Ships remains an active threat with the potential to reappear in adapted forms. The campaign’s longevity and ability to pivot between cashout methods underscore the ongoing risk posed by the intersection of compromised web infrastructure and the digital advertising/search ecosystem. The researchers emphasize that staged organic and sponsored listings were central to the fraud: without manipulated search visibility there would have been far fewer victims.
Satori’s investigation highlights the value of proactive hunting and responsible disclosure. Findings from this research have been integrated into HUMAN’s Human Defense Platform to strengthen protections for customers and industries that are frequently targeted by online payment fraud, such as financial services and e-commerce.
The report acknowledges related research from Security Research Labs (their BogusBazaar findings) and thanks the payment processors that cooperated in identifying and shutting down actor accounts. The Satori team continues to monitor search results and threat infrastructure for new fake listings and adaptations.
In short, Phish ’n’ Ships is a sophisticated, multi-stage fraud operation that exploited website vulnerabilities, search-engine visibility, and payment integrations to steal money and payment card data. The collaborative disruption efforts to date have meaningfully reduced the campaign’s reach, but vigilance and continued coordination across platforms, providers, and law enforcement will be necessary to prevent its return.