By Contributor Zak Doffman
Be careful before you shop.
If you shop online, then you will be inundated with special offers, discounts and seasonal sales. Clicking through will take you to websites where you can buy with ease. But this is a scammer’s paradise as bargain hunters search out the best prices. And now organized criminal gangs have a global ecosystem that’s ready to steal your money.
This attack works through thousands of dangerous websites, stealing credit card or PayPal details as soon as they’re entered. Worse, these websites look like they’re from major brands, including Apple, Wayfair, Michael Kors, Wrangler Jeans and others.
The warning comes from Silent Push, which says attacks likely originate from Chinese cybercriminals, which have built “multiple phishing websites spoofing well-known retailers,” and have abused “online payment services such as MasterCard, PayPal, and Visa, as well as payment security techniques such as Google Pay.”
Just as with the text message attacks now sweeping across the U.S., Chinese organized criminal gangs have built an entire attack ecosystem and infrastructure which they can either operate themselves or sell or rent to others to target different geographies.
“Our team has found thousands of domains spoofing various payment and retail brands in connection to this campaign, including: PayPal, Apple, Wayfair, Lane Bryant, Brooks Brothers, Taylor Made, Hermes, REI, Duluth Trading, Omaha Steaks, Michael Kors, and many, many more peddling everything from luxury watches to garage doors.”
Fake website “brooksbrothersofficial[.]com” (image: Silent Push)
Unlike other attacks, these websites “don’t appear to actually process transactions or purchases, but instead steal credit card information entered on a (fake) payment page.”
You will be pushed to these websites through marketplace ads or links in social media, but the campaign could just as easily leverage SEO poisoning for specific product searches.
These are examples of the kind of website that could be included in these attacks:
cotswoldoutdoor-euro[.]shop
harborfrieght[.]shop
portal[.]oemsaas[.]shop
rizzingupcart[.]com
brooksbrothersofficial[.]com
josbankofficial[.]com
nordstromltems[.]com
guitarcentersale[.]com
tommyilfigershop[]com
tumioutlets[.]com
But there are many thousands of domains, with similarly crafted URLs that include enough of the keywords you might expect, or use subtle misspellings or special characters to look like a genuine .com website address.
It’s always dangerous to shop on any website accessed via a link, unless you’re very sure where that link has come from. Recent reports have shown how easy it is to fake marketplace ads, so they’re certainly best avoided.
Fake website “omahasteaksbox[.]com” (image: Silent Push)
If you do shop from a link, then check two things:
First, the domain should be within one of the brand’s primary websites. It should not have a special domain of its own. If that’s not the case, do not shop there.
Second, check the spelling of the domain. Look for subtle mistakes. This is especially true where it appears at first glance to be a brand鈥檚 main website.
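The two checks above can also be automated for a mail filter or a browsing proxy. The following is an added example, not code from Silent Push or the article: the `OFFICIAL` allowlist, the verdict names and the two-typo threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: brand keyword -> that brand's primary domain. Keep your own list.
OFFICIAL = {
    "brooksbrothers": "brooksbrothers.com",
    "harborfreight": "harborfreight.com",
    "nordstrom": "nordstrom.com",
}

def edit_distance(a, b):
    """Levenshtein distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hostname(url):
    """Lower-cased host of a URL; accepts defanged '[.]' and a missing scheme."""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def check_link(url, max_typos=2):
    """Return (verdict, brand) for a link, applying the two checks in order."""
    host = hostname(url)
    if not host:
        return ("invalid", None)
    # Check 1: the host must be the brand's domain or a subdomain of it.
    # Matching on "." + domain stops "notnordstrom.com" passing as official.
    for brand, domain in OFFICIAL.items():
        if host == domain or host.endswith("." + domain):
            return ("official", brand)
    labels = host.split(".")
    # Special characters: non-ASCII or punycode labels can imitate Latin letters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return ("idn", None)
    # Check 2: brand keyword inside a foreign domain, or a near-miss spelling.
    for brand in OFFICIAL:
        for label in labels:
            if brand in label:
                return ("brand-keyword", brand)
            if edit_distance(label, brand) <= max_typos:
                return ("misspelling", brand)
    return ("unknown", None)
```

A verdict of `unknown` only means the host references no brand on the allowlist; it is not a statement that the site is safe.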
It’s harder now to check website imagery and wording for mistakes – you can blame AI. Perfect replicas of websites, products, wording and imagery are now easy to create. These threat actors can also scrape legitimate websites for actual content.
The FBI says “check each website’s URL to make sure it’s legitimate and secure. A site you’re buying from should have https in the web address.”
“Despite many sites being taken down by both hosts and defenders,” Silent Push says, “thousands remain active as of June 2025. In the face of these types of scaled-up, persistent threats, traditional methods appear unable to hold back the tide.”