New Chrome, Safari, Edge, Firefox Warning: Do Not Use These Websites!

In recent months, cybersecurity experts have issued an urgent warning for internet users to be cautious when using popular browsers like Chrome, Safari, Edge, and Firefox. A rising wave of fraudulent websites has been designed to appear legitimate, but in reality, these sites are sophisticated scams created to steal sensitive data, including login credentials and payment information. With phishing tactics and deceptive layouts, these fake sites aim to trick users into revealing personal information and drain their accounts. Here’s what you need to know to protect yourself and avoid seeing your money vanish.

Updated on November 7 with new government cybersecurity agency guidance on malware infecting legitimate online ad campaigns.

With “tens of millions of dollars” stolen from “hundreds of thousands” of web users, a serious warning has just been issued for the billions of users of the most popular web browsers. Google has removed known websites from search results, but that will not eradicate links elsewhere, on social media and messaging platforms. It is critical all users know what to look for. Put very simply—you must not use these websites.

Human Security’s Satori researchers warn that threat actors “drove traffic to fake web shops by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer. When a consumer clicks on the item link, they’re redirected to another website, this one controlled by the threat actor.”

Then on the dangerous website itself, users would be directed to a legitimate payment processing platform to buy their chosen product. That product would never arrive, of course, but the money would certainly be taken. While many consumers may be protected from the ultimate financial cost through credit card chargebacks, that’s never guaranteed until a claim is investigated.

In the campaign most recently exposed, bad actors “infected more than 1,000 websites to create and promote fake product listings and built 121 fake web stores to trick consumers… estimating losses of tens of millions of dollars over the past five years, with hundreds of thousands of consumers victimized.”

Common Red Flags: How to Spot Fraudulent Websites

* Too-Good-To-Be-True Deals: Scammers lure users with extremely low prices or high discounts that seem too good to be true. If a website advertises a deal that seems unrealistic, approach it with caution.

* If this is a website you have not used before, check reviews carefully. Remember they can be fake, and look for reviews of the site on websites you know.

* No Contact Information or Vague Business Information: Legitimate companies usually provide contact information, including an address and phone number. Websites without clear contact details could be trying to hide their identity.

* Unusual URL Patterns or Misspellings: One of the easiest ways to detect a scam site is by examining the URL. Fake websites often use slight misspellings, additional characters, or unusual domain extensions (e.g., “.biz” or “.xyz”) to mimic legitimate sites.

* Does the ordering process feel fully legitimate? For example, does it autofill address details, and does it check the quality of the data you enter?

* Can you find the product on a known website, even if it is more expensive?
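The URL red flag in the list above (slight misspellings, additional characters, unusual extensions) can be checked mechanically. The sketch below is an added example, not from the original article or from the Satori research. The brand list, the edit-distance threshold of 2 and the use of the last two host labels as the registered domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not from the article): the sample brand list,
# the edit-distance threshold, and "last two labels = registered domain".
KNOWN_DOMAINS = {"amazon.com", "paypal.com", "walmart.com"}  # constructed sample
UNUSUAL_TLDS = {"biz", "xyz"}  # the two extensions the article names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(url: str) -> str:
    """Lower-cased last two labels of the host (wrong for suffixes like co.uk)."""
    target = url if "://" in url else "//" + url.lstrip("/")
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def url_red_flags(url: str) -> list[str]:
    """Return the URL red flags from the list above that apply to `url`."""
    domain = registered_domain(url)
    if domain in KNOWN_DOMAINS:
        return []  # exact match with a site the user already trusts
    flags = []
    name, _, tld = domain.rpartition(".")
    if tld in UNUSUAL_TLDS:
        flags.append(f"unusual extension .{tld}")
    for known in sorted(KNOWN_DOMAINS):
        known_name = known.rpartition(".")[0]
        distance = edit_distance(name, known_name)
        if distance == 0:
            flags.append(f"{known_name} name on a different extension")
        elif distance <= 2:
            flags.append(f"misspelling of {known}")
        elif known_name in name:
            flags.append(f"extra characters around {known_name}")
    return flags
```

An empty result only means none of these three patterns matched; the other red flags in the list still apply.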

“This operation underscores the relationship between the digital advertising ecosystem and fraud,” Satori says. “Without the threat actors’ staged fake organic and sponsored product listings, there would have been no traffic to the fake web stores and therefore, no fraud. A key takeaway from Phish ‘n’ Ships is that digital advertising can be dangerous, and consumers should exercise caution when clicking through to the next step in a digital journey.”

Users of all major browsers fall victim to such attacks. The research team warns that “Phish ’n’ Ships remains an active threat,” albeit Google’s takedown has “partially disrupted” its threat. “It’s unlikely the threat actors will pull the plug on their work without trying to find a new way to perpetuate their fraud.”

Also, since Google has begun to fish them out, Malwarebytes warns that “a new wave of phishing for banking credentials [is] targeting consumers via Microsoft’s search engine.”

Here’s a list of fraudulent websites that Google has brought down from its platform and of course there will be more still lurking on the web. Be careful out there!