China-linked hackers spoof big-name brand websites to steal shoppers' payment info
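Researchers have discovered a sprawling online fraud system that steals online shoppers' payment information by imitating the retail websites of globally known brands. The phishing sites impersonate big names such as Apple and PayPal, and even use Google Pay to boost credibility, but never actually deliver goods. The campaign has been running for months and involves users in multiple countries; technical indicators suggest a possible link to Chinese cybercriminals. Although some of the sites have been taken down, thousands remain active. 2025-7-2 18:46:10 Author: therecord.media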

Researchers have uncovered a sprawling network of fraudulent retail websites impersonating major global brands in an effort to steal payment data from online shoppers.

The campaign, which has been active for months, uses thousands of phishing websites that mimic the design and product listings of well-known retailers — including Apple, PayPal, Nordstrom, Hermes, and Michael Kors — to trick users into entering their credit card information.

The scheme was first flagged in May by Mexican journalist Ignacio Gómez Villaseñor during the country’s national sales week. Further investigation by cybersecurity firm Silent Push revealed a much broader fake marketplace operation targeting English and Spanish-speaking users across multiple countries beyond Mexico.

The campaign has not been attributed to a specific threat actor, but Silent Push said technical indicators within the hackers' infrastructure, including code containing Chinese-language terms, suggest the involvement of cybercriminals based in China.

Some of the spoofed sites appear convincing, featuring scraped product listings and fake checkout pages. Others raise suspicion, such as a fake Guitar Center site offering children’s accessories instead of musical instruments.

When customers enter their card details on these sites, the system behaves as if it’s processing a real payment. Some pages even include legitimate Google Pay widgets to enhance credibility. The products are never delivered, however.

It remains unclear how many people have fallen victim to the scams or how much money the hackers have stolen. Many of the fraudulent websites have been taken down by hosting providers, but as of last month thousands remained active, Silent Push said.

Researchers previously uncovered a similar campaign in which cybercriminals allegedly defrauded hundreds of thousands of consumers by compromising legitimate shopping websites and redirecting users to fake online stores. 

These fraudulent sites promoted hard-to-find items that were never delivered. The scheme relied on malicious code to generate fake product listings and manipulate search engine rankings, increasing the visibility of scam pages and attracting unsuspecting shoppers.

Retail-themed phishing scams are a common tactic used by cybercriminals to target online brands and shoppers, and in recent months several high-end fashion companies have reported cybersecurity incidents. 

Victoria’s Secret said a breach in May disrupted internal systems and delayed the release of its quarterly financial results. Cartier, Adidas, Tiffany & Co., and Dior have also reported data breaches or security incidents that exposed customer and employee data.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Article source: https://therecord.media/china-linked-hackers-website-phishing