嗯,用户让我用中文总结一下这篇文章的内容,控制在一百个字以内,而且不需要以“文章内容总结”或“这篇文章”这样的开头,直接写描述即可。首先,我需要仔细阅读文章,抓住主要信息。 文章标题是“Threat Research Advisory: Mass Fake-Shop Campaign Targeting Retail Customers”,看起来是关于大规模虚假网店攻击零售客户的威胁报告。执行摘要部分提到PreCrime™ Labs在2025年11月识别了一个利用虚假网店域名的大规模活动,目的是冒充合法零售商进行金融欺诈和分发恶意软件。 分析了244个自年初以来被注册的域名,显示多个注册商、主机提供商和自治系统的基础设施滥用。注册和DNS数据表明这是一个结构良好的操作,主要来自中国的基础设施提供商,并使用域名隐私服务来掩盖归属。 接下来,文章详细列出了各种指标,比如总虚假商店域名数量、唯一注册商数量、顶级注册商、顶级注册人国家、最滥用的名称服务器、峰值注册月份等。这些数据表明这是一个持续的、工业化的操作,专注于零售品牌冒充,并与全球购物活动如黑色星期五和双十一相吻合。 报告还讨论了注册商指标和分析,包括排名前五的注册商及其观察结果。国家注册情况显示中国占主导地位。DNS/基础设施部分提到共享名称服务器和ASN重叠,表明基础设施的重复使用和潜在相关域的关联。 趋势分析指出活动与主要零售时期同步,如Prime Day、返校季和黑色星期五。WHOIS及归属模式显示超过50%的条目使用隐私保护或红acted字段,并指出某些域列表使用美国或欧盟位置但解析到中国的ASN。 跨参考OSINT显示集群之间的强相关性,如重复使用的JavaScript库、结账模板和像素ID。技术亮点包括品牌模仿、自动化域名轮换、隐私屏蔽等。案例部分提到一些特定的虚假网站如何模仿品牌并进行钓鱼活动。 最后,报告提到已经采取了措施如向注册商和 registry 提交保留请求、服务器关闭以及共享IOC到PreCrime™ Watchlist,并计划持续监测新顶级域的重新注册情况。 总结起来,文章主要描述了一个大规模的虚假网店活动,涉及大量域名滥用和基础设施协调,目的是进行金融欺诈和恶意软件分发,并提到了一些应对措施。 </think> 文章揭示了一项针对零售客户的大型虚假网店诈骗活动。该活动利用大量仿冒合法零售商的虚假网店域名进行金融欺诈,并通过伪造结账系统分发恶意软件。分析显示涉及244个域名,主要来自中国基础设施提供商,并通过隐私服务掩盖归属。该活动与全球购物节同步展开,并利用社交媒体广告吸引用户。 2025-12-17 12:2:45 Author: bfore.ai(查看原文) 阅读量:9 收藏
Threat Research Advisory: Mass Fake-Shop Campaign Targeting Retail Customers
Executive Summary: Mass Fake-Shop Campaign Targeting Retail Customers
Date: November 2025
Source: PreCrime™ Labs
In November 2025, PreCrime™ Labs, the research division of BforeAI, identified a campaign that leverages mass registration of fake online shop domains to impersonate legitimate retailers, facilitate financial fraud, and in certain instances, distribute malware through counterfeit checkout systems and redirect payloads.
Analysis covers 244 domains actively being registered since the start of the year, revealing coordinated infrastructure abuse spanning multiple registrars, hosting providers, and autonomous systems. Registration and DNS telemetry indicate a well-structured operation with distinct clusters, primarily originating from Chinese infrastructure providers and utilizing domain privacy services to obscure attribution.
Emerging Tech Gartner® Report
Get complimentary access to the Gartner report, Emerging Tech: Tech Innovators in Preemptive Cybersecurity
|
Metric |
Value |
|---|---|
|
Total fake shop domains |
244 |
|
Unique registrars |
43 |
|
Top registrar |
West263 International Limited (46 domains) |
|
Top registrant country |
China (79 domains) |
|
Most abused nameserver |
ns1.dyna-ns.net (33 domains) |
|
Peak registration month |
October (78 domains) |
The overall trend indicates an ongoing, industrialized operation focusing on retail brand impersonation, coinciding with global shopping events like Black Friday and Singles’ Day.
Registrar Metrics & Analysis
|
Rank |
Registrar |
Domains |
Observations |
|---|---|---|---|
|
1 |
West263 International Limited |
46 |
Predominantly Chinese infrastructure, recurring abuse history |
|
2 |
Dynadot Inc |
41 |
Common abuse registrar, recurring in retail phishing |
|
3 |
NameSilo, LLC |
16 |
Fast acquisition cycles, often with privacy masking |
|
4 |
Alibaba Cloud / HiChina |
13 |
Consistent Chinese origin, obfuscated WHOIS |
|
5 |
Sav.com, LLC |
11 |
US-based, increasingly leveraged in global campaigns |
Top 10 Domain Registrars by Campaign Domain Count
Registrars in this set demonstrate repeat exposure to large-scale abuse, likely due to weak screening or automated acceptance pipelines that facilitate high-volume registrations from scripted actors.
|
Country of Registration |
Domains |
|---|---|
|
China |
79 |
|
United States |
30 |
|
Iceland |
8 |
|
Spain |
2 |
|
Others (Mixed) |
Remaining |
Top Registrant Countries (Fake Shop Domains)
China remains the dominant operational base, with several fake registrant addresses mimicking European retailers but mapping back to Chinese providers through IP WHOIS lookups and ASN correlation.
DNS / Infrastructure (ASN Overview)
|
Nameserver |
Domains |
Observation |
|---|---|---|
|
ns1.dyna-ns.net |
33 |
Common across multiple fake shops |
|
dns1.registrar-servers.com |
15 |
Shared by clusters hosted on NameSilo |
|
ns1.dnsip.com |
14 |
Consistent among parked/redirected domains |
|
ns1.dnsowl.com |
10 |
Frequently linked to cloned storefronts |
|
ns1.alidns.com |
8 |
Indicative of Alibaba-backed infrastructure |
|
augustus.ns.cloudflare.com |
7 |
Used for proxy obfuscation and DDoS cover |
Pivot Observation:
Shared nameservers indicate mass parking and infrastructure recycling, with potential to correlate related domains via urlscan.io, DNSlytics, and PassiveTotal ASN mapping.
Peak registration months:
- October (78 domains)
- July–August (~27–28 each)
- Sharp rise beginning June, coinciding with global sale events.
Trend Analysis:
Campaign actors synchronize domain creation with major retail periods—Prime Day, back-to-school, Black Friday—maximizing user engagement and ad visibility through social and paid promotion platforms.
WHOIS & Attribution Patterns
- Over 50% of WHOIS entries use privacy-protection or redacted fields.
- West263 and Dynadot dominate among China-based registrants, both previously flagged for recurring abuse in similar retail-themed phishing operations.
- A subset of domains lists U.S. or EU locations but resolves to Chinese ASNs, revealing fraudulent WHOIS entries.
Pivoting across DNSlytics and ASN records reveals clear subnet overlaps, indicating the same hosting blocks being reused for new clusters every few weeks. While some use Cloudflare fronting to hide real origin IPs, backend ASN metadata consistently leads to Chinese or Hong Kong infrastructure.
Cross-referencing campaign domains through OSINT exposes strong correlation between clusters:
- Reuse of identical JavaScript libraries, checkout templates, and meta pixel IDs.
- Common patterns of Shopify-like checkout URLs (e.g., /collections/all, /products/item123).
- Identical tracking and analytics endpoints, linking domains across multiple brand impersonations.
These elements confirm the use of automated site-generation tools or template-based kits to mass-produce fake retail shops.
Campaign Technique Highlights
|
Technique |
Description |
|---|---|
|
Brand mimicry |
Fake stores cloned from major global retailers (Zalando, Birkenstock, Lululemon, Dr. Martens, IKEA, etc.) |
|
Automated domain churn |
Dozens registered daily to evade blacklisting |
|
Privacy shielding |
Heavy use of privacy-protected WHOIS data |
|
DNS park & deploy |
Fast DNS setup, quick redirect changes |
|
Social lure vectors |
Promotion via TikTok, Facebook, and Google Shopping ads |
|
Pivot potential |
Shared infrastructure enables expansion tracking |
Agenda-oriented campaigns
Certain e-commerce websites, for example, “peaceforsecurity[.]com” were being leveraged as a high-end fashion clothing store under the guise of selling “Women Dresses 2025.” The domain is not affiliated with any known legitimate clothing brands and could be part of a phishing or agenda-oriented campaign.
For example, ‘PeaceForSecurity’ is an oddly placed domain name for a fashion site, likely to evade detection or to align with Uniqlo’s recent campaign, where donations were announced for international organizations supporting those affected by violence, discrimination, armed conflict, and poverty.
Ambiguous cross-branding campaigns
In one case, we observed overlapping brands where the fake domain “lululemonsalehub[.]com” was set up to promote hair products, which is not directly related to Lululemon. Additionally, a page title mentioning “Shein”, appeared to support a multi-brand impersonation campaign, strategically placed to create ambiguity.
Obvious signs of phishing websites include spelling errors and irrelevant keyword placements. For instance, sites like “www[.]gymclothes980[.]store” use generic online store templates with nonsensical names, such as “adsdsa34243234,” with lure elements like “free shipping” to facilitate financial fraud or and/or personally identifiable information (PII) harvesting.
Domain list:
- motionsport352.store
- runningsport541.store
- gymclothes980.store
- sportwears307.store
- wearsport075.store
- runningtrack679.site
Seasonal sale lures to create urgency
A recently created domain titled “mango-flashsale[.]com” was found to be impersonating the Mango brand by promoting fake “flash sales” designed to deceive users into submitting payment or personal information. The use of the term “Spring Sale” in the page title further exploits seasonal shopping behavior to increase the likelihood of engagement.
- Registry-Level Hold: All confirmed domains were escalated to registrars and registries (notably GMO and Dynadot) for immediate lock/hold.
- Server Takedowns: Hosting providers contacted; several clusters now non-resolving.
- PreCrime™ Watchlist: Indicators of Compromise (IOCs) shared internally for ongoing auto-detection in onboarding scans.
- Next Steps:
- Continuous monitoring for re-registrations on .xyz, .shop, .top, and .store.
- Correlation with ongoing TikTok/Meta ad scams targeting retail consumers.
- Pivot expansion toward .asia and .vip TLDs, which show emerging overlaps.
This campaign demonstrates a highly organized infrastructure-as-a-service model supporting fake online stores at scale. The coordination across registrars, DNS providers, and hosting ASNs suggests a dedicated operation with financial and possibly state-linked fraud motives.
Thanks to proactive engagement with registries and hosting networks, the bulk of these domains are now suspended or non-resolving, but monitoring remains crucial given the operators’ demonstrated resilience and automation capabilities.
Explore our latest PreCrime™ Labs report:
Suspicious Domain Activity in Lead up to 2026 FIFA World Cup Tournament
Phishing Campaign Imitating U.S. Department of Education G5
Ready to see BforeAI in action?
Get a personalized demo
Talk to one of our experts and deploy in minutes.
No implementation needed. Works right out of the box!
如有侵权请联系:admin#unsafe.sh