Large-Scale Online Scam Operations and Cross-Platform Fraud Tactics
Researchers and industry reporting highlighted a sharp rise in online scam infrastructure, including a network of more than 20,000 fake shopping sites built to steal payment data and personal information, and phishing campaigns that use LiveChat-style customer support impersonation to extract credit card details, PII, and even MFA codes. The fake-shop ecosystem uses polished storefronts, shared infrastructure, and rapid rebranding to mimic legitimate retailers at industrial scale, while the LiveChat campaigns begin with deceptive emails and move victims into real-time conversations with fake support agents posing as brands such as Amazon and PayPal.
Separately, Google, Meta, Amazon, and other companies announced a voluntary intelligence-sharing pact to combat online scams across social media, marketplaces, messaging, and payments platforms. That agreement is related to the broader rise in fraud, but it is not about the same specific scam operations described in the threat reports. The combined reporting shows that scam activity is increasingly coordinated, multi-platform, and enabled by reusable infrastructure and social engineering techniques that make fraudulent interactions appear legitimate to victims.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers map a 20,000-domain fake shop network
Researchers identified a coordinated fraud operation spanning more than 20,000 domains that used polished e-commerce storefronts to steal payment details and personal information. The network shared common traits including WordPress deployments, Sellvia-based templates, the browser tab title "Unrivaled selection only for you," and infrastructure concentrated on 36 IP addresses.
Cofense identifies LiveChat brand-impersonation phishing campaign
Cofense researchers uncovered a phishing campaign that used deceptive emails, including fake PayPal refund notices and order confirmations, to lure victims to fraudulent live chat pages impersonating brands such as Amazon and PayPal. Attackers posing as support agents then used real-time chat to solicit PII, payment card data, CVC codes, and multi-factor authentication codes.
Fake e-shop scams surge during 2025
Malwarebytes reported that fake online shop scams grew sharply in 2025, with social media platforms such as Facebook and YouTube helping drive traffic to fraudulent storefronts. This broader rise provides context for the larger fake-shop operation later mapped by researchers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and Financial Fraud Campaigns Targeting Online Accounts and Payment Data
Threat researchers reported multiple financially motivated social-engineering operations designed to steal credentials and enable downstream fraud. Malwarebytes documented a **job-themed phishing** campaign impersonating *Google Forms* via the lookalike domain `forms.google.ss-o[.]com`, using a `generation_form.php` script to generate personalized lure URLs and redirecting victims through a fake form to a credential-harvesting login flow (e.g., `id-v4[.]com`). The infrastructure also used redirection to local Google search pages as an anti-analysis tactic to reduce link sharing and researcher visibility. Separately, Bridewell-reported activity described a **Booking.com-themed, multi-stage phishing and fraud scheme** targeting both hotel partners and guests: initial “complaint”/reservation lures drive staff to attacker-controlled portals using lookalike domains (including **IDN homograph** tricks) to harvest partner credentials, followed by account takeover and guest-facing fraud (including WhatsApp outreach using real booking details). A third report described the broader rise of **Carding-as-a-Service (CaaS)** marketplaces (e.g., “fullz” bundling and platforms such as Findsome and UltimateShop) and the supply chain feeding them (PhaaS credential theft, skimming, and malware), but it did not describe the same specific phishing incidents and should be treated as related background rather than part of the same event.
Mar 21, 2026
Industrialized Automated Fraud in Digital Identity and Online Retail
Security researchers have observed a significant evolution in digital identity fraud, with threat actors increasingly leveraging automation, AI, and coordinated infrastructures to perpetrate large-scale attacks. Fraudulent activities now include the use of synthetic personas, credential replay, and high-speed onboarding attempts, all orchestrated through systems that learn and adapt over time. Deepfake experimentation and document spoofing have become part of connected ecosystems, where machine-driven agents iterate on attack methods using feedback from failed attempts. This shift means that fraud is less reliant on skilled human operators and more on scalable, automated workflows, making detection and prevention more challenging for security teams. In parallel, the 2025 holiday shopping season has seen a surge in industrialized online retail fraud, with threat actors registering hundreds of fake domains to impersonate major brands and deceive consumers. These campaigns utilize automated tools to mass-produce convincing counterfeit websites, often promoted via social media, to harvest sensitive financial data and distribute malware. The infrastructure supporting these attacks is highly organized, allowing rapid deployment and evasion as domains are taken down. The convergence of these trends highlights the growing sophistication and scale of automated fraud, posing significant risks to both organizations and individuals.
Apr 30, 2026
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is **not fluff** because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.
Mar 21, 2026