Mallory

Large-Scale Online Scam Operations and Cross-Platform Fraud Tactics

Tags: scams, fraud, phishing, ecommerce, social engineering, fake shops, marketplaces, social media, impersonation, payment card, messaging

Updated March 18, 2026 at 12:22 PM | 2 sources

Researchers and industry reporting highlighted a sharp rise in online scam infrastructure, including a network of more than 20,000 fake shopping sites built to steal payment data and personal information, and phishing campaigns that use LiveChat-style customer support impersonation to extract credit card details, PII, and even MFA codes. The fake-shop ecosystem uses polished storefronts, shared infrastructure, and rapid rebranding to mimic legitimate retailers at industrial scale, while the LiveChat campaigns begin with deceptive emails and move victims into real-time conversations with fake support agents posing as brands such as Amazon and PayPal.

Separately, Google, Meta, Amazon, and other companies announced a voluntary intelligence-sharing pact to combat online scams across social media, marketplaces, messaging, and payments platforms. That agreement is related to the broader rise in fraud, but it is not about the same specific scam operations described in the threat reports. The combined reporting shows that scam activity is increasingly coordinated, multi-platform, and enabled by reusable infrastructure and social engineering techniques that make fraudulent interactions appear legitimate to victims.

Related Stories

Phishing and Financial Fraud Campaigns Targeting Online Accounts and Payment Data

Threat researchers reported multiple financially motivated social-engineering operations designed to steal credentials and enable downstream fraud. Malwarebytes documented a **job-themed phishing** campaign impersonating *Google Forms* via the lookalike domain `forms.google.ss-o[.]com`, using a `generation_form.php` script to generate personalized lure URLs and redirecting victims through a fake form to a credential-harvesting login flow (e.g., `id-v4[.]com`). The infrastructure also used redirection to local Google search pages as an anti-analysis tactic to reduce link sharing and researcher visibility. Separately, Bridewell-reported activity described a **Booking.com-themed, multi-stage phishing and fraud scheme** targeting both hotel partners and guests: initial “complaint”/reservation lures drive staff to attacker-controlled portals using lookalike domains (including **IDN homograph** tricks) to harvest partner credentials, followed by account takeover and guest-facing fraud (including WhatsApp outreach using real booking details). A third report described the broader rise of **Carding-as-a-Service (CaaS)** marketplaces (e.g., “fullz” bundling and platforms such as Findsome and UltimateShop) and the supply chain feeding them (PhaaS credential theft, skimming, and malware), but it did not describe the same specific phishing incidents and should be treated as related background rather than part of the same event.

3 weeks ago

Industrialized Automated Fraud in Digital Identity and Online Retail

Security researchers have observed a significant evolution in digital identity fraud, with threat actors increasingly leveraging automation, AI, and coordinated infrastructures to perpetrate large-scale attacks. Fraudulent activities now include the use of synthetic personas, credential replay, and high-speed onboarding attempts, all orchestrated through systems that learn and adapt over time. Deepfake experimentation and document spoofing have become part of connected ecosystems, where machine-driven agents iterate on attack methods using feedback from failed attempts. This shift means that fraud is less reliant on skilled human operators and more on scalable, automated workflows, making detection and prevention more challenging for security teams. In parallel, the 2025 holiday shopping season has seen a surge in industrialized online retail fraud, with threat actors registering hundreds of fake domains to impersonate major brands and deceive consumers. These campaigns utilize automated tools to mass-produce convincing counterfeit websites, often promoted via social media, to harvest sensitive financial data and distribute malware. The infrastructure supporting these attacks is highly organized, allowing rapid deployment and evasion as domains are taken down. The convergence of these trends highlights the growing sophistication and scale of automated fraud, posing significant risks to both organizations and individuals.

2 months ago
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials

Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity.

Yesterday