Fake Shop Networks Harvest Payment Data from Millions of Shoppers Across 20,000+ Domains
What Happened — Researchers mapped a coordinated network of over 20,000 fraudulent e‑commerce sites that mimic legitimate retailers. The sites collect payment credentials, billing addresses and personal data, then resell the information or use it for identity fraud. The operation is industrialized, using shared infrastructure, WordPress templates and the cheap “.shop” TLD.
Why It Matters for TPRM —
- Third‑party e‑commerce platforms and payment gateways may become inadvertent conduits for credential harvesting.
- Massive exposure of consumer payment data raises downstream fraud risk for partners, insurers and supply‑chain entities.
- Rapid re‑branding of sites defeats static blacklists, requiring continuous monitoring of vendor‑hosted storefronts.
Who Is Affected — Retail & e‑commerce merchants, payment processors, advertising platforms, affiliate networks, and any organization that integrates third‑party storefronts or links.
Recommended Actions —
- Review contracts with e‑commerce and payment service providers for anti‑fraud and data‑protection clauses.
- Verify that vendors employ real‑time URL reputation, checkout security (e.g., 3‑DS), and anti‑phishing controls.
- Deploy continuous monitoring for .shop TLD activity, shared WordPress footprints, and anomalous checkout page behavior.
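As an added illustration of the monitoring bullet above (example code written for this digest, not from the Malwarebytes research), the script below scores a constructed inventory of vendor storefronts on the three signals the campaign shares: the .shop TLD, a WordPress footprint in the page source, and several hosts sitting in the same IP range. The inventory values and thresholds are hypothetical.

```python
# Added example: triage monitored storefront URLs for fake-shop network signals.
# Sample inventory is constructed; the /24 grouping and score threshold are illustrative.
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# (url, resolved IP, first bytes of HTML) - constructed records, documentation IPs
INVENTORY = [
    ("https://outlet-deals.shop", "203.0.113.10", '<link href="/wp-content/themes/x/style.css">'),
    ("https://brand-clearance.shop", "203.0.113.10", '<script src="/wp-includes/js/jquery.min.js">'),
    ("https://another-bargain.shop", "203.0.113.11", '<meta name="generator" content="WordPress 6.4">'),
    ("https://www.legit-retailer.example", "198.51.100.7", "<html><head><title>Legit Retailer</title>"),
]
WP_MARKERS = ("/wp-content/", "/wp-includes/", 'content="WordPress')
PREFIX = 24  # group resolved IPs by /24 to approximate "shared IP ranges"

def net_of(ip):
    return ipaddress.ip_network(f"{ip}/{PREFIX}", strict=False)

def hosts_per_range(inventory):
    """Count distinct hostnames per IP range (shared-infrastructure signal)."""
    hosts = defaultdict(set)
    for url, ip, _ in inventory:
        hosts[net_of(ip)].add(urlparse(url).hostname)
    return {net: len(h) for net, h in hosts.items()}

def score_storefront(url, ip, html, range_counts):
    """Return (score, reasons): one point per campaign signal present."""
    reasons = []
    host = urlparse(url).hostname or ""
    if host.endswith(".shop"):
        reasons.append("cheap .shop TLD")
    if any(marker in html for marker in WP_MARKERS):
        reasons.append("WordPress footprint")
    shared = range_counts.get(net_of(ip), 0)
    if shared > 1:
        reasons.append(f"IP range shared by {shared} monitored hosts")
    return len(reasons), reasons

def triage(inventory, threshold=2):
    """Flag entries with at least `threshold` signals for analyst review."""
    counts = hosts_per_range(inventory)
    flagged = []
    for url, ip, html in inventory:
        score, reasons = score_storefront(url, ip, html, counts)
        if score >= threshold:
            flagged.append((url, score, reasons))
    return flagged

if __name__ == "__main__":
    for url, score, reasons in triage(INVENTORY):
        print(f"{url}: score {score} ({'; '.join(reasons)})")
```

In practice the inventory would be fed from vendor-supplied storefront lists and DNS resolution, and flagged entries routed to the TPRM review queue rather than blocked outright.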
Technical Notes — The campaign leverages WordPress themes, shared IP ranges, and the inexpensive “.shop” TLD to host phishing‑style checkout pages. No specific CVE is cited; the threat is operational rather than software‑vulnerability driven. Stolen data includes credit‑card numbers, CVV, billing address and personally identifiable information. Source: https://www.malwarebytes.com/blog/scams/2026/03/inside-a-network-of-20000-fake-shops