The deluge of bargain-priced ads that flooded social networks during Latin America’s “Hot Sale 2025” has now been traced to a sprawling Chinese-built malware operation that weaponizes thousands of convincingly branded storefronts to harvest payment credentials. First noticed by Mexican journalist Ignacio Gómez Villaseñor while monitoring suspicious domains hosted on a single IP, the campaign rapidly expanded beyond Spanish-speaking audiences, cloning Apple’s accessories catalogue in English one day and Wrangler Jeans the next.

Silent Push analysts identified the infrastructure after discovering an obfuscated “/cn/模板.css” path embedded in every template, a giveaway that the kit’s developer left debugging comments in Mandarin. Pivoting on that fingerprint exposed more than 9,000 domains registered since March, typosquats such as “harborfrieght.shop” and “tommyilfigershop.com”, all resolving to a rotating pool of Alibaba-hosted servers. The fake storefront shows the same Wrangler layout reused under “harborfrieght.shop”, illustrating how the kit simply substitutes brand logos and colour palettes during deployment. The group keeps overhead low by scraping genuine product imagery directly from the real retailers each time a shopper opens the page, ensuring that takedowns of one brand have no effect on the others.

Victims are funnelled through glossy checkout pages that accept Visa, MasterCard, PayPal and even Google Pay, masking the theft with authentic logos and a working countdown timer that simulates order processing. Within weeks, payment processors were reporting spikes in disputed transactions tied to virtual card numbers, an indication that Google Pay’s tokenisation alone cannot shield users if goods are never shipped.

Consumer-grade antivirus tools remained silent because no executable payload is ever dropped; all malicious logic lives in JavaScript delivered from the same CDN that hosts legitimate Shopify plug-ins. A conditional in that script ensures the malicious code only executes on domains ending in “.shop”, so analysts who copy the HTML to a lab VM never trigger it. By base64-encoding a timestamp, the path changes on every page load, defeating signature-based web filters that rely on fixed IOC lists. Because no malware binary is installed, endpoint detection must instead correlate rapid domain churn with payment-form exfiltration, a task better suited to network-level anomaly engines than to traditional AV.

To stay online, the operators register forty to fifty look-alike domains per day and rotate them behind reverse proxies that rewrite HTTP headers on the fly. Silent Push researchers note that once a domain is reported, its DNS records switch to a fresh IP and the widget rewrites itself with a new CDN stub, preserving the merchant façade while nullifying blacklists. For now, vigilant URL inspection, looking for subtle misspellings and mismatched TLS certificates, remains the most reliable defence until issuers can integrate Silent Push’s feed of Indicators of Future Attack into real-time fraud scoring.
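The network-level correlation the article calls for, as an added example that is not from the article, from Silent Push or from the kit itself: a small Python triage script run over constructed proxy log lines. It flags a host when its registrable label is within a short edit distance of a watch-listed brand (after stripping filler such as “shop” or “store”), when a path segment decodes from base64 to a plausible epoch timestamp, when the host has resolved to more than one IP, and when it has received a POST carrying card fields. The watch list, the legitimate domains, the field names, the log format, the timestamp window and the block/allow scoring are all assumptions made for the example.

```python
"""Triage heuristics for look-alike storefront domains (added example, constructed data)."""
from __future__ import annotations

import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

# ASSUMPTION: a defender's watch list, brand label -> legitimate registrable domain.
WATCH_LIST = {
    "harborfreight": "harborfreight.com",
    "tommyhilfiger": "tommy.com",
    "wrangler": "wrangler.com",
    "apple": "apple.com",
}
# ASSUMPTION: filler the kit bolts onto brand names; stripped before comparison.
NOISE_SUFFIXES = ("shop", "store", "outlet", "sale")
# ASSUMPTION: form field names that indicate card data in a POST body.
PAYMENT_FIELDS = {"cc_number", "cc_cvv", "card_number", "cvv", "pan"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short labels, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_match(host: str) -> str | None:
    """Return the brand a host imitates, or None for the genuine site or an unrelated host."""
    host = host.lower().rstrip(".")
    if any(host == legit or host.endswith("." + legit) for legit in WATCH_LIST.values()):
        return None  # the real retailer (or one of its subdomains)
    parts = host.split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]  # registrable label: 'harborfrieght' in 'harborfrieght.shop'
    for suffix in NOISE_SUFFIXES:
        if label.endswith(suffix) and len(label) > len(suffix):
            label = label[: -len(suffix)]
    for brand in WATCH_LIST:
        threshold = 2 if len(brand) >= 10 else 1  # short names get a tighter threshold
        if levenshtein(label, brand) <= threshold:
            return brand
    return None


def b64_timestamp(segment: str, lo: int = 1_577_836_800, hi: int = 1_893_456_000) -> int | None:
    """Decode a path segment as URL-safe base64 and return the epoch it hides, if any.

    lo/hi (2020-01-01 .. 2030-01-01 UTC) keep random base64-looking names from matching.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{8,}=*", segment):
        return None
    padded = segment + "=" * (-len(segment) % 4)  # kits often drop the '=' padding
    try:
        raw = base64.urlsafe_b64decode(padded)
    except ValueError:
        return None
    if not raw.isdigit():
        return None
    value = int(raw)
    return value if lo <= value <= hi else None


# ASSUMPTION: constructed proxy log format: time, resolved IP, method, URL, POSTed field names.
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)(?: fields=(\S+))?$")
SAMPLE_LOG = """\
2025-07-03T11:40:01Z 203.0.113.7 GET https://harborfrieght.shop/MTc1MTU0MjgwMA/widget.js
2025-07-03T11:40:05Z 203.0.113.7 POST https://harborfrieght.shop/checkout/submit fields=name,cc_number,cc_cvv
2025-07-03T12:02:10Z 198.51.100.9 GET https://harborfrieght.shop/checkout
2025-07-03T12:05:00Z 192.0.2.44 GET https://www.harborfreight.com/catalog
2025-07-03T12:06:30Z 192.0.2.44 POST https://www.harborfreight.com/checkout fields=name,cc_number
2025-07-03T12:10:00Z 203.0.113.8 GET https://tommyilfigershop.com/MTc1MTU0MjgwMA/cart
"""


def triage(log_text: str) -> dict[str, dict]:
    """Per host: imitated brand, distinct IPs, base64-epoch path, card-field POST, verdict."""
    report: dict[str, dict] = defaultdict(
        lambda: {"brand": None, "ips": set(), "b64_stamp": False, "payment_post": False}
    )
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, method, url, fields = m.groups()
        split = urlsplit(url)
        host = split.hostname or ""
        entry = report[host]
        entry["brand"] = typosquat_match(host)
        entry["ips"].add(ip)
        if any(b64_timestamp(seg) for seg in split.path.split("/")):
            entry["b64_stamp"] = True
        if method == "POST" and fields and set(fields.split(",")) & PAYMENT_FIELDS:
            entry["payment_post"] = True
    for entry in report.values():
        # ASSUMPTION: a look-alike name plus any one infrastructure signal is enough to block.
        signals = (entry["b64_stamp"], len(entry["ips"]) > 1, entry["payment_post"])
        entry["verdict"] = "block" if entry["brand"] and any(signals) else "allow"
    return dict(report)


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(host, info["verdict"], info["brand"], sorted(info["ips"]),
              "b64_stamp" if info["b64_stamp"] else "-", "card_post" if info["payment_post"] else "-")
```

The point of combining the signals is that none of them is decisive alone: a brand name with a spelling error is common in legitimate small shops, a base64 path segment is common in CDNs, and IP churn is normal behind load balancers. A host that shows a look-alike name together with a rotating resolution and card fields leaving the browser is the pattern the article describes, and it is visible in proxy or DNS telemetry even though no file ever lands on the endpoint. Because the kit only arms itself on a “.shop” hostname, any sandbox replay should fetch the page under its original host name rather than from a saved copy.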
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Jul 2025 11:25:15 +0000