2025.07.24
Large-Scale Fake Brand Phishing Campaign Targets Consumer Payment Data
A recent campaign has deployed thousands of phishing sites impersonating major brands, using realistic pages to trick users into entering credit card and Google Pay details.
The operation is highly automated and rapidly scalable, making it difficult to detect through conventional security filters. Its stealth and effectiveness pose an ongoing threat to end users and online commerce platforms.
Attack Details
- Mass registration of deceptive domains: Threat actors registered thousands of domains with minor typos or character swaps that closely mimic official brand URLs. These domains are designed to bypass casual detection.
- High-fidelity website cloning: The attackers cloned legitimate websites using stolen assets—logos, product images, CSS styles, and fonts—creating convincing replicas that appear authentic to users.
- Use of HTTPS and TLS certificates: All phishing pages are served over HTTPS with valid (typically free, automatically issued) TLS certificates, so browsers display the padlock icon. The padlock only confirms an encrypted connection to the domain shown; it says nothing about who operates that domain, yet it gives users an illusion of trust and security.
- Realistic payment workflows: Fake checkout pages offer options like Visa, Mastercard, PayPal, and Google Pay. Once users enter their information, the data is harvested directly by the attackers. In some cases, even virtual Google Pay amounts are siphoned.
Mitigation Recommendations
- Enhance DNS & Web Filtering: Implement filtering to block known malicious and typosquatting domains. Use threat feeds to proactively flag phishing indicators.
- Deploy Anti-Phishing Solutions: Use browser and email-based phishing detection tools that can identify and block spoofed brand assets and scam checkout flows.
- Educate End Users: Conduct awareness training on phishing tactics, emphasizing how to recognize fake websites, suspicious payment pages, and minor domain typos.
- Monitor External Payment Traffic: Review logs for unusual traffic toward known phishing infrastructure, especially in relation to payment gateways.
- Report & Collaborate: Share IOCs and suspicious URLs with threat intelligence communities and domain registrars to support takedown efforts.
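The DNS and web filtering recommended above depends on recognising near-miss domains before a user reaches them. As an added example that is not part of the original advisory, the Python script below screens candidate domains (for example from DNS logs or a newly-registered-domain feed) against a protected brand list, treating the minor typos, adjacent character swaps and digit-for-letter substitutions described in the campaign as small edits; the brand list, distance threshold and homoglyph map are constructed assumptions.

```python
# Added example, not from the advisory: flag domains that sit within a small edit
# distance of a protected brand domain, or that embed the brand as a subdomain.

# Constructed sample brand list; assumed to contain only lowercase letters, '-' and '.'.
PROTECTED_BRANDS = {"example-shop.com", "brandpay.com"}

# Constructed, deliberately partial homoglyph map: digits attackers swap for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    prev2, prev = None, list(range(len(b) + 1))      # rows i-2 and i-1 of the DP table
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)           # adjacent transposition counts as one edit
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lowercase, fold common homoglyphs and two-letter look-alikes ('rn' -> 'm', 'vv' -> 'w')."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def suspicious_domains(candidates, brands=PROTECTED_BRANDS, max_distance=2):
    """Map each suspicious candidate to (matched brand, reason); the real brand domains are ignored."""
    hits = {}
    for cand in candidates:
        cand_l = cand.lower().rstrip(".")
        if cand_l in brands:
            continue
        norm = normalize(cand_l)
        for brand in brands:
            dist = damerau_levenshtein(norm, brand)
            if dist <= max_distance:
                hits[cand] = (brand, f"edit distance {dist} after homoglyph folding")
                break
            # Brand label used as a subdomain of an unrelated registrable domain.
            if brand.split(".")[0] in cand_l.split(".")[:-1]:
                hits[cand] = (brand, "brand label embedded as a subdomain")
                break
    return hits
```

Feed the function a batch of observed or newly registered domains and route the hits to a blocklist review queue; a threshold of 2 keeps the list short enough to triage, while `normalize` catches the digit-for-letter swaps that pure edit distance would otherwise score at 1 each.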