Beware of Fake Chinese E-Commerce Sites Imitating Apple, Wrangler, and Exploiting Payment Services like MasterCard and PayPal


A sophisticated phishing campaign, initially spotlighted by Mexican journalist Ignacio Gómez Villaseñor, has evolved into a sprawling global threat, as revealed by Silent Push Threat Analysts.

What began as a targeted attack on Spanish-language audiences during Mexico’s “Hot Sale 2025”, an annual sales event akin to Black Friday, has expanded into a massive fake marketplace scam affecting English- and Spanish-speaking users worldwide.

Global Phishing Campaign Targeting Shoppers

Silent Push’s deep dive into this operation uncovered thousands of fraudulent websites spoofing major retailers such as Apple, Harbor Freight Tools, Wrangler Jeans, REI, Wayfair, and Michael Kors, among others.

Even more alarmingly, these scam sites abuse trusted payment services like MasterCard, Visa, PayPal, and Google Pay to steal user data and payments under the guise of legitimate transactions.

A critical technical fingerprint, embedded with Chinese words and characters within the infrastructure, strongly suggests that the developers behind this network hail from China, pointing to a coordinated and well-resourced threat actor group.

The scale and cunning of this campaign are evident in the meticulous replication of well-known brand identities and the exploitation of secure payment mechanisms to build user trust.

Exploiting Trust in Payment Systems

Silent Push analysts observed that many of these phishing sites, such as “rizzingupcart[.]com,” integrate authentic Google Pay widgets, which typically safeguard users by using virtual card numbers instead of exposing real credit card details.

However, the threat actors bypass this security by accepting payments and failing to deliver products, effectively pocketing funds without fulfilling orders.

Additionally, sloppy implementations such as “harborfrieght[.]shop” (a misspelling of Harbor Freight) cloning the Wrangler Jeans website reveal the rushed yet expansive nature of this operation.

Figure: The “harborfrieght[.]shop” fake website featured a clone of the Wrangler Jeans site

Other domains, like “guitarcentersale[.]com” and “nordstromltems[.]com,” inconsistently mimic their targets by displaying unrelated products, a clear red flag for attentive users.

Despite many sites being taken down by hosts after detection, thousands remain active as of June 2025, highlighting the limitations of traditional reactive cybersecurity measures against such persistent, large-scale threats.

According to the report, Silent Push emphasizes proactive defense through its Indicators of Future Attack (IOFA) feeds, designed to preemptively identify and mitigate these risks before they impact consumers or organizations.

This campaign not only jeopardizes individual shoppers but also undermines trust in major brands and online payment ecosystems.

Silent Push continues to track this evolving threat, urging users and organizations to remain vigilant and report suspicious activity.

Below is a sample of Indicators of Compromise (IOCs) associated with this phishing network to aid in community defense efforts.

Sample Indicators of Compromise (IOCs)

| Domain Name | Description |
|---|---|
| cotswoldoutdoor-euro[.]shop | Fake marketplace site |
| harborfrieght[.]shop | Spoofs Harbor Freight Tools |
| portal[.]oemsaas[.]shop | Part of phishing network |
| rizzingupcart[.]com | Integrates Google Pay widget |
| brooksbrothersofficial[.]com | Spoofs Brooks Brothers |
| josbankofficial[.]com | Spoofs Jos. A. Bank |
| nordstromltems[.]com | Spoofs Nordstrom |
| guitarcentersale[.]com | Spoofs Guitar Center |
| tommyilfigershop[.]com | Spoofs Tommy Hilfiger |
| tumioutlets[.]com | Fake outlet site |
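
The spoofed domains above follow two naming patterns: a brand name with filler words attached, or a brand name with a letter swapped or dropped. The following Python sketch is an added example, not part of the Silent Push report, showing how a defender could flag both patterns in a domain feed. The brand watchlist, allowlist, similarity threshold and function names are assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Assumed watchlist: brand names from the article, lowercased with spaces removed.
BRANDS = ["harborfreight", "nordstrom", "tommyhilfiger", "guitarcenter",
          "brooksbrothers", "josbank", "tumi"]
# Assumed allowlist of brand-owned domains; maintain your own verified list.
OFFICIAL = {"nordstrom.com"}
THRESHOLD = 0.9  # assumed similarity cut-off for a misspelled brand

def refang(domain):
    """Turn a defanged indicator like 'a[.]b' back into 'a.b'."""
    return domain.replace("[.]", ".").strip().lower()

def label_of(domain):
    """Label left of the TLD, alphanumerics only (naive: assumes a one-label TLD)."""
    parts = refang(domain).split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return "".join(ch for ch in label if ch.isalnum())

def window_similarity(label, brand):
    """Best similarity between the brand and any brand-sized slice of the label."""
    best = 0.0
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for i in range(max(1, len(label) - size + 1)):
            best = max(best, SequenceMatcher(None, label[i:i + size], brand).ratio())
    return best

def classify(domain):
    """Return (brand, reason) for a suspected lookalike, or None."""
    if refang(domain) in OFFICIAL:
        return None
    label = label_of(domain)
    for brand in BRANDS:
        if brand in label:  # exact brand plus filler such as 'sale' or 'official'
            return brand, "brand-embedded"
    for brand in BRANDS:
        if window_similarity(label, brand) >= THRESHOLD:  # swapped or dropped letter
            return brand, "near-miss"
    return None

# Constructed input: defanged domains from the article's IOC table plus one
# allowlisted control.
SAMPLE = ["harborfrieght[.]shop", "tommyilfigershop[.]com", "nordstromltems[.]com",
          "guitarcentersale[.]com", "rizzingupcart[.]com", "nordstrom.com"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d, "->", classify(d))
```

Short brand names such as "tumi" can match unrelated domains by substring, so hits from this kind of check are leads for review rather than verdicts.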
