Cybersecurity firm Silent Push has exposed a massive phishing scam originating from China, which has created thousands of fake e-commerce websites designed to trick online shoppers. These fraudulent sites mimic well-known brands and aim to steal sensitive financial information, impacting both English and Spanish-speaking consumers worldwide.
According to Silent Push’s research, shared with Hackread.com ahead of its publishing on July 2nd, 2025, the investigation began after a crucial tip from Mexican journalist Ignacio Gómez Villaseñor.
Villaseñor’s May 26, 2025, X/Twitter post highlighted a threat actor specifically targeting Hot Sale 2025, a major annual sales event in Mexico, similar to Black Friday in the United States. It ran from May 26 to June 3, 2025, and is sponsored by the Asociación Mexicana de Ventas Online (AMVO).
How the Scam Works
The scammers create convincing fake versions of popular retail websites, including those of Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans. While these sites appear to offer products, they do not process actual purchases. Instead, they are designed to capture credit card details entered by unsuspecting users.
A key finding from tests carried out by Publimetro México, as reported by Gómez Villaseñor, was that “by entering false bank card data into these portals, the system reacts as if you were actually processing a payment.”
This includes displaying “reserved cart” timers and logos of legitimate payment services like Visa, MasterCard, PayPal, Oxxo, and SPEI. This elaborate simulation is intended to build trust and allow the criminals to steal information without immediate suspicion.
Credit Card Theft and More
Silent Push also found that some of these fake websites, such as rizzingupcartcom, integrated real Google Pay purchase widgets. While Google Pay typically offers enhanced security by using virtual card numbers, the threat actors still exploit this by simply not delivering the “purchased” goods after payment, researchers noted. This means even payments made through Google Pay are at risk of leading to financial loss, even if the direct credit card details are not compromised.
Silent Push has high confidence in the Chinese origin of this network, based on a private technical fingerprint found within the scam’s infrastructure, which includes Chinese words and characters. The sheer scale of the operation is significant, with thousands of fraudulent domains identified.
Many of these sites show sloppy errors, like harborfrieghtshop (a misspelling of Harbor Freight), which strangely displayed a cloned version of the Wrangler Jeans site. Other examples include guitarcentersalecom, which offered children’s accessories instead of musical instruments, and nordstromltemscom (note the “l” instead of an “i” in “items”), which was a direct copy of the fake Guitar Center site.
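An added example, not from Silent Push or the article: a triage check that flags domain strings which embed or misspell a watched brand, run over the domain strings quoted above. The brand watchlist, the function names and the distance threshold are assumptions made for illustration.

```python
# Watchlist of brand strings (assumed; taken from brands the article names).
BRANDS = ["harborfreight", "guitarcenter", "nordstrom", "wrangler"]

# Domain strings exactly as quoted in the article (sample input).
SAMPLES = ["harborfrieghtshop", "guitarcentersalecom",
           "nordstromltemscom", "rizzingupcartcom"]


def osa_distance(a, b):
    """Edit distance counting an adjacent swap (ie/ei) as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + int(ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify(label, brands=BRANDS, max_dist=1):
    """Return (brand, distance) for the closest embedded brand, else None.

    distance 0 = brand embedded with extra text; 1 = misspelled brand.
    """
    label = label.lower()
    if label in brands:
        return None  # the brand string itself is not a lookalike
    best = None
    for brand in brands:
        n = len(brand)
        # Slide windows of brand length +/- 1 to catch dropped or added letters.
        for width in (n - 1, n, n + 1):
            for start in range(max(1, len(label) - width + 1)):
                d = osa_distance(label[start:start + width], brand)
                if d <= max_dist and (best is None or d < best[1]):
                    best = (brand, d)
    return best


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:22} -> {classify(s)}")
```

A hit is a triage signal only: a brand's own secondary domains would also match, so a real deployment needs an allowlist of known-good names.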
Despite some of these sites being taken down, thousands were still active as of June 2025, highlighting the persistent nature of this threat. Silent Push continues to track this widespread phishing campaign and urges consumers to be cautious when shopping online.