
The Dark Water Journal: Phashionista

Sergiu Sechel
The Dark Water Journal
8 min read · Dec 25, 2019


The following article presents an independent investigation into the world of online shopping scams using counterfeit fashion goods. During the last few weeks I tracked three campaigns designed to scam users into making payments for fake (and often bogus) fashion items while revealing sensitive financial and personal information about themselves. The attackers used several domains to host the e-commerce websites, and changed them frequently whenever these domains were flagged and blacklisted.

Chapter 1: Michael Kors Store Scam

The first campaign that I uncovered was against the Michael Kors fashion brand. The attacker deployed a full e-commerce website with a Zen Cart back-end to deliver an authentic shopping experience to unsuspecting users. The websites featured heavily discounted Michael Kors leather goods and accessories which could be shipped anywhere in the world. Once the order was placed the user was requested to make the payment via PayPal. So far the narrative was in line with what I expected to see in a small e-commerce website (in terms of basic functionality), regardless of the type/origin of goods sold through it. But in this case there was one exception: I found exact replicas of the website under several domain names which followed the syntax <xx>mks.com. Using BlackShark and a number of threat intelligence feeds I discovered several instances of the e-commerce website. The next step was to analyze them to see what their purpose was, and whether they were deployed by the same entity.

1. TZMKS.COM

Domain Name: tzmks.com
Registry Domain ID: 2466184547_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2019-12-24T07:00:00Z
Creation Date: 2019-12-11T07:00:00Z
Registrar Registration Expiration Date: 2020-12-11T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Phone: +1.4805240066
Name Server: ns-a1.conoha.io
Name Server: ns-a2.conoha.io
Name Server: ns-a3.conoha.io
DNSSEC: unsigned

TZMKS.COM was the first website discovered. According to the WHOIS data it was registered on December 12, 2019 and the owner’s identity is protected.

The main page of the website looks decent enough to fool unsuspecting users. It features heavily discounted products, vivid imagery and all the functionalities that an average user would expect from an e-commerce website. I placed an order while analyzing what was happening in the background with an interception proxy.

Michael Kors scam store TZMKS.COM

The checkout page allows users to either register/login to their client profiles or check out as guests without registering for an account. I used the guest checkout and filled in all the billing and shipping information. The last step in the checkout process requires the user to make the payment via PayPal. If the user agrees, the order is processed and the user is redirected to the PayPal payment page, where the credit card data for the transaction can be filled in. Nothing unusual so far, at least not from the user’s perspective. There is just a split-second glitch when the user submits the order for payment: the website domain in the address bar changes briefly before the PayPal page is loaded. In the background two things happen when the user submits the order:

  • the user data is sent to the ajawright17195@gmail.com email address
  • the tzmks.com website loads the PayPal payment mechanism through another website, in this case mpoks.top

TZMKS.COM back-end action which sends user data to the attacker email address

The same workflow was seen across all three campaigns. TZMKS.COM was still online when this article was written.

2. HEMKS.COM

Domain Name: hemks.com
Registry Domain ID: 2427583407_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2019-12-19T07:00:00Z
Creation Date: 2019-08-27T07:00:00Z
Registrar Registration Expiration Date: 2020-08-27T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Phone: +1.4805240066
Name Server: isaac.ns.cloudflare.com
Name Server: roxy.ns.cloudflare.com
DNSSEC: unsigned

Michael Kors scam store HEMKS.COM
HEMKS.COM back-end action which sends user data to the attacker email address

HEMKS.COM was the second website analyzed. The WHOIS data revealed that the domain was registered on December 19, 2019.

The main page of the website looks identical to the TZMKS.COM website. The same order workflow was followed and the payment was processed through PayPal. In the background the same actions were identified as in the case of TZMKS.COM:

  • the user data is sent to the joannacadlandry@gmail.com email address
  • the hemks.com website loads the PayPal payment mechanism through another website, in this case mioks.top

While there is a difference between the email addresses and back-end websites used by TZMKS and HEMKS, the HEMKS website shares the same email address and back-end website with WLMKS.COM and VQMKS.COM.

3. WLMKS.COM

Domain Name: wlmks.com
Registry Domain ID: 2458673456_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2019-12-25T07:00:00Z
Creation Date: 2019-11-22T07:00:00Z
Registrar Registration Expiration Date: 2020-11-22T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Phone: +1.4805240066
Name Server: george.ns.cloudflare.com
Name Server: lorna.ns.cloudflare.com
DNSSEC: unsigned

Michael Kors scam store WLMKS.COM
WLMKS.COM back-end action which sends user data to the attacker email address

WLMKS.COM was registered on December 25, 2019, a few days after HEMKS. WLMKS.COM is an exact replica of the HEMKS.COM website, and it shares with HEMKS.COM the same email address and back-end website used to take payment for counterfeit goods.

The three websites which were still active at the moment when this article was written were not deployed at the start of the campaign. More domain names were identified but several were suspended or blacklisted. This campaign is several months old and one of the websites which remained active for more than one month, VQMKS.COM, is presented below:

4. VQMKS.COM

Domain Name: vqmks.com
Registry Domain ID: 2458673459_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2019-11-23T01:18:12Z
Creation Date: 2019-11-23T01:08:03Z
Registry Expiry Date: 2020-11-23T01:08:03Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Name Server: COBY.NS.CLOUDFLARE.COM
Name Server: JOCELYN.NS.CLOUDFLARE.COM
DNSSEC: unsigned

Michael Kors scam store WLMKS.COM
VQMKS.COM back-end action which sends user data to the attacker email address

VQMKS.COM is the oldest active website in the Michael Kors scam/phishing campaign, having been registered on November 23, 2019. Like HEMKS, WLMKS and TZMKS it is an exact replica of the online store which is supposed to sell Michael Kors leather goods at highly discounted prices. Like the previous two websites, VQMKS shares the same checkout process, attacker email address and back-end website to facilitate the payment of purchased goods.

Chapter 2: Louis Vuitton Outlet Scam

The discovery of the Michael Kors campaign made me curious to look for similar scams. There are numerous e-commerce websites selling counterfeit goods, and numerous scam and phishing sites, but they are not usually deployed at scale. The “xxMKS” campaign used more than 40 domains in the last 2 months and was still active when the article was written.

Fortunately I discovered a similar campaign which was targeting the high-end luxury brand Louis Vuitton. The two examples presented below share the same checkout workflow as the Michael Kors campaign, but the email address and back-end websites are different.

1. LUXURYBAGSHUT.COM and LVWISH.COM

Domain Name: luxurybagshut.com
Registry Domain ID: 2452397877_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-11-07T14:25:09Z
Creation Date: 2019-11-07T14:25:08Z
Registrar Registration Expiration Date: 2020-11-07T14:25:08Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.4806242505
Name Server: CAROL.NS.CLOUDFLARE.COM
Name Server: EVAN.NS.CLOUDFLARE.COM
DNSSEC: unsigned

Domain Name: lvwish.com
Registry Domain ID: 2466590945_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-12-13T07:04:43Z
Creation Date: 2019-12-13T05:27:45Z
Registrar Registration Expiration Date: 2020-12-13T05:27:45Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.4806242505
Name Server: GINA.NS.CLOUDFLARE.COM
Name Server: LOGAN.NS.CLOUDFLARE.COM
DNSSEC: unsigned

Louis Vuitton scam store LUXURYBAGSHUT.COM
LUXURYBAGSHUT.COM back-end action which sends user data to the attacker email address
Louis Vuitton scam store LVWISH.COM
LVWISH.COM back-end action which sends user data to the attacker email address

Both LUXURYBAGSHUT.COM and LVWISH.COM share the same checkout workflow together with the same back-end website for payment initiation, and the same email address where the user sensitive information is sent to. In both cases the user data is sent to the kerry32@yeah.com email address and the back-end website used to call the PayPal API is lurrcty.network.

Chapter 3: MirrorPurse Shopping Scam

Domain Name: MIRRORPURSE.COM
Registry Domain ID: 2324254257_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.paycenter.com.cn
Registrar URL: http://www.xinnet.com
Updated Date: 2019-09-22T05:00:51Z
Creation Date: 2018-10-22T06:21:16Z
Registry Expiry Date: 2021-10-22T06:21:16Z
Registrar: Xin Net Technology Corporation
Registrar IANA ID: 120
Registrar Abuse Contact Email: supervision@xinnet.com
Registrar Abuse Contact Phone: +86.1087127926
Domain Status: ok https://icann.org/epp#ok
Name Server: ARA.NS.CLOUDFLARE.COM
Name Server: GEORGE.NS.CLOUDFLARE.COM
DNSSEC: unsigned

Scam fashion and high-end luxury store MIRRORPURSE.COM
MIRRORPURSE.COM back-end action which sends user data to the attacker email address

The MIRRORPURSE.COM website uses the same TTPs (tactics, techniques, procedures) as the Michael Kors and Louis Vuitton shopping scams. But unlike the first two campaigns, which were targeting single brands, MIRRORPURSE.COM is a full-fledged online shopping mall, offering products from numerous luxury brands like Rolex, Dior, Chanel, Gucci, Versace, Balenciaga, Saint Laurent etc. It looks like the attacker put more effort into the design of the website, but it doesn’t look as professional as some of the legitimate shopping websites which sell high-end luxury products.

The checkout workflow is more or less identical with the one presented in the other two campaigns. The user data is sent to the mrhuangproject@gmail.com email address, while the website used to call the PayPal API is febagshop.top.

Both febagshop.top and lurrcty.network (used by the Louis Vuitton scams) have virtually the same front-end, as can be seen below:

febagshop.top
lurrcty.network

Conclusions

Without making any attribution, it appears that all three campaigns originated in the APAC area. The attacker is using website templates which he can deploy with ease on several domains, with the intent to sell high-end luxury goods of questionable origin while also gathering personally identifiable information from users.

The anatomy of the scam is presented in the following diagram. The use of different back-end websites to initiate the payment process offers a strong indication that the attacker is trying to add layers of complexity between himself and the operation and hinder the forensic analysis.
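The linking of domains into campaigns above (HEMKS, WLMKS and VQMKS via one mailbox and one payment back-end; the two Louis Vuitton stores via another) can be reproduced mechanically. The following Python is an added example, not code from the article: it parses a WHOIS record in the format quoted above (a constructed excerpt) and pivots the exfil addresses and payment back-ends transcribed from the article to cluster the domains by shared infrastructure.

```python
from collections import defaultdict

# Constructed WHOIS excerpt in the format quoted in the article (fields trimmed).
WHOIS_SAMPLE = """Domain Name: tzmks.com
Registrar: NameSilo, LLC
Creation Date: 2019-12-11T07:00:00Z
Name Server: ns-a1.conoha.io
Name Server: ns-a2.conoha.io
"""

# Observations transcribed from the article: domain -> (address that receives
# the checkout data, site through which the PayPal page is loaded).
OBSERVATIONS = {
    "tzmks.com": ("ajawright17195@gmail.com", "mpoks.top"),
    "hemks.com": ("joannacadlandry@gmail.com", "mioks.top"),
    "wlmks.com": ("joannacadlandry@gmail.com", "mioks.top"),
    "vqmks.com": ("joannacadlandry@gmail.com", "mioks.top"),
    "luxurybagshut.com": ("kerry32@yeah.com", "lurrcty.network"),
    "lvwish.com": ("kerry32@yeah.com", "lurrcty.network"),
    "mirrorpurse.com": ("mrhuangproject@gmail.com", "febagshop.top"),
}

def parse_whois(text):
    """Parse 'Key: value' lines; repeated Name Server lines are collected."""
    record = {"Name Server": []}
    for key, sep, value in (line.partition(":") for line in text.splitlines()):
        if sep and key.strip() == "Name Server":
            record["Name Server"].append(value.strip().lower())
        elif sep:  # any other field; lines without a colon are skipped
            record[key.strip()] = value.strip()
    return record

def cluster_domains(observations):
    """Union domains sharing any indicator (transitively); largest cluster first."""
    parent = {d: d for d in observations}
    def find(x):  # follow parent links to the cluster representative
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}  # indicator value -> first domain observed using it
    for domain, indicators in observations.items():
        for value in indicators:
            if value in first_seen:
                parent[find(domain)] = find(first_seen[value])
            else:
                first_seen[value] = domain
    groups = defaultdict(set)
    for domain in observations:
        groups[find(domain)].add(domain)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))
```

Feeding the same clustering with registrar and name-server provider from parsed WHOIS records gives a second, weaker pivot that can be compared against the checkout-based one.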

All campaigns were still active at the moment when the article was published.

Phashionista scam diagram. Icons sourced from Streamline.

Indicators of compromise (IOCs)

Attacker’s Email Addresses

  • ajawright17195@gmail.com
  • joannacadlandry@gmail.com
  • kerry32@yeah.com
  • mrhuangproject@gmail.com

Michael Kors Scam Domains

Louis Vuitton Scam Domains

  • lvwish.com
  • luxurybagshut.com
  • hiluxurybags.site
  • okluxurybags.monster
  • mirrorpurse.com

Back-end Payment Websites

  • mpoks.top
  • mioks.top
  • lurrcty.network
  • febagshop.top

Sergiu Sechel
The Dark Water Journal

PhD, CISA, CISM, CRISC, CFE, CEH, CBP, CSSLP, CDPSE, GICSP, GPEN, GWAPT, GCFA, GNFA, GASF, GCTI, GREM, PMP