Uncovering Black-hat SEO based fake E-commerce scam groups from their redirectors and websites

TL;DR

This paper analyzes a large dataset of nearly 700,000 fake e-commerce sites to identify and track threat actor groups using black-hat SEO and redirectors, revealing 17 active groups over two and a half years.

Contribution

It introduces a comprehensive analysis of threat groups behind fake e-commerce scams using extensive data and link analysis tools, expanding understanding of their infrastructure and activity patterns.

Findings

Identified 17 active threat groups during the dataset period.

Tracked group activity over two and a half years using time series analysis.

Analyzed links between fake sites and redirectors with Maltego and custom programs.

Abstract

While law enforcements agencies and cybercrime researchers are working hard, fake E-commerce scam is still a big threat to Internet users. One of the major techniques to victimize users is luring them by black-hat search-engine-optimization (SEO); making search engines display their lure pages as if these were placed on compromised websites and then redirecting visitors to malicious sites. In this study, we focus on the threat actors conduct fake E-commerce scam with this strategy. Our previous study looked at the connection between some malware families used for black-hat SEO to enlighten threat actors and their infrastructures, however it shows only a limited part of the whole picture because we could not find all SEO malware samples from limited sources. In this paper, we aim to identify and analyze threat actor groups using a large dataset of fake E-commerce sites collected by Japan Cybercrime Control Center, which we believe is of higher quality. It includes 692,865 fake EC sites gathered from redirectors over two and a half years, from May 20, 2022 to Dec. 31, 2024. We analyzed the links between these sites using Maltego, a well-known link analysis tool, and tailored programs. We also conducted time series analysis to track group changes in the groups. According to the analysis, we estimate that 17 relatively large groups were active during the dataset period and some of them were active throughout the period.