Subscription-Based Scams Exploit Users to Harvest Credit Card Data

Bitdefender researchers have uncovered an alarming escalation in subscription-based scam operations, marked by a sprawling campaign leveraging hundreds of fraudulent websites.

These scams are no longer limited to amateurish phishing; threat actors now deploy meticulously designed platforms that mimic legitimate e-commerce portals, offering everything from apparel and electronics to beauty products.

The goal remains singular: to extract credit card data and personal information from unsuspecting users worldwide.

Surge in Sophisticated Subscription Scams Targets Consumers Globally

Unlike classic phishing campaigns relying on suspicious emails or crude messages, these new scams harness advanced social engineering and professional design tactics.

Fraudsters have invested heavily in web development, social media marketing, and advertising, particularly on platforms like Facebook, to drive traffic to their bogus sites.

The campaign, which was traced to a nexus of more than 200 interconnected websites, frequently references a single Cyprus address, suggesting that operations may be routed through offshore entities to obscure accountability and complicate law enforcement efforts.

A particularly insidious variant is the “mystery box” scam, where users are lured by the promise of purchasing a box of valuable, unspecified goods at a seemingly bargain price.

However, in the fine print, or through intentionally opaque payment flows, victims unwittingly sign up for recurring subscription charges.

These charges can range from bi-weekly debits to tiered memberships, often disguised as loyalty benefits or exclusive shopping privileges.

Once an individual reaches the payment phase, critical thinking is often suspended, making them susceptible to additional fraudulent up-sells or multi-layered scams.

Mystery Box Racket and Fake Online Shops Drive Personal Data Theft

Enhancing the campaign’s reach, scammers create fake Facebook pages and purchase legitimate-looking ads, sometimes even impersonating real content creators or established brands.

[Figure: sponsored ads]

The deception is further masked by technical tricks such as homoglyph domains, ad campaigns with randomized product imagery, and dynamic content delivered from cloud storage services, which aids in bypassing automated security filters.

Some fraudulent accounts are built from scratch with AI-generated names, while others compromise and repurpose legitimate pages to enhance their credibility.

What distinguishes this evolving scam architecture is the convoluted subscription model, interwoven with fake store credits, complex discount structures, and misleading offers of VIP or loyalty perks.

[Figure: VIP tier]

Victims, thinking they are investing in bargains, are actually consenting to regular withdrawals from their accounts, typically with minimal recourse for refunds or cancellation.

Many targets discover their losses only after several billing cycles have lapsed.

The campaign’s infrastructure displays remarkable homogeneity in design and theme, further indicating centralized planning.

Payment pages, such as those referencing “naillr[.]com,” act as gateways between seemingly unrelated cashback clubs or VIP memberships, mechanisms designed to confuse users and security researchers alike.

Notably, Bitdefender found that the Cyprus business address used by these sites also appeared in the ICIJ Offshore Leaks Database, raising suspicions about links to broader criminal or money-laundering networks.

As scam fatigue reduces the effectiveness of traditional mystery box schemes, fraudsters rapidly pivot, expanding into counterfeit goods, fake investments, supplements, and low-quality products.

The digital arms race continues, with scam operators regularly updating ad creatives, rotating domain names, and altering site content to stay ahead of automated defenses and public awareness.

Bitdefender warns that the only way to mitigate risk is through vigilant consumer education, improved detection of deceptive ad campaigns, and coordinated law enforcement action spanning international jurisdictions.

IOCs


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
