Executive Summary: Mass Fake-Shop Campaign Targeting Retail Customers
Date: November 2025
Source: PreCrime™ Labs
In November 2025, PreCrime™ Labs, the research division of BforeAI, identified a campaign that leverages mass registration of fake online shop domains to impersonate legitimate retailers, facilitate financial fraud, and in certain instances, distribute malware through counterfeit checkout systems and redirect payloads.
The analysis covers 244 domains registered since the start of the year, revealing coordinated infrastructure abuse spanning multiple registrars, hosting providers, and autonomous systems. Registration and DNS telemetry indicate a well-structured operation with distinct clusters, primarily originating from Chinese infrastructure providers and utilizing domain privacy services to obscure attribution.

Key Metrics
| Metric | Value |
|---|---|
| Total fake shop domains | 244 |
| Unique registrars | 43 |
| Top registrar | West263 International Limited (46 domains) |
| Top registrant country | China (79 domains) |
| Most abused nameserver | ns1.dyna-ns.net (33 domains) |
| Peak registration month | October (78 domains) |
The overall trend indicates an ongoing, industrialized operation focusing on retail brand impersonation, coinciding with global shopping events like Black Friday and Singles’ Day.
Registrar Metrics & Analysis
| Rank | Registrar | Domains | Observations |
|---|---|---|---|
| 1 | West263 International Limited | 46 | Predominantly Chinese infrastructure, recurring abuse history |
| 2 | Dynadot Inc | 41 | Common abuse registrar, recurring in retail phishing |
| 3 | NameSilo, LLC | 16 | Fast acquisition cycles, often with privacy masking |
| 4 | Alibaba Cloud / HiChina | 13 | Consistent Chinese origin, obfuscated WHOIS |
| 5 | Sav.com, LLC | 11 | US-based, increasingly leveraged in global campaigns |
Top 10 Domain Registrars by Campaign Domain Count
Registrars in this set demonstrate repeat exposure to large-scale abuse, likely due to weak screening or automated acceptance pipelines that facilitate high-volume registrations from scripted actors.
| Country of Registration | Domains |
|---|---|
| China | 79 |
| United States | 30 |
| Iceland | 8 |
| Spain | 2 |
| Others (Mixed) | Remaining |
Top Registrant Countries (Fake Shop Domains)
China remains the dominant operational base, with several fake registrant addresses mimicking European retailers but mapping back to Chinese providers through IP WHOIS lookups and ASN correlation.
DNS / Infrastructure (ASN Overview)
| Nameserver | Domains | Observation |
|---|---|---|
| ns1.dyna-ns.net | 33 | Common across multiple fake shops |
| dns1.registrar-servers.com | 15 | Shared by clusters hosted on NameSilo |
| ns1.dnsip.com | 14 | Consistent among parked/redirected domains |
| ns1.dnsowl.com | 10 | Frequently linked to cloned storefronts |
| ns1.alidns.com | 8 | Indicative of Alibaba-backed infrastructure |
| augustus.ns.cloudflare.com | 7 | Used for proxy obfuscation and DDoS cover |
Pivot Observation:
Shared nameservers indicate mass parking and infrastructure recycling, with potential to correlate related domains via urlscan.io, DNSlytics, and PassiveTotal ASN mapping.
Registration Trends
Peak registration months:
- October (78 domains)
- July–August (~27–28 each)
- Sharp rise beginning June, coinciding with global sale events.
Trend Analysis:
Campaign actors synchronize domain creation with major retail periods—Prime Day, back-to-school, Black Friday—maximizing user engagement and ad visibility through social and paid promotion platforms.
WHOIS & Attribution Patterns
- Over 50% of WHOIS entries use privacy-protection or redacted fields.
- West263 and Dynadot dominate among China-based registrants, both previously flagged for recurring abuse in similar retail-themed phishing operations.
- A subset of domains lists U.S. or EU locations but resolves to Chinese ASNs, revealing fraudulent WHOIS entries.
DNSlytics & ASN Insights
Pivoting across DNSlytics and ASN records reveals clear subnet overlaps, indicating the same hosting blocks being reused for new clusters every few weeks. While some use Cloudflare fronting to hide real origin IPs, backend ASN metadata consistently leads to Chinese or Hong Kong infrastructure.
Pivoting with OSINT
Cross-referencing campaign domains through OSINT exposes strong correlation between clusters:
- Reuse of identical JavaScript libraries, checkout templates, and meta pixel IDs.
- Common patterns of Shopify-like checkout URLs (e.g., /collections/all, /products/item123).
- Identical tracking and analytics endpoints, linking domains across multiple brand impersonations.
These elements confirm the use of automated site-generation tools or template-based kits to mass-produce fake retail shops.
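The pivots described above (shared nameservers, pixel IDs, analytics endpoints) and the templated naming flagged under "Generic sale lures" lend themselves to a simple clustering pass. The following is an added example, not PreCrime Labs code: it links domains transitively through any shared pivot attribute, skips Cloudflare nameservers as a pivot since they front unrelated sites, and flags the keyword-plus-three-digits naming scheme. The pixel IDs and the analytics host in the sample records are hypothetical; the domains are from the report's list.

```python
import re
from collections import defaultdict
# "Generic sale lures" naming: retail keyword + three digits on a cheap TLD the report watches.
GENERIC_STORE_RE = re.compile(r"^[a-z]+[0-9]{3}\.(store|site|shop|top|xyz)$")
# Cloudflare nameservers front so many unrelated sites that sharing one proves nothing.
WEAK_PIVOT_NS = ("cloudflare.com",)

def looks_generic_store(domain: str) -> bool:
    """True if the (possibly defanged) domain matches the templated naming scheme."""
    return bool(GENERIC_STORE_RE.match(domain.lower().replace("[.]", ".")))

def pivot_keys(rec: dict) -> list:
    """Attributes two shops can share: nameserver, Meta pixel ID, analytics endpoint."""
    keys = []
    ns = rec.get("nameserver", "").lower()
    if ns and not ns.endswith(WEAK_PIVOT_NS):
        keys.append(("ns", ns))
    if rec.get("pixel_id"):
        keys.append(("pixel", rec["pixel_id"]))
    if rec.get("analytics_host"):
        keys.append(("analytics", rec["analytics_host"].lower()))
    return keys

def cluster_by_infrastructure(records: list) -> list:
    """Group domains that share any pivot attribute, transitively (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    first_seen = {}  # pivot key -> first domain carrying it
    for r in records:
        for key in pivot_keys(r):
            if key in first_seen:
                parent[find(r["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = r["domain"]
    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

# Constructed sample records (hypothetical pixel IDs and analytics host); domains from the report.
SAMPLE = [
    {"domain": "gymclothes980.store", "nameserver": "ns1.dyna-ns.net", "pixel_id": "P-111"},
    {"domain": "motionsport352.store", "nameserver": "ns1.dnsowl.com", "pixel_id": "P-111"},
    {"domain": "runningsport541.store", "nameserver": "ns1.dyna-ns.net", "analytics_host": "stats.example"},
    {"domain": "sportwears307.store", "nameserver": "augustus.ns.cloudflare.com", "analytics_host": "stats.example"},
    {"domain": "wearsport075.store", "nameserver": "augustus.ns.cloudflare.com", "pixel_id": "P-222"},
]
```

With the sample, four domains chain into one cluster through a shared pixel ID, a shared nameserver and a shared analytics host, while the fifth stays isolated because its only shared attribute is a Cloudflare nameserver.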
Campaign Technique Highlights
| Technique | Description |
|---|---|
| Brand mimicry | Fake stores cloned from major global retailers (Zalando, Birkenstock, Lululemon, Dr. Martens, IKEA, etc.) |
| Automated domain churn | Dozens registered daily to evade blacklisting |
| Privacy shielding | Heavy use of privacy-protected WHOIS data |
| DNS park & deploy | Fast DNS setup, quick redirect changes |
| Social lure vectors | Promotion via TikTok, Facebook, and Google Shopping ads |
| Pivot potential | Shared infrastructure enables expansion tracking |
Interesting Campaigns
Agenda-oriented campaigns
Certain e-commerce websites, for example “peaceforsecurity[.]com”, were being leveraged as high-end fashion clothing stores under the guise of selling “Women Dresses 2025.” The domain is not affiliated with any known legitimate clothing brand and could be part of a phishing or agenda-oriented campaign.
‘PeaceForSecurity’ is an oddly placed domain name for a fashion site; the choice is likely intended to evade detection or to align with Uniqlo’s recent campaign, in which donations were announced for international organizations supporting those affected by violence, discrimination, armed conflict, and poverty.

Ambiguous cross-branding campaigns
In one case, we observed overlapping brands where the fake domain “lululemonsalehub[.]com” was set up to promote hair products, which are not directly related to Lululemon. Additionally, a page title mentioning “Shein” appeared to support a multi-brand impersonation campaign, strategically placed to create ambiguity.

Generic sale lures
Obvious signs of phishing websites include spelling errors and irrelevant keyword placements. For instance, sites like “www[.]gymclothes980[.]store” use generic online store templates with nonsensical names, such as “adsdsa34243234,” alongside lure elements like “free shipping” to facilitate financial fraud and/or personally identifiable information (PII) harvesting.
Domain list:
- motionsport352.store
- runningsport541.store
- gymclothes980.store
- sportwears307.store
- wearsport075.store
- runningtrack679.site

Seasonal sale lures to create urgency
A recently created domain titled “mango-flashsale[.]com” was found to be impersonating the Mango brand by promoting fake “flash sales” designed to deceive users into submitting payment or personal information. The use of the term “Spring Sale” in the page title further exploits seasonal shopping behavior to increase the likelihood of engagement.

Mitigation Summary
- Registry-Level Hold: All confirmed domains were escalated to registrars and registries (notably GMO and Dynadot) for immediate lock/hold.
- Server Takedowns: Hosting providers contacted; several clusters now non-resolving.
- PreCrime™ Watchlist: Indicators of Compromise (IOCs) shared internally for ongoing auto-detection in onboarding scans.
- Next Steps:
  - Continuous monitoring for re-registrations on .xyz, .shop, .top, and .store.
  - Correlation with ongoing TikTok/Meta ad scams targeting retail consumers.
  - Pivot expansion toward .asia and .vip TLDs, which show emerging overlaps.
Conclusion
This campaign demonstrates a highly organized infrastructure-as-a-service model supporting fake online stores at scale. The coordination across registrars, DNS providers, and hosting ASNs suggests a dedicated operation with financial and possibly state-linked fraud motives.
Thanks to proactive engagement with registries and hosting networks, the bulk of these domains are now suspended or non-resolving, but monitoring remains crucial given the operators’ demonstrated resilience and automation capabilities.