GhostVendors – Over 4,000 Fraudulent Domains Impersonate Major Brands

Silent Push Threat Analysts have uncovered a large-scale and technically sophisticated scam campaign dubbed GhostVendors, involving over 4,000 fraudulent domains impersonating dozens of major retail, apparel, and specialty brands globally.

This fake marketplace scam exploits social media advertising platforms primarily Facebook Marketplace to promote counterfeit or non-existent products through thousands of cloned websites designed to mimic legitimate e-commerce portals.

The GhostVendors campaign stands out due to its extensive use of automated domain generation and rapid ad posting-and-removal tactics that challenge current ad transparency and threat tracking mechanisms.

The campaign mainly targets widely advertised brands, leveraging their popularity to lure unsuspecting consumers with unrealistically low prices on spoofed products such as Milwaukee tool boxes, fashion apparel, luxury watches, and even grocery and farm goods.

Technical Analysis and Tactics

Domain Generation and Cloning

The GhostVendors threat actors use domain-generated algorithms (DGA) to rapidly spawn thousands of suspicious websites.

These domains often contain random letter sequences (e.g., wuurkf.com, wrocxop.com, wesonhz.shop) or are slight variations of trusted brand names, enabling the impersonation of authentic marketplaces while evading quick detection and takedown.

Many websites are clones with nearly identical product pages and metadata, simplifying the threat actors’ infrastructure management while amplifying their scam reach.

For example, products like the “Milwaukee 56-Premium 18-Drawer Tool Box Chest” appear across multiple fraudulent domains with similar URLs:

textwuurkf.com/collections/Tool-Box/products/Milwaukee-56-Premium-18-Drawer-Tool-Box-Chest-and-Cabinet-Combo-with-Electronic-Keypad-Lock

A Google dork query such as:

textinurl:/products/milwaukee-56-premium-18-drawer-tool-box-chest-and-cabinet-combo-with-electronic-keypad-lock/

reveals multiple live scam sites with near-identical product offerings.

Exploiting Meta (Facebook) Ad Policies

One of the most technically clever aspects of GhostVendors’ operation is their exploitation of Facebook’s Meta Ad Library policy.

Facebook only retains ads in the library for “social issues, elections, and politics” for a prolonged period, while all other ads including commercial ads are removed once their campaigns are stopped.

GhostVendors rapidly launch ads promoting their fraudulent domains, gaining visibility in the Ad Library.

After a few days, they abruptly end the campaigns, causing the ads to disappear from Meta’s library and erasing the publicly accessible evidence of their scam activity.

This strategy severely hinders threat analysts and brand defenders from monitoring and responding promptly to these malicious advertisements.

Ad Redirect and Domain Switching Techniques

GhostVendors employ a technique where the visible domain in the ad does not always match the destination website users are redirected to after clicking.

For instance, an ad might show wrocxop.com but redirect to wesonhz.shop.

This redirection is often accompanied by an interstitial page to obscure the actual destination, further complicating efforts to map the attacker infrastructure.

Example ad URL parameters often include UTM campaign tracking values such as:

textutm_medium=paid&utm_source=fb&utm_campaign=120225268056530127

These parameters are typical of legitimate marketing campaigns, indicating a deliberate attempt to blend malicious campaigns into standard advertising analytics.

Examples of Observed Domains and Brands Targeted

The GhostVendors campaign targets hundreds of brand names across sectors:

• Retail Giants: Amazon, Costco, Nordstrom, Saks Fifth Avenue, Dollar General
• Footwear: Birkenstock, Crocs, Skechers, Vionic Shoes
• Apparel & Luxury: Rolex, Tommy Bahama, L.L. Bean, Tom Ford Beauty, Goyard
• Sporting Goods & Outdoors: Duluth Trading, Orvis, Mammut Outdoor Gear
• Food & Grocery: Instacart, Total Wine, Omaha Steaks, Luke’s Lobster
• Home & Garden: Bath & Body Works, Yankee Candle, Fast Growing Trees

Fraudulent domains often incorporate the brand name or a word like “sale,” “clearance,” or “outlet” to appear authentic, e.g.:

textbirkenstockfootwearsale.shop
geappliances.life
tractorsupply-us.com
partycitysupersale.shop
tommybahama-megasale.shop

Impact and Defensive Recommendations

Threat to Consumers and Brands

Consumers are at risk of financial fraud, including stolen payment details or non-delivery of goods.

Brands suffer reputational damage and financial losses due to the misuse of their trademarks and the erosion of trust with customers.

Challenges in Detection and Mitigation

• Rapid domain churn and cloning hinder traditional domain blacklisting.
• Ephemeral ad campaigns challenge defenders’ ability to retain evidence and alert stakeholders.
• Limited public data retention policies by platforms like Facebook reduce transparency.
• Redirects and use of multiple domains complicate mapping the threat infrastructure.

Recommendations

• Continuous Monitoring: Deploy automated systems to scrape and archive active ads from Meta and other platforms in near real-time to capture ephemeral campaigns.
• Domain Clustering: Use metadata and URL fingerprinting to identify clusters of fraudulent domains, even as new domains appear.
• Phishing and Scam Awareness: Educate consumers to verify sellers on official brand websites and avoid deals that seem too good to be true.
• Collaboration: Brands should collaborate with platform operators and cybersecurity agencies to quickly report and takedown fraudulent ads and sites.
• Technical Filters: Use machine learning models trained on known DGA patterns and scam content to flag suspicious advertisements and domains.

The GhostVendors campaign represents a sophisticated evolution of fake marketplace scams, leveraging automation, platform policy loopholes, and brand impersonation to execute widespread fraud.

Tackling this requires enhanced technical vigilance, cross-sector collaboration, and adaptive monitoring strategies to protect consumers and uphold brand integrity in the ever-evolving digital advertising landscape.