Threat Intelligence Brief: AI Generated E-Commerce Cyber Threat Targeting Enterprise Procurement

Summary

The StrongestLayer Threat Intelligence team has uncovered a global, AI-driven e-commerce scam network that targets enterprise procurement departments and unsuspecting employees involved in purchasing.

Operating under the guise of luxury fashion brands, these websites deliver high-value offers, leveraging AI to create a consistent façade across multiple languages and regions. The sites lure buyers with promises of low-risk transactions like “cash on delivery,” only to engage them through side-channel VoIP calls and pressure tactics to secure advance payments.

This campaign is particularly notable for its sophisticated use of AI to mass-produce website replicas and exploit trust through fabricated brand personas.

Background and Discovery

Our investigation began when the StrongestLayer Zero Day Detection Engine’s Time Machine module flagged a cluster of websites with strikingly similar layouts and design patterns. Using our Time Machine’s Intent Clustering capabilities, we aggregated sites that appeared to have nearly identical structures, yet were localized for different geographic regions.

These sites were marketed as luxury e-commerce sites, specifically targeting procurement agents and corporate buyers. The intent behind these sites was confirmed by StrongestLayer’s generative AI based algorithms, which harvested and clustered each landing page based on linguistic patterns, imagery, and similar structural red flags.

Findings

Further investigation revealed consistent, AI-driven tactics and structural patterns indicative of a large-scale, sophisticated scam operation aimed at high-value enterprise procurement targets:

  1. Automated Content Replication via AI

    • AI-Generated “About” Pages: Each website featured an AI-created “About” page that used filler Latin phrases, likely overlooked by the attacker. These meaningless snippets were used to feign credibility and sophistication to non-English speaking targets, creating a subtle appeal to enterprise buyers who might find an exotic brand desirable.

    • Template-Based Code Replication: Across all sites, identical code snippets and comments, produced by AI, appeared in the source, with comments mirrored precisely across every iteration. This repeated pattern indicated that the code was copied en masse through AI, reducing the need for manual adjustment and enabling rapid website cloning.

  2. Identical Media and File Structures

    • Image Duplication: The websites utilized identical images with matching MD5 checksums and file names, suggesting a centralized repository. These same images were used across all replicas to build a consistent, recognizable “brand.”

    • Consistent File Paths: Image files were stored using the same directory structures on all sites, indicating uniform AI-driven template generation.

    • Unified Website Framework: Each site operated on an identical backend framework, with only the language and minor visual elements altered to suit different geographic regions. This consistent template was likely powered by an AI capable of cloning and translating site components for each targeted region.

  3. Deceptive E-Commerce Tactics Aimed at Enterprise Buyers

    • “Low-Risk” Transaction Promises: All sites prominently offered cash-on-delivery options, appealing to procurement departments and companies with strict payment policies. While these options minimized upfront risk, they primed the buyer for a follow-up scam.

    • VoIP-Based Payment Scams: Once a purchase was initiated, the buyers received calls from VoIP numbers, attempting to convince them to make advance payments. In certain regions, these calls required buyers to “register” a payment method, which routed to the same operator behind the scenes.

    • Bogus Stock Indicators and Social Media Links: Inventory was manipulated to create urgency (e.g., showing items as “1 piece remaining”), and social links led to inactive profiles or generic placeholders, designed to mimic legitimate social presence without functional contact.

  4. Sophisticated AI-Driven Brand Creation

    • Fictitious Designer Personas: The sites consistently referenced a fictional “fashion designer” named Cynthia Knight, positioned as a renowned luxury designer to increase brand appeal. This persona did not exist outside the scam ecosystem, though the illusion of a celebrity designer gave the sites a sense of credibility.

    • Localized Language Tactics: The campaigns used multilingual AI models to translate site content into various languages. This approach allowed for seamless replication across global markets, reducing scrutiny from local users and making the sites appear tailored to regional audiences.

Detection Methods

This campaign remained undetected by others, but StrongestLayer’s unique capabilities revealed the threat. Our Time Machine’s Intent Clustering Module isolated sites with similar intent signatures, categorizing them based on language, layout, and transactional elements.

Generative AI models then grouped the sites by structural and linguistic patterns, identifying an anomaly within our retro data archive. Using Suricata hunting rules, we expanded our data set to capture further variants in real time, confirming the network’s breadth and the AI’s integral role in replication.

Attacker Tactics and Techniques Unveiled

  • AI generated, duplicate “About” pages with nonsensical Latin or generic multilingual text.
  • Consistent MD5 hash values for identical images across multiple domains.
  • AI generated, shared source code with identical comments and variable naming.
  • Centralized file paths for image storage.
  • VoIP-based contact methods for high-value or international transactions.
  • AI generated, fabricated personas and fake social links, often using identical images and “designer” references.
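Several of the indicators above (matching image checksums, mirrored source comments, shared image directory paths) can be turned into a simple clustering pivot: hash each site's media, normalize its HTML comments, record its asset directory layout, and link any two domains that share at least two of these signals. The script below is an added illustration written for this brief; it is not StrongestLayer's Time Machine or Intent Clustering code. All domains, HTML, paths, comment strings and image bytes in it are constructed for the example, and the `.invalid` TLD is used so nothing resolves.

```python
import hashlib
from collections import defaultdict
from itertools import combinations
import re

# --- Constructed sample snapshots (hypothetical domains, markup and bytes) ---
HERO_PNG = b"\x89PNG\r\n\x1a\nconstructed-hero-image-bytes"  # stand-in for a real image file

# One template, re-used with only the language strings swapped, as the brief describes.
SCAM_TEMPLATE = """<!DOCTYPE html>
<html><head><title>{brand} {tagline}</title></head>
<body>
<!-- hero section start -->
<img src="/assets/img/collection/hero.png">
<!-- sidebar - stock counter -->
<p>{stock}</p>
</body></html>"""

SNAPSHOTS = {
    # domain -> (page HTML, {image path on the site: image bytes})
    "boutique-de.invalid": (
        SCAM_TEMPLATE.format(brand="Boutique", tagline="Luxus", stock="Nur noch 1 Stück"),
        {"/assets/img/collection/hero.png": HERO_PNG},
    ),
    "boutique-fr.invalid": (
        SCAM_TEMPLATE.format(brand="Boutique", tagline="Luxe", stock="1 pièce restante"),
        {"/assets/img/collection/hero.png": HERO_PNG},
    ),
    "boutique-es.invalid": (
        SCAM_TEMPLATE.format(brand="Boutique", tagline="Lujo", stock="Queda 1 pieza"),
        {"/assets/img/collection/hero.png": HERO_PNG},
    ),
    # An unrelated site with its own template, comments and media.
    "unrelated-store.invalid": (
        "<html><body><!-- build 2024-05 --><img src=\"/static/shop/banner.jpg\"></body></html>",
        {"/static/shop/banner.jpg": b"\xff\xd8\xff constructed-jpeg-bytes"},
    ),
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def extract_indicators(html, images):
    """Return the set of (kind, value) indicators for one site snapshot.

    kind is 'md5' (image checksum), 'path' (image directory, file name dropped)
    or 'comment' (whitespace-normalized HTML comment text).
    """
    indicators = set()
    for path, data in images.items():
        indicators.add(("md5", hashlib.md5(data).hexdigest()))
        indicators.add(("path", path.rsplit("/", 1)[0] + "/"))
    for comment in COMMENT_RE.findall(html):
        indicators.add(("comment", " ".join(comment.split())))
    return indicators


def shared_indicators(snapshots, min_domains=2):
    """Map each indicator to the number of domains it appears on, keeping only
    those seen on at least min_domains sites (the values worth pivoting on)."""
    counts = defaultdict(int)
    for html, images in snapshots.values():
        for indicator in extract_indicators(html, images):
            counts[indicator] += 1
    return {ind: n for ind, n in counts.items() if n >= min_domains}


def cluster_sites(snapshots, min_shared=2):
    """Group domains that share at least min_shared indicators (union-find).

    Returns a sorted list of sorted domain lists, one per cluster.
    """
    per_site = {d: extract_indicators(h, imgs) for d, (h, imgs) in snapshots.items()}
    parent = {d: d for d in snapshots}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(snapshots, 2):
        if len(per_site[a] & per_site[b]) >= min_shared:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for d in snapshots:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for cluster in cluster_sites(SNAPSHOTS):
        print("cluster:", ", ".join(cluster))
    for (kind, value), n in sorted(shared_indicators(SNAPSHOTS).items()):
        print(f"  {kind:8} seen on {n} domains: {value}")
```

Requiring two independent signals before linking domains keeps a single coincidence (one shared stock photo, one common framework comment) from merging unrelated sites; the threshold and the indicator kinds are the knobs to tune against your own crawl data.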

Recommendations

  1. Increased Vigilance for Enterprise Procurement: Educate procurement departments on red flags, including “foreign” brands with inconsistent language or incoherent content, cash-on-delivery without limits, and follow-up calls from unverifiable numbers.

  2. Advanced Threat Detection for Zero-Day AI Threats: Enterprises should implement tooling with rigorous analysis to identify AI-created threats designed to bypass signature-based detection methods.

  3. Follow Best Practices for Validated VoIP-Based Scam Detection: Enterprise security teams should consider flagging VoIP numbers used for high-value transactions, especially those claiming to represent luxury brands.
Key Takeaway

This campaign leverages generative AI to scale a global fraud operation targeting enterprise buyers. The fraudulent sites provide high-value goods at enticingly low risk but employ complex side-channel tactics and VoIP follow-ups to extract payment.

The use of AI in content and code replication across multiple languages and regions signals a trend in fraud techniques that bypass traditional detection methods and require AI-based countermeasures for identification.

Indicators of Compromise (IOCs) & Indicators of Future Attack (IOFA)

Safwan Khan

Head of StrongestLayer Threat Intelligence