'Cybercriminals are industrializing deception': new report reveals how major global cybercrime syndicates have infiltrated trusted domains with millions now at risk - here's what you need to know


  • NordVPN & TechRadar uncover three global cybercrime campaigns
  • Legacy FCKeditor flaw exploited to hijack 1,300+ domains; crypto deposit scam tricks victims into fake “fees”
  • Chinese-speaking actor runs 800+ fraudulent e-commerce sites with urgent, too-good-to-be-true offers

A number of large, interconnected, global cybercriminal operations have been found abusing legacy software, people’s trust in digital platforms, and the desire to get rich fast, to target people with malware and wire fraud.

A new research report, published jointly by NordVPN’s Threat Intelligence research unit, and TechRadar’s security team, found the first campaign revolves around legacy software called FCKeditor, an old web-based rich text editor that works inside a browser.

It is like a mini version of Microsoft Word embedded in a website, and it was widely used in early CMS platforms, forums, and admin panels back in the 2000s and early 2010s.


Even though FCKeditor is no longer maintained, many important websites still actively use it, and cybercriminals hunt for them precisely because of it. Back in February 2024, TechRadar reported on “dozens of educational websites” being abused this way to poison search engine results, serve phishing sites to victims, and engage in all kinds of fraudulent activity.

Back then, a security researcher using the alias @g0njxa found the websites of MIT, Columbia University, Universitat de Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and the University of Hawaiʻi all being targeted. Besides university sites, the campaign also targeted government and corporate websites, such as those of the Government of Virginia, the City of Austin, Texas, the Government of Spain, and Yellow Pages Canada.

FCKeditor is no longer maintained and is vulnerable to CVE-2009-2265, a group of directory traversal flaws that allow remote attackers to create executable files in arbitrary directories. According to NordVPN and TechRadar, threat actors have recently used this flaw to compromise more than 1,300 high-value domains, including government, public and corporate websites, high-value brands, and research institutions.

After taking over the sites, the crooks would use them as launchpads to distribute malware or redirect traffic to fake e-commerce sites and phishing pages.
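Because the abuse described above leaves a trace in web server access logs, a defender can flag requests that reach a legacy FCKeditor file-manager endpoint, and especially ones that combine an upload command with a directory traversal sequence. The following is an added detection example, not code from the report or from NordVPN/TechRadar; the sample log lines are constructed, and the `/editor/filemanager/` path and the `Command=FileUpload`/`CurrentFolder` parameters are assumed from FCKeditor's standard layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "POST /fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=..%2F..%2F HTTP/1.1" 200 90
203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /fckeditor/editor/filemanager/browser/default/browser.html HTTP/1.1" 200 4000
198.51.100.2 - - [01/Jan/2025:10:00:04 +0000] "GET /uploads/image.png HTTP/1.1" 200 2000
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed FCKeditor layout: connectors and the file browser live under editor/filemanager/.
FCK_MARKER = "/editor/filemanager/"
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def classify(line):
    """Return a finding dict for a request touching a legacy FCKeditor endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    decoded = unquote(unquote(path))  # decode twice to catch double-encoded traversal
    if FCK_MARKER not in decoded.lower():
        return None
    findings = ["legacy-fckeditor-endpoint"]
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if "command=fileupload" in decoded.lower():
        findings.append("file-upload")
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status")), "findings": findings}


def scan(log_text):
    """Scan a block of log text and return all findings in order of appearance."""
    return [r for r in (classify(line) for line in log_text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["findings"]), hit["path"])
```

A hit carrying both `path-traversal` and `file-upload` with a 2xx status deserves immediate review of the web root for newly written executable files.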

Crypto phishing

The second threat is a “highly organized” phishing and fraud campaign that tricks people into making fraudulent payments. It starts with an email alerting the victim about a large crypto deposit (usually 15 bitcoin) to a new wallet on an exchange. The victim is given a link and login credentials which, if used, lead to a fake wallet or exchange website showing the “funds”.

The victim is then tricked into paying “gas fees” (transaction costs) or “taxes” in order to withdraw the crypto. The money they give this way is then lost to the attackers, likely forever.

NordVPN’s investigation uncovered more than 100 active domains being used in this campaign.

“This is social engineering at an elite scale,” said Domininkas Virbickas, Product Director at NordVPN. “Criminals are leveraging the allure – and confusion – of cryptocurrency to reinvent old scams in new digital forms.”

Hundreds of fake e-commerce sites

[Image: someone typing at a keyboard, with an e-commerce shopping cart symbol floating in the air. Caption: Hundreds of fake e-commerce sites are making promises they can't keep. Image credit: Song_About_Summer / Shutterstock]

The third campaign is even bigger: more than 800 fraudulent e-commerce domains in all sorts of categories, from fashion to automotive to health products.

Traced to a single Chinese-speaking threat actor, the network is built using WordPress, WooCommerce, and Elementor, and offers time-limited, too-good-to-be-true offers. Victims, eager not to miss this once-in-a-lifetime opportunity, lower their guard and end up making payments without ever getting what they paid for.

“These ‘shops’ lure victims with unrealistic offers, creating urgency and bypassing consumer skepticism. Indicators of Chinese origin include untranslated Chinese characters and localized file artifacts across the network. NordVPN linked the sites through shared digital fingerprints and discovered consistent hosting under the registrar Spaceship, Inc.,” says Domininkas Virbickas.

“This network demonstrates the industrialization of online fraud,” added Virbickas. “Automation and template-based site creation now allow single actors to manage entire fraudulent ecosystems that mimic legitimate online retail.”


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
