From Bazooka to Fake Nikes
Threat actors are increasingly utilizing business impersonation to exploit ecosystem gaps in the financial and retail sectors. By creating copycat corporate entities and AI-generated fake storefronts, fraudsters successfully bypass traditional security controls like Positive Pay and 3D Secure authentication to conduct commercial check fraud and card-not-present scams.
Authors: Recorded Future Fraud Intelligence Team
Source: Recorded Future
- Domain: checkoutdirectpulse[.]com - Domain used for a fake online shopping checkout page capturing payment card data (identified via article imagery).
- URL: checkoutdirectpulse.com/ppw2susFLp/?guid=cpOvCtaLmG1ZyCDW - Specific checkout URL observed in a garden soil online shopping scam capturing PII and credit card details.
Key Takeaways
- Business impersonation is the core tactic connecting traditional commercial check fraud and modern AI-powered online shopping scams.
- Fraudsters bypass Payee Positive Pay controls by registering copycat businesses in different states to cash intercepted commercial checks.
- Online shopping scams bypass 3D Secure authentication because victims actively authorize the transactions on fake merchant sites.
- Ecosystem gaps and assumed trust between social media platforms, card networks, merchant onboarders, and local registries enable these frauds.
- A CTI-fraud fusion model is recommended to correlate cyber threat intelligence with traditional fraud alerts to combat these schemes.
Affected Systems
- Financial Institutions
- Merchant Onboarding Systems
- Social Media Advertising Platforms
- Commercial Business Payment Processes
Attack Chain
Fraudsters intercept high-value commercial checks or create fake online storefronts using AI. For checks, they register a similarly named business in a different state and open a corporate bank account to deposit the funds, bypassing Positive Pay controls. For online scams, they purchase social media ads to drive traffic to fake shops, capturing payment details and processing them through fraudulently obtained merchant accounts, bypassing 3D Secure since the user authorizes the charge.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the article, as the focus is on financial fraud mechanisms and ecosystem vulnerabilities rather than endpoint or network cyber threats.
Detection Engineering Assessment
- EDR Visibility: None - The described fraud occurs entirely outside the corporate network, relying on external business registrations, bank transactions, and social media platforms.
- Network Visibility: Low - Network telemetry would only capture corporate users navigating to fake online shops, which is a small subset of the overall fraud activity.
- Detection Difficulty: Hard - Detecting these schemes requires cross-institutional data sharing, CTI-fraud fusion, and identifying subtle naming discrepancies in legitimate-looking business registrations.
Required Log Sources
- Bank transaction logs
- Merchant onboarding records
- Web proxy logs
- DNS query logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Newly registered businesses with names closely mimicking established corporations are receiving large initial check deposits. | Banking transaction logs, Business registry databases | Exfiltration/Impact | High |
| Users are clicking on social media ad links leading to newly registered, low-reputation e-commerce domains offering unrealistic discounts. | Web proxy logs, DNS logs | Initial Access | Medium |
Control Gaps
- Payee Positive Pay (bypassed by copycat names)
- 3D Secure Authentication (bypassed by user authorization on fake sites)
- State business registration vetting processes
Key Behavioral Indicators
- Slight variations in payee business names (e.g., adding '1 Inc')
- Mismatch between business registration state and expected corporate headquarters
- New merchant accounts with high chargeback rates or rapid transaction volume
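The first hunting hypothesis and the first two behavioral indicators above describe a payee-name check that Positive Pay alone does not perform. The following is an added illustration (not code from the article or from Recorded Future) of how a finance team could screen presented check payees against an approved vendor master: it normalizes names, scores near-matches such as an inserted "1" token, flags a registration-state mismatch, and routes anything that is not a clean match, or any high-value item, to manual sign-off. The vendor master, the expected state, and the high-value threshold are constructed sample values.

```python
import re
from difflib import SequenceMatcher

# Constructed vendor master for this example: approved payee name -> expected
# registration state. The Bazooka name comes from the page; the state is assumed.
VENDOR_MASTER = {
    "The Bazooka Companies Inc": "NY",
}
LEGAL_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "corp", "corporation", "co", "company"}
HIGH_VALUE = 50_000.0  # assumed amount above which manual sign-off is required anyway


def normalize(name):
    """Lowercase, drop punctuation and legal-form suffixes, return remaining tokens."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return [t for t in tokens if t not in LEGAL_SUFFIXES]


def evaluate_payee(payee, state, amount, threshold=0.85):
    """Classify a presented check payee as 'match', 'suspect' or 'unknown'.

    'suspect' covers a near-match to an approved vendor (e.g. an inserted token
    such as '1') and an exact name match registered in an unexpected state.
    """
    presented = normalize(payee)
    best = {"ratio": -1.0}
    for approved, approved_state in VENDOR_MASTER.items():
        ref = normalize(approved)
        ratio = 1.0 if presented == ref else SequenceMatcher(
            None, " ".join(ref), " ".join(presented)).ratio()
        if ratio > best["ratio"]:
            best = {"approved": approved, "approved_state": approved_state,
                    "ratio": round(ratio, 3),
                    "extra_tokens": [t for t in presented if t not in ref]}
    if best["ratio"] == 1.0 and state == best["approved_state"]:
        verdict, reason = "match", "exact payee and state"
    elif best["ratio"] == 1.0:
        verdict, reason = "suspect", f"state {state} != expected {best['approved_state']}"
    elif best["ratio"] >= threshold:
        verdict, reason = "suspect", f"near-match, extra tokens {best['extra_tokens']}"
    else:
        verdict, reason = "unknown", "no approved vendor resembles this payee"
    # Anything that is not a clean match, or any high-value item, goes to manual sign-off.
    review = verdict != "match" or amount >= HIGH_VALUE
    return {"verdict": verdict, "reason": reason, "closest": best.get("approved"),
            "ratio": best["ratio"], "manual_review": review}
```

Name similarity is deliberately scored after suffix removal so that "Inc" versus "Inc." does not trigger, while an inserted token still does; tune the threshold against your own vendor master, since the page notes that similar legitimate names make this check prone to false positives.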
False Positive Assessment
- High, as legitimate businesses often have similar names, regional subsidiaries, or holding companies, making automated name-matching prone to false alerts. Legitimate flash sales can also mimic the traffic patterns of online shopping scams.
Recommendations
Immediate Mitigation
- Implement Reverse Positive Pay for high-value commercial checks to require manual sign-off.
- Block known fake e-commerce domains and newly registered domains at the corporate secure web gateway.
Infrastructure Hardening
- Transition from paper checks to alternative electronic payment methods (ACH, wire transfers) where possible.
- Adopt a CTI-fraud fusion model to correlate cyber threat intelligence with traditional fraud alerts.
User Protection
- Deploy browser protections to warn users about newly registered or low-reputation e-commerce sites.
Security Awareness
- Train finance teams to verify payee details meticulously and watch for slight variations in vendor names.
- Educate employees and consumers about the risks of heavily discounted products advertised on social media and AI-generated brand impersonation.
MITRE ATT&CK Mapping
- T1656 - Impersonation
- T1585 - Establish Accounts
- T1566.002 - Phishing: Spearphishing Link
Additional IOCs
- Domains:
  checkoutdirectpulse[.]com - Fake online shop checkout domain
- URLs:
  checkoutdirectpulse.com/ppw2susFLp/?guid=cpOvCtaLmG1ZyCDW - Fake checkout page URL
- Other:
  The Bazooka Companies 1 Inc - Example of a fictitious copycat business name used to bypass Positive Pay in commercial check fraud.