The Purchase Scam Tactic Headed for the World Cup
Recorded Future has identified a purchase scam campaign, dubbed AEGIR, utilizing SEO poisoning on compromised legitimate websites to redirect organic search traffic to unindexed scam domains. The campaign employs referrer-based cloaking to evade detection and leverages transaction laundering across multiple merchant accounts to monetize stolen payment card data, specifically targeting event-driven demand like the 2026 World Cup.
- domainfreeavmhzwr[.]clickScam domain receiving redirected traffic from compromised legitimate websites via SEO poisoning.
- urlhxxps://www[.]flexpix[.]com[.]br/product-similar-imageCompromised legitimate website URL used to host fake product listings and redirect to scam domains.
- urlhxxps://www[.]mtillc[.]com/product-similar-imageCompromised legitimate website URL used to host fake product listings and redirect to scam domains.
- urlhxxps://www[.]villamagia[.]com[.]br/shop/manufacturer-siteCompromised legitimate website URL used to host fake product listings and redirect to scam domains.
Detection / HunterGoogle
What Happened
Cybercriminals are hacking legitimate websites to secretly plant fake product listings that show up in Google search results. When a shopper clicks the link looking for World Cup merchandise, they are secretly redirected to a hidden scam website that steals their money and credit card information. This matters because the scammers are avoiding traditional detection by not buying ads and hiding their tracks, putting consumers and financial institutions at risk. Shoppers should be cautious of unusually high discounts and verify the actual website URL they are purchasing from.
Key Takeaways
- Scammers are utilizing SEO poisoning on compromised legitimate websites to redirect organic search traffic to purchase scam domains.
- The campaign uses referrer-based cloaking, ensuring redirects only trigger for users arriving from search engines with specific tracking parameters.
- A specific cluster named AEGIR involves 41 scam domains and 3 merchant accounts, amassing roughly 26 million web visits.
- The scam domains are intentionally not indexed by search engines, hiding the payment infrastructure from standard security monitoring.
- Fraudsters steal payment card data for resale on dark web marketplaces, leading to downstream unauthorized fraud and transaction laundering.
Affected Systems
- E-commerce websites
- Small-business websites and blogs (compromised for SEO poisoning)
- Consumer payment cards
Attack Chain
Attackers first gain unauthorized access to legitimate websites, such as blogs or small-business pages. They plant fake product listings and metadata to co-opt the site's search engine ranking. When a victim clicks the search result, conditional cloaking code redirects them to an unindexed scam domain. The victim attempts to purchase goods, resulting in the theft of their payment funds and credit card data, which is then laundered or sold on dark web marketplaces.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but notes that defensive signatures include referrer-based cloaking behavior, domain rotation patterns, and merchant descriptor anomalies.
Detection Engineering Assessment
EDR Visibility: None — The attack occurs entirely via web traffic redirection and fraudulent e-commerce transactions, which do not execute malicious payloads on the victim's endpoint. Network Visibility: Medium — Network logs can capture the HTTP redirects from compromised domains to known scam domains, particularly by analyzing HTTP Referer headers. Detection Difficulty: Hard — The use of conditional cloaking means the redirect only triggers for specific search engine traffic, making active scanning and standard monitoring difficult.
Required Log Sources
- Web Proxy Logs
- DNS Logs
- Network Flow Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Hunt for unusual HTTP redirects originating from legitimate but unrelated domains (e.g., small business sites) to newly registered or suspicious domains, especially when the HTTP Referer indicates a search engine. | Web Proxy Logs | Delivery | Medium |
Control Gaps
- Standard search engine monitoring
- Automated web filtering (due to conditional cloaking)
Key Behavioral Indicators
- Referrer-based cloaking behavior
- Domain rotation patterns
- Merchant descriptor anomalies
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking access to known scam domains associated with the AEGIR cluster, such as freeavmhzwr.click.
Infrastructure Hardening
- Evaluate whether public-facing web assets are patched and secured against unauthorized access to prevent them from being co-opted for SEO poisoning.
- Consider implementing integrity monitoring on web servers to detect unauthorized changes to site content or metadata.
User Protection
- If applicable, deploy web filtering solutions that can dynamically analyze and block suspicious redirects from search results.
Security Awareness
- Consider educating employees and consumers about the risks of purchase scams, emphasizing the need to verify the final URL during checkout.
- Advise users to be cautious of unusually steep discounts on high-demand event merchandise.
MITRE ATT&CK Mapping
- T1608.006 - Search Engine Optimization
- T1190 - Exploit Public-Facing Application
- T1583.008 - Malvertising
- T1036 - Masquerading
Additional IOCs
- Urls:
hxxps://www[.]villamagia[.]com[.]br/shop/manufacturer-site- Compromised legitimate website URL used to host fake product listings and redirect to scam domains.hxxps://www[.]flexpix[.]com[.]br/product-similar-image- Compromised legitimate website URL used to host fake product listings and redirect to scam domains.hxxps://www[.]mtillc[.]com/product-similar-image- Compromised legitimate website URL used to host fake product listings and redirect to scam domains.