Luxury Shop Fraud Campaign

    Date: 09/01/2025

    Severity: High

    Summary

    We identified an email campaign promoting fake luxury shopping sites through enticing subject lines and links. The sites mimic legitimate stores, redirect to PayPal for payment, and advertise deep discounts on luxury items. The domains are tied to malicious IPs, mostly in Vietnam (AS 149137, AS 149123, AS 149125), and are hosted via US-based cloud providers. The fraudulent sites lack input validation and are registered through "CNOBIN INFORMATION TECHNOLOGY LIMITED". We are tracking this campaign under the name luxury_shop_fraud.

    Indicators of Compromise (IOC) List

    URLs/Domains:
    hot-lvs.com
    hottest-bags.com
    hottest-rox.com
    hottest-watch.com
    hottest-watches.com
    hottop-watches.com
    hottst-watches.com
    lux-roxs.com
    luxlvs.com
    luxroxclub.com
    luxroxs.com
    lxrox.com
    lzrox.com
    lux-lv.com
    sophialuxbags.com

    IP Addresses:
    103.146.122.54
    103.149.86.145
    103.209.34.205

    Email Addresses:
    custom@ppqp.net
    freturbqa@5igy.net
    karly@7eh3q.com
    pcmg@0kvv.net
    tom@t-dom.net
    yhusefourth@lutoneglobal.net

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "hottest-rox.com" or url like "hottest-rox.com" or siteurl like "hottest-rox.com"
    or domainname like "hottest-bags.com" or url like "hottest-bags.com" or siteurl like "hottest-bags.com"
    or domainname like "lxrox.com" or url like "lxrox.com" or siteurl like "lxrox.com"
    or domainname like "lzrox.com" or url like "lzrox.com" or siteurl like "lzrox.com"
    or domainname like "lux-roxs.com" or url like "lux-roxs.com" or siteurl like "lux-roxs.com"
    or domainname like "luxroxs.com" or url like "luxroxs.com" or siteurl like "luxroxs.com"
    or domainname like "hottest-watches.com" or url like "hottest-watches.com" or siteurl like "hottest-watches.com"
    or domainname like "lux-lv.com" or url like "lux-lv.com" or siteurl like "lux-lv.com"
    or domainname like "hottop-watches.com" or url like "hottop-watches.com" or siteurl like "hottop-watches.com"
    or domainname like "hot-lvs.com" or url like "hot-lvs.com" or siteurl like "hot-lvs.com"
    or domainname like "hottst-watches.com" or url like "hottst-watches.com" or siteurl like "hottst-watches.com"
    or domainname like "hottest-watch.com" or url like "hottest-watch.com" or siteurl like "hottest-watch.com"
    or domainname like "luxlvs.com" or url like "luxlvs.com" or siteurl like "luxlvs.com"
    or domainname like "luxroxclub.com" or url like "luxroxclub.com" or siteurl like "luxroxclub.com"
    or domainname like "sophialuxbags.com" or url like "sophialuxbags.com" or siteurl like "sophialuxbags.com"

    IP Address:

    dstipaddress IN ("103.209.34.205","103.149.86.145","103.146.122.54") or srcipaddress IN ("103.209.34.205","103.149.86.145","103.146.122.54")

    Email Address:

    sender like "custom@ppqp.net" or sender like "freturbqa@5igy.net" or sender like "karly@7eh3q.com"
    or sender like "pcmg@0kvv.net" or sender like "tom@t-dom.net" or sender like "yhusefourth@lutoneglobal.net"
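    The three queries above match each IOC field literally. As an added example (not part of the advisory or of Gurucul's product), the following Python runs the same IOC set over constructed key="value" log lines; it matches hostnames by exact domain or subdomain rather than raw substring, so a look-alike host such as notlxrox.com does not fire. The log format, field names and sample events are assumptions.

```python
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {  # IOC set from the advisory above (luxury_shop_fraud)
    "hot-lvs.com", "hottest-bags.com", "hottest-rox.com", "hottest-watch.com",
    "hottest-watches.com", "hottop-watches.com", "hottst-watches.com",
    "lux-roxs.com", "luxlvs.com", "luxroxclub.com", "luxroxs.com",
    "lxrox.com", "lzrox.com", "lux-lv.com", "sophialuxbags.com",
}
IOC_IPS = {"103.146.122.54", "103.149.86.145", "103.209.34.205"}
IOC_SENDERS = {
    "custom@ppqp.net", "freturbqa@5igy.net", "karly@7eh3q.com",
    "pcmg@0kvv.net", "tom@t-dom.net", "yhusefourth@lutoneglobal.net",
}
DOMAIN_FIELDS = ("domainname", "url", "siteurl")   # field names as in the queries above
IP_FIELDS = ("dstipaddress", "srcipaddress")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs (assumed, constructed log format)

def host_of(value):  # lowercase hostname of a URL or bare domain; port, path, userinfo dropped
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # make urlsplit treat a bare host[:port][/path] as the netloc
    return (urlsplit(v).hostname or "").rstrip(".")

def domain_hit(value):
    """Exact or subdomain match. A plain substring match would also fire on
    look-alikes such as notlxrox.com, so walk the label suffixes instead."""
    labels = host_of(value).split(".")
    for i in range(len(labels) - 1):
        if (suffix := ".".join(labels[i:])) in IOC_DOMAINS:
            return suffix
    return None

def match_event(event):
    """Return [(field, ioc)] for every field of one parsed event that hits an IOC."""
    hits = [(f, d) for f in DOMAIN_FIELDS if f in event and (d := domain_hit(event[f]))]
    hits += [(f, event[f].strip()) for f in IP_FIELDS if event.get(f, "").strip() in IOC_IPS]
    sender = event.get("sender", "").strip().lower()
    if sender in IOC_SENDERS:
        hits.append(("sender", sender))
    return hits

def scan(lines):  # (line_no, hits) for every log line that matches at least one IOC
    results = [(n, match_event(dict(FIELD_RE.findall(ln)))) for n, ln in enumerate(lines, 1)]
    return [(n, h) for n, h in results if h]

SAMPLE_LOGS = [  # constructed sample events, not real telemetry
    'dstipaddress="103.209.34.205" url="https://www.lxrox.com/sale?id=1"',
    'sender="Tom@t-dom.net" siteurl="https://example.org/"',
    'siteurl="https://notlxrox.com/" srcipaddress="10.0.0.5"',
]
```

    Running scan(SAMPLE_LOGS) flags lines 1 and 2 only; the third line is a near-miss that the raw "like" matching in some query engines would have reported.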

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-08-29-IOCs-for-luxury-shop-fraud.txt


    Tags

    Threat Actor, Fake software, PayPal, Vietnam, CNOBIN, Information Technology, luxury_shop_fraud
