Threat Advisory

Scam Domains Abuse Payment Systems for Data Theft

Threat: Malware Campaign
Targeted Region: Germany
Targeted Sector: Technology & IT, Finance & Banking
Criticality: High

EXECUTIVE SUMMARY

The investigation began with the discovery of lidlorg[.]com, a suspected purchase scam website impersonating a well-known German discount retailer. This site was identified as part of a broader scheme involving 71 scam domains that share a set of twelve merchant accounts to carry out fraudulent transactions. These domains, often disseminated through deceptive ad campaigns and utilizing typosquatted URLs, process payments under the guise of selling legitimate goods, while harvesting financial and personal information. Each transaction processed through these accounts is considered highly likely to result in card compromise, posing significant threats to both cardholders and financial institutions. The overlap in infrastructure and tactics used by these sites suggests either a coordinated effort among multiple malicious actors or the work of a single organized entity with diversified infrastructure.

Further analysis of this network revealed consistent patterns of abuse across the domains. Many of the scam sites were linked through shared merchant accounts, some of which were also found to be engaging in transaction laundering—a method of obscuring the true nature of a transaction by funneling payments through seemingly unrelated merchants. This tactic further complicates efforts to trace the operators and disrupt their activities. Recorded Future observed that these scam operations are structurally distinct from typical phishing sites because they employ functioning merchant accounts to facilitate fraudulent purchases rather than merely capturing user credentials. The infrastructure appears supported by a dark web ecosystem that offers services such as malvertising, payment laundering, and traffic redirection, allowing the scam network to continuously regenerate domains and expand its reach while avoiding takedown efforts.

Mitigating this threat requires coordinated action from card issuers and merchant acquirers. Issuers are encouraged to monitor transactions involving the identified merchant accounts and reissue cards where necessary, prioritizing fraud prevention over temporary customer friction. Meanwhile, acquirers are urged to scrutinize merchant registration data and identify other suspicious accounts within their portfolios using network data and fraud detection APIs. Identifying overlaps in merchant data can help distinguish whether the scam infrastructure is operated by one or multiple actors. While domains are easily replaceable and therefore less useful for attribution, the merchant accounts offer a more stable indicator of operator identity. Given the active nature of this scam network and its reliance on shared infrastructure, ongoing vigilance and intelligence sharing are essential to curbing its growth and minimizing financial harm.
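The two defensive steps above, flagging transactions against known scam merchant accounts and clustering domains by the merchant accounts they share, can be reduced to a small amount of code. The following is an added example and is not code from the advisory or from Recorded Future. lidlorg[.]com is the only domain the advisory names; every other domain, every merchant ID (MID-PLACEHOLDER-*) and every transaction below is a constructed placeholder, because the advisory does not publish the 71 domains or the twelve merchant accounts. The clustering is a union-find over the domain/merchant bipartite graph: domains linked by a chain of shared merchant accounts fall into one cluster, which is the "stable indicator of operator identity" the advisory recommends over easily replaced domains.

```python
"""Flag card transactions at scam merchants and cluster scam domains by
shared merchant accounts.

Added example, not from the advisory. All merchant IDs, transactions and
domains other than lidlorg[.]com are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample: scam domain -> merchant accounts it settles through.
# The advisory reports 71 domains over 12 accounts; these are placeholders.
DOMAIN_MERCHANTS = {
    "lidlorg[.]com": {"MID-PLACEHOLDER-1", "MID-PLACEHOLDER-2"},
    "example-shop-a[.]test": {"MID-PLACEHOLDER-2"},
    "example-shop-b[.]test": {"MID-PLACEHOLDER-3"},
    "example-shop-c[.]test": {"MID-PLACEHOLDER-3", "MID-PLACEHOLDER-4"},
    "example-shop-d[.]test": {"MID-PLACEHOLDER-5"},
}

# Constructed sample of issuer-side authorisations:
# (card token, merchant ID, amount in EUR).
TRANSACTIONS = [
    ("tok_001", "MID-PLACEHOLDER-2", 49.99),
    ("tok_002", "MID-LEGIT-GROCER", 23.10),
    ("tok_003", "MID-PLACEHOLDER-5", 129.00),
    ("tok_001", "MID-LEGIT-GROCER", 12.40),
]


def _find(parent: dict, x: str) -> str:
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_by_merchant(domain_merchants: dict) -> list:
    """Group domains that are connected through shared merchant accounts.

    Each returned frozenset is one candidate operator footprint: several
    clusters suggest several actors (or one actor with deliberately
    partitioned infrastructure), a single cluster suggests one operator.
    """
    parent = {d: d for d in domain_merchants}
    merchant_to_domains = defaultdict(list)
    for domain, mids in domain_merchants.items():
        for mid in mids:
            merchant_to_domains[mid].append(domain)
    # Every domain sharing a merchant ID is unioned with the first one seen.
    for domains in merchant_to_domains.values():
        first = domains[0]
        for other in domains[1:]:
            ra, rb = _find(parent, first), _find(parent, other)
            if ra != rb:
                parent[rb] = ra
    groups = defaultdict(set)
    for domain in domain_merchants:
        groups[_find(parent, domain)].add(domain)
    return [frozenset(g) for g in groups.values()]


def flag_transactions(transactions: list, domain_merchants: dict) -> tuple:
    """Return (transactions at scam merchants, card tokens to reissue).

    Per the advisory, any card that transacted with one of the shared
    merchant accounts is treated as likely compromised.
    """
    scam_mids = set().union(*domain_merchants.values())
    flagged = [t for t in transactions if t[1] in scam_mids]
    cards_to_reissue = {t[0] for t in flagged}
    return flagged, cards_to_reissue


if __name__ == "__main__":
    for cluster in cluster_by_merchant(DOMAIN_MERCHANTS):
        print("cluster:", sorted(cluster))
    flagged, cards = flag_transactions(TRANSACTIONS, DOMAIN_MERCHANTS)
    for token, mid, amount in flagged:
        print(f"flag {token} at {mid}: {amount:.2f} EUR")
    print("reissue:", sorted(cards))
```

On the sample data this yields three clusters (lidlorg[.]com with shop-a, shop-b with shop-c, and shop-d alone) and two cards to reissue. An acquirer would run the same clustering over merchant registration fields (beneficiary, contact details, settlement account) rather than over domains, since those are the fields that remain constant when the operators rotate to fresh domains.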

THREAT PROFILE:

Tactic               Technique ID   Technique
Initial Access       T1566          Phishing
Execution            T1059          Command and Scripting Interpreter
                     T1204          User Execution
Persistence          T1547          Boot or Logon Autostart Execution
                     T1053          Scheduled Task/Job
Defense Evasion      T1027          Obfuscated Files or Information
Credential Access    T1003          OS Credential Dumping
Discovery            T1082          System Information Discovery
                     T1083          File and Directory Discovery
Collection           T1560          Archive Collected Data
Command and Control  T1071          Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C2 Channel

REFERENCES:

The following reports contain further technical details:
