SEO Poisoning Campaign Uses Compromised WordPress Sites to Host Fake Marketplaces
A detailed analysis reveals a widespread fraud campaign that uses SEO poisoning and compromised WordPress sites to host AI-generated fake marketplaces, luring victims from eBay and repost them on domains like desidrivingschool[.]com, registered days prior. Victims are lured via search results to these fraudulent stores, which appear to be AI-generated and priced too good to be true. The diary details the attack chain, including sitemap.xml enumeration revealing thousands of poisoned listings.
A detailed analysis by SANS Internet Storm Center intern Joshua Nikolson has exposed a sophisticated website fraud campaign that leverages SEO poisoning and compromised WordPress sites to host AI-generated fake marketplaces. The campaign, which targets shoppers searching for popular products like Texas Instruments calculators and Eddie Bauer blazers, uses a network of fraudulent domains to steal payment information and personal data.
The attack chain begins with threat actors scraping legitimate product listings from eBay and other marketplaces, complete with images and descriptions. These listings are then reposted on domains that appear unrelated to the products being sold, such as desidrivingschool[.]com, which was registered just 12 days before being used to sell a TI-Nspire CAS calculator. The attackers use SEO poisoning techniques to ensure these fake listings appear in Google search results, often on the second page of results for specific product queries.
By appending "/sitemap.xml" to the fraudulent domains, Nikolson discovered thousands of poisoned listings designed to infiltrate search results. The compromised WordPress sites serve as redirect infrastructure, funneling victims to the fake marketplaces. The sites themselves appear to be AI-generated, with a "vibecoded" feel and prices that are too good to be true, making them attractive to bargain hunters.
To understand the full scope of the scam, Nikolson attempted to purchase an Eddie Bauer blazer using a fake identity and a temporary debit card from Privacy.com with a $5 spending limit. The checkout page was a replica of Shopify's checkout interface, and after entering payment information, the system displayed a fake PayPal-style loading screen before redirecting to a "thank you" page—despite the card being declined. The URL revealed the failure code, confirming the transaction was never processed.
Further investigation revealed that multiple charges were attempted on the card in the days following the failed transaction, suggesting the attackers are harvesting payment card details for later use. In some tests, an additional charge at a different price than the advertised product was observed, indicating the attackers may be testing stolen cards or conducting small transactions to verify validity.
The campaign appears to be highly automated, with attackers using AI tools to generate the fake marketplaces and scrape product listings at scale. The use of compromised WordPress sites as redirect infrastructure adds an additional layer of complexity, making it harder for security researchers and law enforcement to takedown the operation. The attackers have also registered multiple domains for payment processing, with one such domain created just one month prior to the analysis and receiving only one detection on VirusTotal.
This campaign highlights the growing sophistication of online fraud, where AI-generated content and SEO poisoning are combined to create convincing fake marketplaces that can deceive even cautious shoppers. The attackers' ability to rapidly register new domains and compromise WordPress sites makes this a persistent threat that requires ongoing vigilance from both consumers and website administrators.