WORKSHOP June 24: Pivoting Across Infrastructure to Detect Unknown Threats

GhostVendors Exposed: Silent Push Uncovers Massive Network of 4000+ Fraudulent Domains Masquerading as Major Brands

threat
June 9, 2025

Key Findings

  • Silent Push Threat Analysts have uncovered a massive “fake marketplace” scam campaign we have dubbed “GhostVendors” involving online ads that impersonate dozens of major brands and spoof actual products on thousands of fraudulent websites.
  • We found over 4,000 domains that are part of this fake marketplace network. This is a significant threat targeting social networks, major brands, advertising companies, and consumers worldwide.
  • During our research, we found that after the threat actor posted its malicious Facebook Marketplace ads for a few days, it stopped its campaigns, thereby deleting all traces of them from the Meta Ad Library.
  • We determined that the threat actors are exploiting an existing Meta policy to target major brands and then completely remove previously posted ads.

Executive Summary

Silent Push Threat Analysts are tracking a massive “fake marketplace” scam that uses thousands of fake websites to abuse dozens of major brands and buy Facebook ads to promote its scam products. Our team is labeling this group “GhostVendors,” and we suspect they are also purchasing ads on other networks to self-promote their scam sites. We will update this report accordingly as our investigation continues.

Our team also confirmed how a Facebook advertiser can buy ads which show up in the Meta Ad Library while they are running, and then stop their campaigns, thereby removing all evidence of their posted ads from the Meta Ad Library. In early May 2025, we documented the appearance of ads from this threat actor group that were searchable in the Ad Library, five days later, all evidence of their presence was removed from the Ad Library due to the ad campaigns stopping. This helped to confirm a known Meta ad library policy existed, and highlighted that potentially these threat actors were taking advantage of this by rapidly launching and stopping ads for similar products on different pages.

Based on the brands being impersonated, this campaign appears to focus on impersonating brands that buy large amounts of online ads—many of the impersonated brands are huge and well-known for purchasing significant quantities of ads. In contrast, other brands being impersonated are smaller ones that mostly use online sales processes.

Brands our team has observed being targeted by the GhostVendors campaign include:

Amazon, Costco, Bath & Body Works, Nordstrom, Saks Fifth Avenue, Lowes, L.L. Bean, Tommy Bahama, Rolex, Brooks Running, Birkenstock, Crocs, Skechers, Total Wine, Omaha Steaks, Instacart, Duluth Trading, Advance Auto Parts, Party City, Dollar General, Tractor Supply, Joann, Big Lots, Orvis, Alo Yoga, On Running, Tom Ford Beauty, Rebecca Minkoff, Yankee Candle, Hoka, Thrive Market, Vionic Shoes, Rock Bottom Golf, Vuori Clothing, Goyard, Icebreaker Clothing, NOBULL Sportswear, Alpha Industries, Volcom, Kizik Shoes, Vessi Shoes, Mammut Outdoor Gear, Buffalo Games & Puzzles, Ravensburger Puzzles, Fast Growing Trees, Gurney’s Seed and Nursery, Vivobarefoot, KaDeWe, Palmetto State Armory, Natural Life, Luke’s Lobster, Cousins Maine Lobster, White Oak Pastures, Seven Sons Farm, Arcade1Up Gaming, EGO Power+ Tools, Cobble Hill Puzzles, Popflex, Argos UK, Huk Clothing, 44 Farms, Tyner Pond Farm, Pipers Farms, Rebel Sport, The Woobles Crochet, Massimo Dutti, and GE Appliances.

Sign Up for a Free Silent Push Community Edition Account

Register now for our free Community Edition to use all the tools and queries highlighted in this blog.

Sign Up Here

Background

Silent Push Threat Analysts have tracked numerous types of “fake marketplace” scams. In 2024, we tracked a group we dubbed the “AIZ—Aggressive Inventory Zombies,” covering it with an in-depth report exclusively for our enterprise clients and a public blog.

Many threat actors create fake online marketplaces that promote real products, using them to conduct various types of financial fraud. This is achieved by either not delivering the ordered products or stealing victims’ payment details. Multiple variations of these types of scams exist, but the end goal for each is typically quick cashouts. Most of these networks abuse large numbers of domains due to the speed with which social networks and other sources respond and block their sites.

Our team recently received a tip about a Facebook Marketplace ad promoting a Milwaukee Tool Box at an impossibly low price via a domain clearly set up using a domain-generated algorithm (DGA), a common tactic employed in many malicious campaigns.

By investigating the advertised products, examining various content clues, and tracking the campaign’s heavy use of technical practices, our team expanded our search from the initial suspicious site to thousands of marketplace scam websites targeting a wide range of social networks and individuals worldwide.

Milwaukee Tools’ Brand Spoofed via Facebook Marketplace Ads, Facebook Purges Ads’ Library of Proof

On May 7, 2025, Silent Push Threat Analysts captured a Facebook page promoting a fake marketplace that spoofed the “Milwaukee Tools” brand. The ad content used the word “Millaeke” while featuring an image of a Milwaukee Tool box:

Screenshot from Facebook Marketplace on May 7, 2025
Screenshot from Facebook Marketplace, May 7, 2025

Our team examined the ad for more information and confirmed that the advertiser’s name was “Millaeke,” while the domain they were promoting in the ad was wuurkf[.]com.

Why You Saw This Ad screenshot from Facebook Marketplace captured May 7, 2025
May 7, 2025 screenshot from Facebook Marketplace

The full URL of the malicious sponsored Facebook Marketplace ad was:

wuurkf[.]com/collections/Tool-Box/products/Milwaukee-56-Premium-18-Drawer-Tool-Box-Chest-and-Cabinet-Combo-with-Electronic-Keypad-Lock

The UTM “link tracking” parameters appended to the URL after clicking the ad included:

utm_medium=paid&utm_source=fb

The Facebook page where these ads are bought could be seen at: “facebook[.]com/profile.php?id=61575534312860”, although once the campaign ended, all traces of the previously published Facebook posts disappeared.

Screenshot of the Facebook page "Millaeke" showing all posts had disappeared
Screenshot of the Facebook page “Millaeke” showing that all posts had disappeared

After viewing Millaeke’s original ad, our team navigated to the Meta Ad Library and confirmed that the page was currently running numerous ads.

However, five days after our team discovered the ads, Millaeke must have stopped its campaign, as all the ads disappeared from the library, which you can see here.

Screenshot of the Meta Ad Library showed no ads for "Millaeke"
The Meta Ad Library showed no advertisements from “Millaeke”—even though ads were displayed here five days earlier

Facebook’s Ad Library Only Includes Active Ads, Creating Threat Tracking Challenges

Our researchers continued to investigate details surrounding Facebook’s ad policy. What we found is that Meta retains ads in the Ad Library on social issues, elections, and politics that have run for the past seven years. However, Meta’s policy dictates that any other types of ads are ONLY saved while those ads are part of active campaigns.

As soon as a campaign ends, the ads are removed from the Ad Library, as exemplified by our monitoring of the fake marketplace ads. This makes tracking threats that abuse Facebook ads much more difficult. It also highlights a challenge for defenders, which can only be effectively addressed by scraping this source of data and creating an external repository—something that appears to be prohibited. As a result, it’s currently impossible to holistically track malicious ads on this network. 

Silent Push Threat Analysts will continue to monitor the situation and update this report if additional facts emerge.

Tracking the GhostVendors’ Marketplace Scam

The previous campaign targeting Milwaukee Tools was using specific metadata for its scam, with clearly observable patterns:

wuurkf[.]com/collections/Tool-Box/products/Milwaukee-56-Premium-18-Drawer-Tool-Box-Chest-and-Cabinet-Combo-with-Electronic-Keypad-Lock

Recalling that these types of campaigns are typically “spray and pray” efforts, in which threat actors regularly spin up large amounts of infrastructure to mitigate takedown efforts, a common tactic in such efforts is for a threat actor to clone their websites rather than make each one unique. Doing so presents an opportunity for defenders.

When tracking campaigns, our analysts often look to the Google index due to its speed in indexing internal pages. Silent Push primarily scans homepages as part of our global content indexing effort, along with internal pages input by our users and threat researchers.

By performing a Google Search, we looked for the exact product name used in the scam ad:

Google Dork Query

inurl:/products/milwaukee-56-premium-18-drawer-tool-box-chest-and-cabinet-combo-with-electronic-keypad-lock/

The query returned fewer than 10 unique results – two entries appeared to be for legit marketplaces, but six other domains featured impossibly cheap prices, DGA domains, or, in this instance, were directly spoofing Wayfair:

  • kpwmua[.]com – Currently offline
  • vtmzox[.]com – Currently offline
  • acudcct[.]com – Online
  • toolzde[.]com – Online
  • yvnbpm[.]com – Online, spoofing Wayfair
  • gardonset[.]com – Online, spoofing Wayfair
Screenshot of a fake tool chest ad on "acudcct[.]com"
Example on “acudcct[.]com”

Fake ad spoofing Milwaukee brand tool chest ad on "yvnbpm[.]com"
Example on “yvnbpm[.]com”

Fake ad spoofing Milwaukee brand tool chest ad on "gardonset.]com"
Example on “gardonset[.]com”

Fake ad spoofing Milwaukee brand tool chest ad on "toolzde[.]com"
Example on “toolzde[.]com”

Additional Facebook Advertisements from the GhostVendors’ Fake Marketplace Threat Actor

Silent Push Threat Analysts discovered two additional examples of Facebook Marketplace ads from the same threat actor group, promoting domains that matched our previous content fingerprints.

Both of these examples were first seen on May 13, 2025.

Screenshot of fake ad on "wrocxop[.]com"
Screenshot of Facebook Marketplace ad promoting “wrocxop[.]com

The first Facebook Marketplace ad was from the Facebook page “Rabx-B,” promoting the website “wrocxop[.]com,” on the same host as the previous websites.

The Meta Ad Library, accessed on May 13, 2025, listed 22 ads for this “Rabx-B” advertiser, with the first starting on May 9, 2025.

These ads direct users to product pages akin to this URL:

“wesonhz[.]shop/products/Cold-Water-Gas-Pressure-Washer-Powered-by-Honda%C2%AE-with-AAA-Triplex-Pump-(4400-PSI-at-4.0-GPM)?utm_medium=paid&utm_source=fb&utm_id=120225268056530127&utm_content
=120225269683470127&utm_term=120225269683300127&utm_campaign=120225268056530127

Facebook Marketplace "Why You Saw This Ad" advertiser details showing "Rabx-B"
Facebook Marketplace ad “Advertiser Details” showing advertiser “Rabx-B”
Screenshot of Facebook page "Rabx-B" purchasing fake marketplace ads with email address and phone number
Screenshot of Facebook page “Rabx-B” purchasing fake marketplace ads – the email address used on the page is “brunothuz805888@outlook[.]com” with phone number (706) 294-9657

Screenshot of Meta Ad Library showing Rabx-B with 22 results
Meta Ad Library for “Rabx-B” with 22 results

The second Facebook Marketplace ad, captured on May 13, 2025, was for the same Facebook page advertiser, “Rabx-B,” but this time it was promoting a new domain, “wesuoey[.]shop.”

Screenshot of Facebook Marketplace ad in the Meta Ad Library
Facebook Marketplace ad in the Meta Ad Library

After comparing the new domain from the same advertiser to what was previously seen, we then returned to the Meta Ad Library to review all 22 Rabx-B ads. We confirmed they were promoting different domains and, importantly, noted that the visible domain in the ad did not match the final destination ad in all instances:

  • wesuoey[.]shop – visible in ad text but link click redirects to wesonhz[.]shop
  • wesonhz[.]shop
  • wrocxop[.]com
Screenshot of Meta Ad Library showing all 22 Rabx-B ads with multiple domains used, seen May 16, 2025
Meta Ad Library for all 22 of the Rabx-B ads with multiple domains used – seen May 16, 2025

Two ads from the same advertiser promoted the domain “wrocxop[.]com” within the visible ad, as seen below, yet redirected the user to “wesonhz[.]shop”.

Screenshot of the Rabx-B ad promoting domain "wrocxop[.]com"
Screenshot of the Rabx-B ad promoting the domain “wrocxop[.]com”
Screenshot May 27, 2025 showing all traces of Rabx-B ads were gone from the marketplace library
By May 27, 2025, all traces of the Rabx-B ads were gone from the marketplace library

Screenshot showing interstitial on Facebook after clicking Rabx-B ad promoting "wrocxop[.]com" that doesn't mention actual URL redirect
Redirection interstitial on Facebook after clicking the Rabx-B ad promoting “wrocxop[.]com,” which doesn’t mention the actual URL redirect on this domain
Screenshot of redirect from "wrocxop[.]com" showing product details hosted on "wesonhz[.]shop"
Screenshot of the redirect from “wrocxop[.]com” to “wesonhz[.]shop,” showing the product details page hosted on “wesonhz[.]shop

It’s clear from this most recent Facebook Marketplace advertiser’s usage of multiple domains, combined with the effort undertaken on their previous campaigns to rapidly end them and thus remove all traces of their ads from the Meta Ad Library, that this particular threat actor has a thorough understanding of the platform’s advertising features and policies.

Our research team discovered another example of a malicious Facebook ad from this same threat actor on May 16, 2025. The ad was posted from the page “Tools Clearance” (facebook[.]com/profile.php?id=61574929192093), impersonating GE Appliances on the domain “geappliances[.]life”:

Screenshot of our discovering a fake Facebook ad hosted on "geappliances[.]life" May 16, 2025
We discovered a malicious Facebook ad hosted on “geappliances[.]life” on May 16, 2025

The domain “geappliances[.]life” contains the same technical fingerprint used to track other websites in this campaign.

The ads for this “Tools Clearance” page were seen in the Meta Ad Library.

Screenshot from "Tools Clearance" Facebook page via the Meta Ad Library
Ads from the “Tools Clearance” Facebook page via the Meta Ad Library
Screenshot May 27, 2025 showing all traces of "Tools Clearance" were gone from the marketplace library
By May 27, 2025, the threat actor stopped the campaign, causing all traces of the “Tools Clearance” ads to disappear from the marketplace library

Discovering Four New Ads

Our research team discovered four additional fake marketplace advertisements:

Screenshot "Why You Saw This Ad" for who "Toolboxchest" wants to show you
Screenshot of phony ad for a heavy-duty rolling tool chest for the ridiculous price of $121.86
Phony ad for a heavy-duty 23-drawer rolling tool chest and cabinet for the unrealistic price of $121.86
Screenshot of phony ad impersonating Wayfair for Husky tool box products
Phony ad impersonating Wayfair promoting “woylervip[.]com/collections/Tool-Box/products

By stopping the campaign, the threat actor was able to have its ads disappear from the Facebook Ad Library.

Example ad from the campaign above: “facebook[.]com/ads/library/?active_status=active&ad_type=all&country=US&id=120224586724400601&is_targeted_country
=false&media_type=all&search_type=page&source=info-sheet&view_all_page_id=654433934418507″  

Screenshot taken May 27, 2025 showing the threat actor must have stopped the campaign since all ads were gone from the library
By May 27, 2025, the threat actor must have stopped the campaign since all traces of the ads disappeared from the marketplace library

 The second ad:

Screenshot of a second example ad spoofing a Milwaukee tool chest for only $128.69
A second example of a tool chest advertised at an unrealistically low price

The ad had the screenshot captured below:

Screenshot of "Why You Saw This Ad" telling who Toolboxchest wants to show ads to
facebook[.]com/ads/library/?active_status=active&ad_type=all&country=US&id=120226523616180200&is_targeted_country
=false&media_type=all&search_type=page&source=info-sheet&view_all_page_id=654433934418507″

But soon thereafter, the advertiser must have ended the campaign since the ad disappeared:  

Screenshot of a fake tool chest ad before it quickly disappeared
Screenshot May 27, 2025 showing the fake tool chest ad was no where to be found
By May 27, 2025, all traces of the ad were gone

The third ad:

Fake Wayfair ad spoofing Milwaukee for a tool chest priced at $106.88 on DocBarbara 372's Facebook page

This appears to be the page:  

Screenshot of DocBarbara 372's Facebook page and "Why You Saw This Ad" notification
facebook[.]com/profile.php?id=61572252608618

The screenshot below displays when the ads were displayed there: 

Screenshot showing when the fake tool chest ads were displayed on DocBarbara 372's Facebook page

But the Facebook Ad Library is now empty:  

Screenshot later showing all ads had disappeared from DocBarbara 372's Facebook page
facebook[.]com/ads/library/?active_status=all&ad_type=all&country=ALL&is_targeted_country
=false&media_type=all&search_type=page&source=page-transparency-widget&view_all_page_id=536613529533713″

The ad was promoting the domain: “supersale[.]top”:  

Another fake Wayfair ad spoofing Milwaukee for a tool chest on sale at the domain "supersale[.]top"
superssale[.]top/products/4-tool-combo-kit

The fourth ad:

Screenshot of a "Holiday Celebration Sale" offering a tool chest at the ridiculous price of only $39.00
A phony “holiday celebration sale” ad advertising a tool chest at an unrealistically low price
Screenshot of Facebook "Why You Saw This Ad" notification of "Holiday Celebration Sale" wanting to show you their ads
Screenshot take May 27, 2025 showing all traces of the "Holiday Celebration Sale" were gone
By May 27, 2025, the campaign must have been stopped since all traces of the ads disappeared

Below is a spoof of a “Milwaukee Clearance of Excess Inventory from 2025” sale:  

Screenshot showing a spoof of "Milwaukee Clearance of Excess Inventory from 2025" tools sale
Example: “toolboxsale[.]com/collections/milwaukee-clearance-of-excess-inventory-from-2025

There are dozens of pages with this “Holiday Celebration Sale” name and the same logo on Facebook: “facebook[.]com/search/pages/?q=holiday%20celebration%20sale”  

Screenshot showing dozens of pages with the same "Holiday Celebration Sale" name and logo on Facebook
facebook[.]com/ads/library/?active_status=active&ad_type=all&country=ALL&is_targeted_country
=false&media_type=all&search_type=page&source=page-transparency-widget&view_all_page_id=582885318250730

Many are active advertisers:

Screenshot showing many of the "Holiday Celebration Sale" advertisers were active
Example: “facebook[.]com/ads/library/?active_status=active&ad_type=all&country=ALL&is_targeted_country
=false&media_type=all&search_type=page&source=page-transparency-widget&view_all_page_id=102448339253132

The ads from these are the same as in the other aspects of the scheme (above): 

Screenshot of multiple ads that were part of the "Holiday Celebration Sale" scam
Screenshot of the previously captured ad, but all ad traces have disappeared

Most of the advertiser accounts were empty, indicating that the advertiser had likely ended the campaigns. The previously captured ad appears to be gone, so it’s unclear which of the Facebook pages was behind the fourth ad.  

Brands Targeted by the GhostVendors’ Campaign

These fake marketplace scam campaigns appear to target dozens of major brands. Some websites feature generic names, whereas others feature brands directly in the domain names.

It also appears that all the websites in this network feature major brands on the product pages, and many of the prices for the products being advertised for sale are unrealistically low.

Silent Push Threat Analysts have not yet tested any of the purchase processes. Even so, we believe it’s likely that many of these don’t deliver the promised products and may instead engage in financial fraud by abusing credit cards used during the attempted purchase process.

The following brands are some of the organizations targeted:

General Retail & Department Stores

  1. Amazon:
    • myamazonboxnews[.]com
    • myamazonbox[.]com
    • amazonboxinc[.]com
    • amzncenter[.]com
    • amzglobalpallets[.]com
    • shopamazonpallet[.]com
  2. Costco:
    • costcosale[.]store
    • cstcosaw[.]xyz
  3. Nordstrom:
    • nordstromss[.]shop
  4. Saks Fifth Avenue:
    • saksavenueoff5th[.]shop
    • saksavenueoff5th[.]com
    • off5th[.]online
  5. Dollar General:
    • dolllargenerai[.]com
    • dollargeneralsupermarket[.]com
  6. KaDeWe (German department store):
    • kadewe-tasche[.]com
    • kadewebag[.]com
    • kadewehandtasche[.]com
  7. Argos UK:
    • argosuk-save[.]shop

Home Improvement & Specialty Retail

  1. Lowes:
    • lowessale[.]shop
  2. Tractor Supply:
    • tractorsupply-us[.]com
    • tractorsupply-co[.]online
  3. Advance Auto Parts:
    • advanceautopartsog[.]com
    • advanceautopartsdeal[.]com
    • advancepartsauto[.]com
    • advanceauto-clear[.]com
  4. Party City:
    • partycity-clearance[.]shop
    • partycitysupersale[.]shop
    • partycity-preopen[.]com
    • partycityliquidation[.]com
    • partycitywarehouseusa[.]com
  5. Joann (Craft/Fabric):
    • joannsave90[.]shop
    • joannliquidations-us[.]com
    • joann-clearing[.]com
  6. Big Lots:
    • biglotsgifts[.]com
  7. EGO Power+ Tools:
    • egopowerplus[.]store
  8. GE Appliances:
    • geappliances[.]life

Footwear Brands

  1. Birkenstock:
    • birkenoutlet-us[.]com
    • birkenstockfootwearsale[.]shop
    • birkenstockus[.]online
    • birkenstock-dealer[.]com
  2. Crocs:
    • crocs-outlets[.]com
  3. Skechers:
    • us-skecherl[.]com
  4. Hike Footwear:
    • hike-footwear-us[.]com
    • hike-footwear-sale[.]com
  5. Vionic Shoes:
    • vionic-online[.]com
    • vionic-shoes[.]shop
    • vionic-shoes[.]com
  6. Kizik Shoes:
    • kizik-us[.]shop
    • kizik-sale[.]com
  7. Vessi Shoes:
    • vessi-sale[.]com
  8. Vivobarefoot:
    • vivobarefoot-outlet[.]shop

Activewear & Athletic Apparel

  1. Brooks Running:
    • brooksonlinesale[.]shop
    • brooksrunning-us[.]shop
    • brooksrunninguss[.]shop
    • brooks-outlet[.]shop
  2. Alo Yoga:
    • aloyogaoutlet[.]top
  3. On Running:
    • onrunningsale-us[.]com
    • storeonrunning[.]com
    • on-running-outlets[.]com
  4. Vuori Clothing:
    • vuoriclothing-us[.]shop
    • vuoriclothing-world[.]shop
    • vuoristore[.]shop
  5. Icebreaker Clothing:
    • icebreaker-sale[.]com
    • icebreaker-store[.]com
  6. NOBULL Sportswear:
    • nobull-warehouse[.]shop
  7. Huk Clothing:
    • hukgears[.]shop
  8. Natural Life Clothing:
    • naturallife-outlet[.]shop
    • naturallife-warehouse[.]shop

Fashion & Luxury Brands

  1. Rolex:
    • 1908-rolexonline[.]com
  2. Tommy Bahama:
    • tommybahama-megasale[.]shop
    • tommybahama-bigsale[.]shop
  3. L.L. Bean:
    • llbeanus[.]online
    • llbean-megasales[.]shop
  4. Tom Ford Beauty:
    • tomfordbeautys[.]shop
  5. Rebecca Minkoff:
    • rebeccaminkoff-ny[.]com
  6. Goyard:
    • goyardes[.]com
    • goyardbagoutlet[.]vip
  7. Massimo Dutti:
    • massimodutioutlets[.]com
    • massimoduttioutlets[.]sbs
  8. Alpha Industries Outerwear:
    • alphaindustries-us[.]shop
  9. Volcom Clothing:
    • world-volcomsales[.]shop
  10. Popflex:
    • popflexactiveclub[.]com

Outdoor & Sporting Goods

  1. Duluth Trading:
    • duluthtradingclearance[.]com
    • duluthtrading-bigsales[.]com
  2. Orvis:
    • orvis-us[.]store
  3. Rock Bottom Golf:
    • rockbottomgolfshops[.]com
  4. Palmetto State Armory (Gun store):
    • palmettostateassrmoryus[.]shop
    • palmetostaeassrmoryte[.]shop
    • palmettoblitz[.]shop
    • palmettobestdeal[.]com
  5. Mammut Outdoor Gear:
    • mammut-discount[.]shop
  6. Rebel Sport (Australian retailer):
    • rebelsportauonline[.]com

Food & Grocery

  1. Instacart:
    • instaacart[.]shop
  2. Total Wine:
    • totalwinus[.]cc
    • totalwine-usa[.]com
    • totalwineus[.]cc
  3. Omaha Steaks:
    • omahasteakso[.]com
    • omahasteakssales[.]com
    • omahasteaksvip[.]com
    • omahasteaks[.]online
    • omahasteaks[.]discount
    • omabbhasteaaks[.]shop
  4. Thrive Market:
    • thrivemarketsale[.]shop
  5. Luke’s Lobster:
    • lukeslobstershop[.]com
    • lukeslobstermsc[.]com
  6. Cousin’s Maine Lobster:
    • cousinsmainelobstershop[.]com

Farm & Garden

(It appears these farms were chosen due to their presence on Facebook)

  1. Fast Growing Trees (Online tree store):
    • fastgrowtree[.]store
    • fastgrowtree[.]com
    • fastgrowingtree[.]store
  2. Gurney’s Seed and Nursery:
    • gurneys[.]store
  3. White Oak Pastures:
    • whiteoakpasturesbfp[.]com
  4. Seven Sons Farm:
    • sevensonsfarm[.]shop
    • sevensonsfarms[.]shop
    • sevensonsbeef[.]shop
  5. 44 Farms:
    • 44farms[.]shop
  6. Tyner Pond Farm:
    • tynerpondfarm[.]shop
  7. Pipers Farms:
    • pipersfarms[.]shop

Home & Hobbies

  1. Bath & Body Works:
    • bathandbodyworks-us[.]sbs
  2. Yankee Candle:
    • yankeecandles[.]shop
  3. Ravensburger Puzzles:
    • ravensburger-online[.]sbs
  4. Buffalo Games & Puzzles:
    • buffalogames-online[.]shop
  5. Arcade1Up Gaming:
    • arcade1upshopbuy[.]shop
  6. Cobble Hill Puzzles:
    • cobblehill[.]sbs
    • cobblehillpuzzles[.]sbs
  7. The Woobles Crochet:
    • thewoobles-sale[.]com
    • thewoobles-us[.]com

Continuing to Track GhostVendors’ Marketplace Scam Websites

Silent Push Threat Analysts consider web shop and fake marketplace scams a prolific global threat to social networks, advertising networks, major brands, and the consumers who are unfortunate enough to encounter them.

It’s clear that many different threat actors launch these marketplace scams, and yet, fortunately, many reuse page and server templates to facilitate the speed of their deployments.

Our team will continue to investigate these scams and appreciates any leads that may help us identify new campaigns.

Back to Blog
Related Post
Read More
Blog

U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator

May 30, 2025
News Source
Blog

New Finance Scam Discovered Abusing Niche X/Twitter Advertising Loophole

May 7, 2025
News Source
Blog

Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie

April 24, 2025
News Source

Silent Push Inc. ©2025