Silent Push now offers bi-directional support for STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) – two of the most widely adopted standards for Cyber Threat Intelligence (CTI) sharing and automation.
This capability injects our industry-leading preemptive threat intelligence directly into your existing security workflows, allowing for faster, smarter decision-making without added complexity, and giving teams the ability to collaborate cross-platform to detect emerging threats at the earliest opportunity.
What are STIX and TAXII?
The speed and clarity of intelligence delivery determine how well teams respond to emerging adversary activity. CTI is often fragmented, stuck in proprietary formats, or siloed across different systems, making it hard to get at actionable intelligence or to collaborate effectively to detect hidden threats.
Enter stage right: STIX and TAXII.
STIX is a standardized format for structuring threat intelligence – from domain and IP indicators, to TTPs, APT relationships, and threat actor profiles. It provides a machine-readable way to express contextual intelligence in a format that analysts and tools can easily understand.
Together, STIX and TAXII simplify integration, reduce manual effort, and help security teams operate with greater precision and speed.
Not Just Another Feed: Actionable STIX Data Built from IOFA™
Silent Push Enterprise users can now easily ingest threat data derived from infrastructure-level intelligence that focuses on the ways threat actors set up and manage their infrastructure, structured in STIX format and delivered via TAXII feeds.
This allows Silent Push data to plug directly into TIP, SIEM and SOAR platforms, or any other cybersecurity system that supports these standards.
It’s not just about the format. What sets Silent Push apart is the quality and depth of the intelligence being shared.
Unlike CTI vendors that aggregate third-party feeds, or focus solely on IOCs, Silent Push captures and analyzes the unseen layers of attacker infrastructure – from passive DNS and web content changes to behavioral patterns, automation signatures, and hosting relationships – and delivers them as Indicators of Future Attack (IOFA)™.
All our data is collected and aggregated by us, globally and independently, with no reliance on external resolvers or limited partnerships.
This means the STIX data you’re receiving isn’t just another feed of stale domains or hashes. It’s real infrastructure context, including domains and IPs tagged with relevant information, such as threat actor name, linked campaigns, nameserver reputation, malware type, and IOFA™ feed presence.
Plug and Protect: Use Cases for STIX/TAXII in Silent Push
With Silent Push’s STIX/TAXII support, organizations can:
Automate IOFA™ ingestion: Feed Silent Push indicators directly into your SIEM or firewall policy engine without manual formatting or translation.
Enrich existing alerts: Correlate events in your environment with deeper infrastructure context pulled from Silent Push intelligence.
Build custom detections: Use Silent Push data in threat-hunting playbooks or SOAR workflows to uncover related infrastructure and prevent lateral movement.
Bi-directional intelligence sharing: Ingest external CTI data into your Silent Push subscription and contribute IOFA™ to CTI sharing communities using a common, interoperable language.
Whether you’re part of a Security Operations Center (SOC), threat hunting team, or CTI unit, this integration allows you to move faster, reduce noise, and act with greater confidence.
Silent Push/OpenCTI TAXII configuration
Designed for Flexibility
Silent Push’s STIX/TAXII implementation is engineered to support flexible consumption of CTI data.
Pull or push feeds to your preferred tools and platforms
Choose from curated data sets – including malicious hosting clusters, high-risk domains, or specific TTPs
Apply filters based on region, time, or infrastructure type in Feed Scanner
Access feeds programmatically for full automation, or manually for ad hoc investigations
We’ve also made sure our TAXII server meets the latest interoperability standards, ensuring compatibility with the tools your team already uses.
Book a Demo
In a security environment that demands faster decisions and tighter integration, Silent Push’s support for STIX and TAXII helps organizations minimize siloed information sharing, and operationalize threat intelligence with minimal friction.
By combining the depth of Silent Push data with the power of open standards, we’re making it easier than ever for teams to stay ahead of adversary infrastructure, and act before the next attack chain begins.
Get in touch today for a personalized demonstration.
Smishing Triad is a coordinated, large-scale phishing operation leveraging mobile messaging (SMS) to impersonate trusted financial and shipping brands. First observed in 2023, it has rapidly evolved into an industrialized ecosystem of phishing kits developed and distributed by Chinese actors — now active in over 121 countries, with a sharp increase in attacks across the APJ region.
The campaign is targeting some of the world’s biggest brands, including HSBC, PayPal, Mastercard, Bank of America, Chase, and more.
Learn about Smishing Triad’s key targets in the financial services sector
Discover the global campaign’s infrastructure and attack methods
Access actionable mitigation strategies and techniques, including a sample list of Indicators of Future Attack™
This isn’t just another phishing report. It’s a look into the next generation of threat infrastructure targeting financial services — one your security team needs to understand now.
The Silent Push Difference
Silent Push provides preemptive cyber intelligence that exposes threat actor infrastructure as it’s being set up and shares it as Indicators of Future Attack (IOFA), allowing organizations to proactively block attacks.
The Challenge: Drowning in a Deluge of APT Investigations
Like many large enterprises, our media services customer faced the daunting task of sifting through vast quantities of raw threat intelligence relating to high-profile Advanced Persistent Threat (APT) groups targeting their organization.
Even with robust security infrastructure, the sheer complexity of data related to APT activity, and their expansive online presence, meant that identifying and responding to APT behavior was a time-consuming and reactive endeavour.
Each investigation was a deep dive, requiring significant manual effort to correlate disparate pieces of information, and extract actionable intelligence that could be used in the organization’s security operation.
This not only put a strain on their Security Operations Center (SOC) team, but also delayed their ability to preemptively mitigate threats, leaving windows of vulnerability open longer than desired.
The existing workflows, while comprehensive, struggled to keep pace with the dynamic nature of APT activity, leading to prolonged investigation cycles and a persistent sense of playing catch-up.
The Solution: TLP Amber Reports within Silent Push Enterprise
Silent Push Enterprise edition features exclusive access to APT and threat-specific TLP (Traffic Light Protocol) Amber reports.
Built on the insight and knowledge we gain through the platform’s ability to reveal and track infrastructure as it’s being deployed, TLP Amber Reports are drafted by Silent Push’s expert Threat Analysts who have collectively produced industry-leading research on high-profile threat campaigns.
Our reports go much deeper than our public blogs, featuring direct links to pivots, queries, scans, and datasets, so that teams can follow along within the platform, along with a comprehensive list of Indicators of Future Attack (IOFA)™ that are exposed during the investigation.
TLP Amber Reports menu
Using our reports as a jump-off point for APT investigations, our customer’s security team no longer had to painstakingly piece together information from multiple sources.
Critical context, including attacker methodologies, tools, and infrastructure, is presented directly within the platform, drastically reducing investigation time. Each TLP Amber report is also tagged with the relevant threat actor or campaign name, and is presented alongside a corresponding IOFA Feed.
Our customer streamlined a time-consuming and reactive process into a short, sharp, review of immediately available intelligence, significantly bolstering their security posture against some of the most highly advanced and prominent cybercriminals currently in operation.
What took days (or even weeks), now took a few hours.
The Silent Push Difference: Ready-made SOC and IR Intelligence
With TTPs laid bare and actionable pivots readily available, the time spent investigating APT activity plummeted. Analysts could now quickly understand an adversary’s modus operandi and identify infrastructure for blocking and reporting.
By understanding the patterns involved in APT infrastructure deployment and management, the security team moved from a reactive to a truly preemptive stance, with a newfound ability to predict where an attack was likely to originate, rather than relying on post-breach indicators that were often redundant as soon as they were publicly known.
Intelligence that was previously hard to access – either spread across multiple pieces of research, hidden under the surface of an attack, or requiring extensive manual correlation – became readily available.
Learn more about our unique approach to preemptive threat intelligence
Find out how Silent Push can help you save countless hours of painstaking threat research with customised TLP Amber reports that are specific to your area of expertise.
Silent Push Threat Analysts have uncovered a massive “fake marketplace” scam campaign we have dubbed “GhostVendors” involving online ads that impersonate dozens of major brands and spoof actual products on thousands of fraudulent websites.
We found over 4,000 domains that are part of this fake marketplace network. This is a significant threat targeting social networks, major brands, advertising companies, and consumers worldwide.
During our research, we found that after the threat actor posted its malicious Facebook Marketplace ads for a few days, it stopped its campaigns, thereby deleting all traces of them from the Meta Ad Library.
We determined that the threat actors are exploiting an existing Meta policy to target major brands and then completely remove previously posted ads.
Executive Summary
Silent Push Threat Analysts are tracking a massive “fake marketplace” scam that uses thousands of fake websites to abuse dozens of major brands and buy Facebook ads to promote its scam products. Our team is labeling this group “GhostVendors,” and we suspect they are also purchasing ads on other networks to self-promote their scam sites. We will update this report accordingly as our investigation continues.
Our team also confirmed how a Facebook advertiser can buy ads that show up in the Meta Ad Library while they are running, and then stop their campaigns, thereby removing all evidence of their posted ads from the Meta Ad Library. In early May 2025, we documented the appearance of ads from this threat actor group that were searchable in the Ad Library; five days later, all evidence of their presence had been removed from the Ad Library because the ad campaigns had stopped. This helped confirm that a known Meta Ad Library policy existed, and highlighted that these threat actors were potentially taking advantage of it by rapidly launching and stopping ads for similar products on different pages.
Based on the brands being impersonated, this campaign appears to focus on impersonating brands that buy large amounts of online ads—many of the impersonated brands are huge and well-known for purchasing significant quantities of ads. In contrast, other brands being impersonated are smaller ones that mostly use online sales processes.
Brands our team has observed being targeted by the GhostVendors campaign include:
Amazon, Costco, Bath & Body Works, Nordstrom, Saks Fifth Avenue, Lowes, L.L. Bean, Tommy Bahama, Rolex, Brooks Running, Birkenstock, Crocs, Skechers, Total Wine, Omaha Steaks, Instacart, Duluth Trading, Advance Auto Parts, Party City, Dollar General, Tractor Supply, Joann, Big Lots, Orvis, Alo Yoga, On Running, Tom Ford Beauty, Rebecca Minkoff, Yankee Candle, Hoka, Thrive Market, Vionic Shoes, Rock Bottom Golf, Vuori Clothing, Goyard, Icebreaker Clothing, NOBULL Sportswear, Alpha Industries, Volcom, Kizik Shoes, Vessi Shoes, Mammut Outdoor Gear, Buffalo Games & Puzzles, Ravensburger Puzzles, Fast Growing Trees, Gurney’s Seed and Nursery, Vivobarefoot, KaDeWe, Palmetto State Armory, Natural Life, Luke’s Lobster, Cousins Maine Lobster, White Oak Pastures, Seven Sons Farm, Arcade1Up Gaming, EGO Power+ Tools, Cobble Hill Puzzles, Popflex, Argos UK, Huk Clothing, 44 Farms, Tyner Pond Farm, Pipers Farms, Rebel Sport, The Woobles Crochet, Massimo Dutti, and GE Appliances.
Silent Push Threat Analysts have tracked numerous types of “fake marketplace” scams. In 2024, we tracked a group we dubbed the “AIZ—Aggressive Inventory Zombies,” covering it with an in-depth report exclusively for our enterprise clients and a public blog.
Many threat actors create fake online marketplaces that promote real products, using them to conduct various types of financial fraud. This is achieved by either not delivering the ordered products or stealing victims’ payment details. Multiple variations of these types of scams exist, but the end goal for each is typically quick cashouts. Most of these networks abuse large numbers of domains due to the speed with which social networks and other sources respond and block their sites.
Our team recently received a tip about a Facebook Marketplace ad promoting a Milwaukee Tool Box at an impossibly low price via a domain clearly set up using a domain generation algorithm (DGA), a common tactic employed in many malicious campaigns.
By investigating the advertised products, examining various content clues, and tracking the campaign’s heavy use of technical practices, our team expanded our search from the initial suspicious site to thousands of marketplace scam websites targeting a wide range of social networks and individuals worldwide.
Milwaukee Tools’ Brand Spoofed via Facebook Marketplace Ads, Facebook Purges Ads’ Library of Proof
On May 7, 2025, Silent Push Threat Analysts captured a Facebook page promoting a fake marketplace that spoofed the “Milwaukee Tools” brand. The ad content used the word “Millaeke” while featuring an image of a Milwaukee Tool box:
Screenshot from Facebook Marketplace, May 7, 2025
Our team examined the ad for more information and confirmed that the advertiser’s name was “Millaeke,” while the domain they were promoting in the ad was wuurkf[.]com.
May 7, 2025 screenshot from Facebook Marketplace
The full URL of the malicious sponsored Facebook Marketplace ad was:
The UTM “link tracking” parameters appended to the URL after clicking the ad included:
“utm_medium=paid&utm_source=fb”
The Facebook page where these ads are bought could be seen at: “facebook[.]com/profile.php?id=61575534312860”, although once the campaign ended, all traces of the previously published Facebook posts disappeared.
Screenshot of the Facebook page “Millaeke” showing that all posts had disappeared
After viewing Millaeke’s original ad, our team navigated to the Meta Ad Library and confirmed that the page was currently running numerous ads.
However, five days after our team discovered the ads, Millaeke must have stopped its campaign, as all the ads disappeared from the library, which you can see here.
The Meta Ad Library showed no advertisements from “Millaeke”—even though ads were displayed here five days earlier
Facebook’s Ad Library Only Includes Active Ads, Creating Threat Tracking Challenges
Our researchers continued to investigate details surrounding Facebook’s ad policy. What we found is that Meta retains ads in the Ad Library on social issues, elections, and politics that have run for the past seven years. However, Meta’s policy dictates that any other types of ads are ONLY saved while those ads are part of active campaigns.
As soon as a campaign ends, the ads are removed from the Ad Library, as exemplified by our monitoring of the fake marketplace ads. This makes tracking threats that abuse Facebook ads much more difficult. It also highlights a challenge for defenders, which can only be effectively addressed by scraping this source of data and creating an external repository—something that appears to be prohibited. As a result, it’s currently impossible to holistically track malicious ads on this network.
Silent Push Threat Analysts will continue to monitor the situation and update this report if additional facts emerge.
Tracking the GhostVendors’ Marketplace Scam
The previous campaign targeting Milwaukee Tools was using specific metadata for its scam, with clearly observable patterns:
Recalling that these types of campaigns are typically “spray and pray” efforts, in which threat actors regularly spin up large amounts of infrastructure to mitigate takedown efforts, a common tactic in such efforts is for a threat actor to clone their websites rather than make each one unique. Doing so presents an opportunity for defenders.
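One way a defender can use that cloning, shown as an added example rather than Silent Push's own fingerprinting method: reduce each page to the tag, class and asset-path tokens that survive a copy, then group pages whose token sets overlap. The `.example` domains, the HTML samples and the 0.8 threshold are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class SkeletonParser(HTMLParser):
    """Collects markup features that stay the same when a storefront template is cloned."""

    def __init__(self):
        super().__init__()
        self.tokens = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Sort class names so attribute order does not change the token.
        classes = ".".join(sorted((attrs.get("class") or "").split()))
        if tag in ("script", "img"):
            ref = attrs.get("src")
        elif tag == "link":
            ref = attrs.get("href")
        else:
            ref = None
        # Keep only the asset path: the hostname differs on every clone.
        path = urlsplit(ref).path if ref else ""
        self.tokens.add(f"{tag}#{classes}@{path}")

def features(html):
    """Set of tag/class/asset-path tokens; visible text and repeat counts are ignored."""
    parser = SkeletonParser()
    parser.feed(html)
    parser.close()
    return frozenset(parser.tokens)

def jaccard(a, b):
    """Overlap of two token sets, from 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def cluster(pages, threshold=0.8):
    """Greedy grouping: a page joins the first cluster whose seed page it resembles."""
    feats = {domain: features(html) for domain, html in pages.items()}
    clusters = []
    for domain in sorted(feats):
        for members in clusters:
            if jaccard(feats[domain], feats[members[0]]) >= threshold:
                members.append(domain)
                break
        else:
            clusters.append([domain])
    return [members for members in clusters if len(members) > 1]

# Constructed pages on reserved .example names; not content from any real site.
CLONE_A = """<html><head><title>Tool Deals</title>
<link rel="stylesheet" href="https://cdn-a.example/assets/theme.min.css">
<script src="https://cdn-a.example/assets/cart.js"></script></head>
<body class="tpl-home"><div class="hdr nav"><img src="/img/logo.png"></div>
<div class="grid"><div class="card product"><span class="price now">$19</span></div></div>
<div class="ftr"><a class="policy" href="/pages/refund">Refunds</a></div></body></html>"""

CLONE_B = """<html><head><title>Garden Outlet</title>
<link rel="stylesheet" href="https://cdn-b.example/assets/theme.min.css">
<script src="https://cdn-b.example/assets/cart.js"></script></head>
<body class="tpl-home"><div class="banner">Sale</div><div class="nav hdr"><img src="/img/logo.png"></div>
<div class="grid"><div class="card product"><span class="now price">$7</span></div>
<div class="card product"><span class="now price">$9</span></div></div>
<div class="ftr"><a class="policy" href="/pages/refund">Returns</a></div></body></html>"""

UNRELATED = """<html><head><title>Hardware Store</title></head>
<body><h1>Welcome</h1><p>Opening hours</p><a href="/contact">Contact</a></body></html>"""

SAMPLE_PAGES = {
    "shop-one.example": CLONE_A,
    "shop-two.example": CLONE_B,
    "legit-store.example": UNRELATED,
}

if __name__ == "__main__":
    print(cluster(SAMPLE_PAGES))
```

The two clones differ in title, prices, product count, class order and asset host, yet still share 13 of 14 tokens; the unrelated page stays outside the cluster.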
When tracking campaigns, our analysts often look to the Google index due to its speed in indexing internal pages. Silent Push primarily scans homepages as part of our global content indexing effort, along with internal pages input by our users and threat researchers.
By performing a Google Search, we looked for the exact product name used in the scam ad:
The query returned fewer than 10 unique results – two entries appeared to be for legit marketplaces, but six other domains featured impossibly cheap prices, DGA domains, or, in this instance, were directly spoofing Wayfair:
kpwmua[.]com – Currently offline
vtmzox[.]com – Currently offline
acudcct[.]com – Online
toolzde[.]com – Online
yvnbpm[.]com – Online, spoofing Wayfair
gardonset[.]com – Online, spoofing Wayfair
Example on “acudcct[.]com”
Example on “yvnbpm[.]com”
Example on “gardonset[.]com”
Example on “toolzde[.]com”
Additional Facebook Advertisements from the GhostVendors’ Fake Marketplace Threat Actor
Silent Push Threat Analysts discovered two additional examples of Facebook Marketplace ads from the same threat actor group, promoting domains that matched our previous content fingerprints.
Both of these examples were first seen on May 13, 2025.
Screenshot of Facebook Marketplace ad promoting “wrocxop[.]com”
The first Facebook Marketplace ad was from the Facebook page “Rabx-B,” promoting the website “wrocxop[.]com,” on the same host as the previous websites.
Facebook Marketplace ad “Advertiser Details” showing advertiser “Rabx-B”
Screenshot of Facebook page “Rabx-B” purchasing fake marketplace ads – the email address used on the page is “brunothuz805888@outlook[.]com” with phone number (706) 294-9657
The second Facebook Marketplace ad, captured on May 13, 2025, was for the same Facebook page advertiser, “Rabx-B,” but this time it was promoting a new domain, “wesuoey[.]shop.”
After comparing the new domain from the same advertiser to what was previously seen, we then returned to the Meta Ad Library to review all 22 Rabx-B ads. We confirmed they were promoting different domains and, importantly, noted that the visible domain in the ad did not match the final destination ad in all instances:
wesuoey[.]shop – visible in ad text but link click redirects to wesonhz[.]shop
Two ads from the same advertiser promoted the domain “wrocxop[.]com” within the visible ad, as seen below, yet redirected the user to “wesonhz[.]shop”.
Screenshot of the Rabx-B ad promoting the domain “wrocxop[.]com”
By May 27, 2025, all traces of the Rabx-B ads were gone from the marketplace library
Redirection interstitial on Facebook after clicking the Rabx-B ad promoting “wrocxop[.]com,” which doesn’t mention the actual URL redirect on this domain
Screenshot of the redirect from “wrocxop[.]com” to “wesonhz[.]shop,” showing the product details page hosted on “wesonhz[.]shop”
It’s clear from this most recent Facebook Marketplace advertiser’s usage of multiple domains, combined with the effort undertaken on their previous campaigns to rapidly end them and thus remove all traces of their ads from the Meta Ad Library, that this particular threat actor has a thorough understanding of the platform’s advertising features and policies.
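The displayed-versus-landing mismatch described above can be checked mechanically once ad clicks have been captured. The following is an added example, not code from Silent Push: it compares the domain shown in an ad with the last hop of the recorded redirect chain, notes the paid-Facebook UTM pair reported earlier, and groups displayed domains by shared landing domain. The record layout, the paths and the short suffix table are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: tiny stand-in for the Public Suffix List; load the real list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br"}

def refang(text):
    """Undo report-style defanging so the value can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def defang(host):
    """Re-defang a hostname before it is written to a report or ticket."""
    return host.replace(".", "[.]")

def host_of(value):
    """Hostname of a full URL or of bare ad text such as 'wrocxop[.]com'."""
    value = refang(value.strip())
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower().rstrip(".")

def registrable(host):
    """Approximate registrable domain, so www.shop.tld and shop.tld compare equal."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_paid_facebook(url):
    """True when the URL carries the UTM pair the article saw appended to an ad click."""
    query = parse_qs(urlsplit(refang(url)).query)
    return query.get("utm_medium") == ["paid"] and query.get("utm_source") == ["fb"]

def analyze_click(record):
    """Compare the domain shown in the ad with where the click actually landed."""
    if not record["hops"]:
        raise ValueError("no redirect chain captured for this ad")
    shown = registrable(host_of(record["displayed"]))
    chain = [registrable(host_of(u)) for u in record["hops"]]
    return {
        "advertiser": record["advertiser"],
        "displayed": defang(shown),
        "final": defang(chain[-1]),
        "mismatch": shown != chain[-1],
        "paid_fb": any(is_paid_facebook(u) for u in record["hops"]),
    }

def shared_destinations(records):
    """Map each landing domain to every different domain that was shown for it."""
    pivots = {}
    for result in map(analyze_click, records):
        if result["mismatch"]:
            pivots.setdefault(result["final"], set()).add(result["displayed"])
    return {final: sorted(shown) for final, shown in pivots.items()}

# Constructed records: domain pairs and UTM values are from the article,
# paths and the record layout are invented for this example.
SAMPLE_CLICKS = [
    {"advertiser": "Rabx-B", "displayed": "wrocxop[.]com",
     "hops": ["hxxps://wrocxop[.]com/", "hxxps://wesonhz[.]shop/"]},
    {"advertiser": "Rabx-B", "displayed": "wesuoey[.]shop",
     "hops": ["hxxps://wesonhz[.]shop/"]},
    {"advertiser": "Millaeke", "displayed": "wuurkf[.]com",
     "hops": ["hxxps://wuurkf[.]com/?utm_medium=paid&utm_source=fb"]},
    {"advertiser": "constructed benign shop", "displayed": "shop.example.co.uk",
     "hops": ["https://www.example.co.uk/sale"]},
]

if __name__ == "__main__":
    for click in SAMPLE_CLICKS:
        print(analyze_click(click))
    print(shared_destinations(SAMPLE_CLICKS))
```

A landing domain that several different displayed domains resolve to is a useful pivot, because it ties separate ads and advertiser pages to one piece of infrastructure.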
Our research team discovered another example of a malicious Facebook ad from this same threat actor on May 16, 2025. The ad was posted from the page “Tools Clearance” (facebook[.]com/profile.php?id=61574929192093), impersonating GE Appliances on the domain “geappliances[.]life”:
We discovered a malicious Facebook ad hosted on “geappliances[.]life” on May 16, 2025
The domain “geappliances[.]life” contains the same technical fingerprint used to track other websites in this campaign.
The ads for this “Tools Clearance” page were seen in the Meta Ad Library.
By May 27, 2025, the threat actor stopped the campaign, causing all traces of the “Tools Clearance” ads to disappear from the marketplace library
Discovering Four New Ads
Our research team discovered four additional fake marketplace advertisements:
Phony ad for a heavy-duty 23-drawer rolling tool chest and cabinet for the unrealistic price of $121.86
Phony ad impersonating Wayfair promoting “woylervip[.]com/collections/Tool-Box/products”
By stopping the campaign, the threat actor was able to have its ads disappear from the Facebook Ad Library.
Example ad from the campaign above: “facebook[.]com/ads/library/?active_status=active&ad_type=all&country=US&id=120224586724400601&is_targeted_country=false&media_type=all&search_type=page&source=info-sheet&view_all_page_id=654433934418507”
By May 27, 2025, the threat actor must have stopped the campaign since all traces of the ads disappeared from the marketplace library
The second ad:
A second example of a tool chest advertised at an unrealistically low price
There are dozens of pages with this “Holiday Celebration Sale” name and the same logo on Facebook: “facebook[.]com/search/pages/?q=holiday%20celebration%20sale”
The ads from these are the same as in the other aspects of the scheme (above):
Screenshot of the previously captured ad, but all ad traces have disappeared
Most of the advertiser accounts were empty, indicating that the advertiser had likely ended the campaigns. The previously captured ad appears to be gone, so it’s unclear which of the Facebook pages was behind the fourth ad.
Brands Targeted by the GhostVendors’ Campaign
These fake marketplace scam campaigns appear to target dozens of major brands. Some websites feature generic names, whereas others feature brands directly in the domain names.
It also appears that all the websites in this network feature major brands on the product pages, and many of the prices for the products being advertised for sale are unrealistically low.
Silent Push Threat Analysts have not yet tested any of the purchase processes. Even so, we believe it’s likely that many of these don’t deliver the promised products and may instead engage in financial fraud by abusing credit cards used during the attempted purchase process.
The targeted organizations fall into the following categories: General Retail & Department Stores, Home Improvement & Specialty Retail, Footwear Brands, Activewear & Athletic Apparel, Fashion & Luxury Brands, Outdoor & Sporting Goods, Food & Grocery, Farm & Garden, and Home & Hobbies. (It appears the farms were chosen due to their presence on Facebook.)
Continuing to Track GhostVendors’ Marketplace Scam Websites
Silent Push Threat Analysts consider web shop and fake marketplace scams a prolific global threat to social networks, advertising networks, major brands, and the consumers who are unfortunate enough to encounter them.
It’s clear that many different threat actors launch these marketplace scams, and yet, fortunately, many reuse page and server templates to facilitate the speed of their deployments.
Our team will continue to investigate these scams and appreciates any leads that may help us identify new campaigns.