GhostVendors Exposed: Silent Push Uncovers Massive Network of 4000+ Fraudulent Domains Masquerading as Major Brands

Key Findings

  • Silent Push Threat Analysts have uncovered a massive “fake marketplace” scam campaign we have dubbed “GhostVendors” involving online ads that impersonate dozens of major brands and spoof actual products on thousands of fraudulent websites.
  • We found over 4,000 domains that are part of this fake marketplace network. This is a significant threat targeting social networks, major brands, advertising companies, and consumers worldwide.
  • During our research, we found that after the threat actor posted its malicious Facebook Marketplace ads for a few days, it stopped its campaigns, thereby deleting all traces of them from the Meta Ad Library.
  • We determined that the threat actors are exploiting an existing Meta policy to target major brands and then completely remove previously posted ads.

Executive Summary

Silent Push Threat Analysts are tracking a massive “fake marketplace” scam that uses thousands of fake websites to abuse dozens of major brands and buy Facebook ads to promote its scam products. Our team is labeling this group “GhostVendors,” and we suspect they are also purchasing ads on other networks to self-promote their scam sites. We will update this report accordingly as our investigation continues.

Our team also confirmed that a Facebook advertiser can buy ads that appear in the Meta Ad Library while they are running and then stop the campaigns, thereby removing all evidence of the ads from the Ad Library. In early May 2025, we documented ads from this threat actor group that were searchable in the Ad Library; five days later, all evidence of them had been removed because the campaigns had stopped. This confirmed the known Meta Ad Library policy in practice and suggests that these threat actors may be taking advantage of it by rapidly launching and stopping ads for similar products on different pages.

Based on the brands being impersonated, this campaign appears to focus on impersonating brands that buy large amounts of online ads—many of the impersonated brands are huge and well-known for purchasing significant quantities of ads. In contrast, other brands being impersonated are smaller ones that mostly use online sales processes.

Brands our team has observed being targeted by the GhostVendors campaign include:

Amazon, Costco, Bath & Body Works, Nordstrom, Saks Fifth Avenue, Lowes, L.L. Bean, Tommy Bahama, Rolex, Brooks Running, Birkenstock, Crocs, Skechers, Total Wine, Omaha Steaks, Instacart, Duluth Trading, Advance Auto Parts, Party City, Dollar General, Tractor Supply, Joann, Big Lots, Orvis, Alo Yoga, On Running, Tom Ford Beauty, Rebecca Minkoff, Yankee Candle, Hoka, Thrive Market, Vionic Shoes, Rock Bottom Golf, Vuori Clothing, Goyard, Icebreaker Clothing, NOBULL Sportswear, Alpha Industries, Volcom, Kizik Shoes, Vessi Shoes, Mammut Outdoor Gear, Buffalo Games & Puzzles, Ravensburger Puzzles, Fast Growing Trees, Gurney’s Seed and Nursery, Vivobarefoot, KaDeWe, Palmetto State Armory, Natural Life, Luke’s Lobster, Cousins Maine Lobster, White Oak Pastures, Seven Sons Farm, Arcade1Up Gaming, EGO Power+ Tools, Cobble Hill Puzzles, Popflex, Argos UK, Huk Clothing, 44 Farms, Tyner Pond Farm, Pipers Farms, Rebel Sport, The Woobles Crochet, Massimo Dutti, and GE Appliances.




Background

Silent Push Threat Analysts have tracked numerous types of “fake marketplace” scams. In 2024, we tracked a group we dubbed the “AIZ—Aggressive Inventory Zombies,” covering it with an in-depth report exclusively for our enterprise clients and a public blog.

Many threat actors create fake online marketplaces that promote real products, using them to conduct various types of financial fraud. This is achieved by either not delivering the ordered products or stealing victims’ payment details. Multiple variations of these types of scams exist, but the end goal for each is typically quick cashouts. Most of these networks abuse large numbers of domains due to the speed with which social networks and other sources respond and block their sites.

Our team recently received a tip about a Facebook Marketplace ad promoting a Milwaukee Tool Box at an impossibly low price via a domain clearly created with a domain generation algorithm (DGA), a common tactic employed in many malicious campaigns.

By investigating the advertised products, examining various content clues, and tracking the campaign’s heavy use of technical practices, our team expanded our search from the initial suspicious site to thousands of marketplace scam websites targeting a wide range of social networks and individuals worldwide.


Milwaukee Tools’ Brand Spoofed via Facebook Marketplace Ads, Facebook Purges Ads’ Library of Proof

On May 7, 2025, Silent Push Threat Analysts captured a Facebook page promoting a fake marketplace that spoofed the “Milwaukee Tools” brand. The ad content used the word “Millaeke” while featuring an image of a Milwaukee Tool box:

Screenshot from Facebook Marketplace, May 7, 2025

Our team examined the ad for more information and confirmed that the advertiser’s name was “Millaeke,” while the domain they were promoting in the ad was wuurkf[.]com.

“Why You Saw This Ad” screenshot from Facebook Marketplace, captured May 7, 2025

The full URL of the malicious sponsored Facebook Marketplace ad was:

wuurkf[.]com/collections/Tool-Box/products/Milwaukee-56-Premium-18-Drawer-Tool-Box-Chest-and-Cabinet-Combo-with-Electronic-Keypad-Lock

The UTM “link tracking” parameters appended to the URL after clicking the ad included:

utm_medium=paid&utm_source=fb

The Facebook page from which these ads were bought could be seen at “facebook[.]com/profile.php?id=61575534312860”, although once the campaign ended, all traces of the previously published Facebook posts disappeared.

Screenshot of the Facebook page “Millaeke” showing that all posts had disappeared

After viewing Millaeke’s original ad, our team navigated to the Meta Ad Library and confirmed that the page was currently running numerous ads.

However, five days after our team discovered the ads, Millaeke must have stopped its campaign, as all the ads disappeared from the library, which you can see here.

The Meta Ad Library showed no advertisements from “Millaeke”—even though ads were displayed here five days earlier

Facebook’s Ad Library Only Includes Active Ads, Creating Threat Tracking Challenges

Our researchers continued to investigate details surrounding Facebook’s ad policy. What we found is that Meta retains ads in the Ad Library on social issues, elections, and politics that have run for the past seven years. However, Meta’s policy dictates that any other types of ads are ONLY saved while those ads are part of active campaigns.

As soon as a campaign ends, the ads are removed from the Ad Library, as exemplified by our monitoring of the fake marketplace ads. This makes tracking threats that abuse Facebook ads much more difficult. It also highlights a challenge for defenders, which can only be effectively addressed by scraping this source of data and creating an external repository—something that appears to be prohibited. As a result, it’s currently impossible to holistically track malicious ads on this network. 

Silent Push Threat Analysts will continue to monitor the situation and update this report if additional facts emerge.

Tracking the GhostVendors’ Marketplace Scam

The previous campaign targeting Milwaukee Tools was using specific metadata for its scam, with clearly observable patterns:

wuurkf[.]com/collections/Tool-Box/products/Milwaukee-56-Premium-18-Drawer-Tool-Box-Chest-and-Cabinet-Combo-with-Electronic-Keypad-Lock

These types of campaigns are typically “spray and pray” efforts in which threat actors regularly spin up large amounts of infrastructure to mitigate takedown efforts. A common tactic in such efforts is for a threat actor to clone their websites rather than make each one unique, which presents an opportunity for defenders.

When tracking campaigns, our analysts often look to the Google index due to its speed in indexing internal pages. Silent Push primarily scans homepages as part of our global content indexing effort, along with internal pages input by our users and threat researchers.

By performing a Google Search, we looked for the exact product name used in the scam ad:

Google Dork Query

inurl:/products/milwaukee-56-premium-18-drawer-tool-box-chest-and-cabinet-combo-with-electronic-keypad-lock/

The query returned fewer than 10 unique results – two entries appeared to be for legit marketplaces, but six other domains featured impossibly cheap prices, DGA domains, or, in this instance, were directly spoofing Wayfair:

  • kpwmua[.]com – Currently offline
  • vtmzox[.]com – Currently offline
  • acudcct[.]com – Online
  • toolzde[.]com – Online
  • yvnbpm[.]com – Online, spoofing Wayfair
  • gardonset[.]com – Online, spoofing Wayfair

Example on “acudcct[.]com”

Example on “yvnbpm[.]com”

Example on “gardonset[.]com”

Example on “toolzde[.]com”
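The cloned-storefront pivot described above can be reproduced on any set of collected URLs by normalizing the product slug and grouping domains that serve the same one. This is an added example, not Silent Push tooling: the function names are hypothetical, and the `/products/` paths shown for the search-result domains are constructed from the dork pattern rather than captured.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample. The first URL and its UTM parameters are quoted on the
# page; the next three pair domains from the search results with the dork's
# path (an assumption); the last entry is an invented non-matching control.
SLUG = ("milwaukee-56-premium-18-drawer-tool-box-chest-and-cabinet-combo-"
        "with-electronic-keypad-lock")
OBSERVED = [
    "wuurkf[.]com/collections/Tool-Box/products/Milwaukee-56-Premium-18-Drawer-"
    "Tool-Box-Chest-and-Cabinet-Combo-with-Electronic-Keypad-Lock"
    "?utm_medium=paid&utm_source=fb",
    "acudcct[.]com/products/" + SLUG + "/",
    "toolzde[.]com/products/" + SLUG + "/",
    "yvnbpm[.]com/products/" + SLUG + "/",
    "shop-example[.]test/products/Garden-Hose-Reel",
]


def parse_observation(defanged_url):
    """Return (defanged_domain, normalized_product_slug_or_None, utm_params)."""
    url = defanged_url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url  # scheme is only needed so urlsplit finds the host
    parts = urlsplit(url)
    domain = (parts.hostname or "").lower().replace(".", "[.]")

    # The slug is the path segment that follows "/products/".
    segments = [s for s in parts.path.split("/") if s]
    slug = None
    for i, seg in enumerate(segments[:-1]):
        if seg.lower() == "products":
            raw = unquote(segments[i + 1]).lower()
            # Collapse case, percent-encoding and punctuation differences so
            # clones of one template normalize to the same key.
            slug = re.sub(r"[^a-z0-9]+", "-", raw).strip("-")
            break

    utm = {k: v[0] for k, v in parse_qs(parts.query).items()
           if k.startswith("utm_")}
    return domain, slug, utm


def shared_templates(urls, min_domains=2):
    """Map each product slug to the domains serving it, keeping only slugs
    that appear on at least `min_domains` distinct domains."""
    by_slug = defaultdict(set)
    for url in urls:
        domain, slug, _ = parse_observation(url)
        if domain and slug:
            by_slug[slug].add(domain)
    return {s: sorted(d) for s, d in by_slug.items() if len(d) >= min_domains}


def from_paid_facebook_ad(url):
    """True when the landing URL carries the UTM pair seen on the page."""
    _, _, utm = parse_observation(url)
    return utm.get("utm_source") == "fb" and utm.get("utm_medium") == "paid"


if __name__ == "__main__":
    for slug, domains in shared_templates(OBSERVED).items():
        print(f"{len(domains)} domains share product slug {slug}:")
        for d in domains:
            print("   ", d)
```

A slug shared by several unrelated-looking domains is a lead for review, not a verdict: as the search results above show, legitimate marketplaces can carry the same product name.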

Additional Facebook Advertisements from the GhostVendors’ Fake Marketplace Threat Actor

Silent Push Threat Analysts discovered two additional examples of Facebook Marketplace ads from the same threat actor group, promoting domains that matched our previous content fingerprints.

Both of these examples were first seen on May 13, 2025.

Screenshot of Facebook Marketplace ad promoting “wrocxop[.]com”

The first Facebook Marketplace ad was from the Facebook page “Rabx-B,” promoting the website “wrocxop[.]com,” on the same host as the previous websites.

The Meta Ad Library, accessed on May 13, 2025, listed 22 ads for this “Rabx-B” advertiser, with the first starting on May 9, 2025.

These ads direct users to product pages akin to this URL:

“wesonhz[.]shop/products/Cold-Water-Gas-Pressure-Washer-Powered-by-Honda%C2%AE-with-AAA-Triplex-Pump-(4400-PSI-at-4.0-GPM)?utm_medium=paid&utm_source=fb&utm_id=120225268056530127&utm_content=120225269683470127&utm_term=120225269683300127&utm_campaign=120225268056530127”

Facebook Marketplace ad “Advertiser Details” showing advertiser “Rabx-B”

Screenshot of Facebook page “Rabx-B” purchasing fake marketplace ads – the email address used on the page is “brunothuz805888@outlook[.]com” with phone number (706) 294-9657

The second Facebook Marketplace ad, captured on May 13, 2025, was for the same Facebook page advertiser, “Rabx-B,” but this time it was promoting a new domain, “wesuoey[.]shop.”

Facebook Marketplace ad in the Meta Ad Library

After comparing the new domain from the same advertiser to what was previously seen, we returned to the Meta Ad Library to review all 22 Rabx-B ads. We confirmed they were promoting different domains and, importantly, noted that the domain visible in an ad did not always match the ad's final destination:

  • wesuoey[.]shop – visible in ad text but link click redirects to wesonhz[.]shop
  • wesonhz[.]shop
  • wrocxop[.]com

Meta Ad Library for all 22 of the Rabx-B ads with multiple domains used – seen May 16, 2025

Two ads from the same advertiser promoted the domain “wrocxop[.]com” within the visible ad, as seen below, yet redirected the user to “wesonhz[.]shop”.

Screenshot of the Rabx-B ad promoting the domain “wrocxop[.]com”

By May 27, 2025, all traces of the Rabx-B ads were gone from the marketplace library

Redirection interstitial on Facebook after clicking the Rabx-B ad promoting “wrocxop[.]com,” which doesn’t mention the actual URL redirect on this domain

Screenshot of the redirect from “wrocxop[.]com” to “wesonhz[.]shop,” showing the product details page hosted on “wesonhz[.]shop”

It’s clear from this most recent Facebook Marketplace advertiser’s usage of multiple domains, combined with the effort undertaken on their previous campaigns to rapidly end them and thus remove all traces of their ads from the Meta Ad Library, that this particular threat actor has a thorough understanding of the platform’s advertising features and policies.

Our research team discovered another example of a malicious Facebook ad from this same threat actor on May 16, 2025. The ad was posted from the page “Tools Clearance” (facebook[.]com/profile.php?id=61574929192093), impersonating GE Appliances on the domain “geappliances[.]life”:

We discovered a malicious Facebook ad hosted on “geappliances[.]life” on May 16, 2025

The domain “geappliances[.]life” contains the same technical fingerprint used to track other websites in this campaign.

The ads for this “Tools Clearance” page were seen in the Meta Ad Library.

Ads from the “Tools Clearance” Facebook page via the Meta Ad Library

By May 27, 2025, the threat actor stopped the campaign, causing all traces of the “Tools Clearance” ads to disappear from the marketplace library

Discovering Four New Ads

Our research team discovered four additional fake marketplace advertisements:

Screenshot of “Why You Saw This Ad” showing who “Toolboxchest” wants to show its ads to

Phony ad for a heavy-duty 23-drawer rolling tool chest and cabinet for the unrealistic price of $121.86

Phony ad impersonating Wayfair promoting “woylervip[.]com/collections/Tool-Box/products”

By stopping the campaign, the threat actor was able to have its ads disappear from the Facebook Ad Library.

Example ad from the campaign above: “facebook[.]com/ads/library/?active_status=active&ad_type=all&country=US&id=120224586724400601&is_targeted_country=false&media_type=all&search_type=page&source=info-sheet&view_all_page_id=654433934418507”

By May 27, 2025, the threat actor must have stopped the campaign since all traces of the ads disappeared from the marketplace library

The second ad:

A second example: an ad spoofing a Milwaukee tool chest at the unrealistically low price of $128.69

The ad had the screenshot captured below:

Screenshot of “Why You Saw This Ad” showing who Toolboxchest wants to show ads to
facebook[.]com/ads/library/?active_status=active&ad_type=all&country=US&id=120226523616180200&is_targeted_country=false&media_type=all&search_type=page&source=info-sheet&view_all_page_id=654433934418507

But soon thereafter, the advertiser must have ended the campaign since the ad disappeared:  

Screenshot of a fake tool chest ad before it quickly disappeared

By May 27, 2025, all traces of the ad were gone

The third ad:

Fake Wayfair ad spoofing Milwaukee for a tool chest priced at $106.88 on DocBarbara 372's Facebook page

This appears to be the page:  

Screenshot of DocBarbara 372's Facebook page and "Why You Saw This Ad" notification
facebook[.]com/profile.php?id=61572252608618

The screenshot below shows when the ads were displayed there:

Screenshot showing when the fake tool chest ads were displayed on DocBarbara 372's Facebook page

But the Facebook Ad Library is now empty:  

Screenshot showing all ads had later disappeared from DocBarbara 372's Facebook page
facebook[.]com/ads/library/?active_status=all&ad_type=all&country=ALL&is_targeted_country=false&media_type=all&search_type=page&source=page-transparency-widget&view_all_page_id=536613529533713

The ad was promoting the domain: “supersale[.]top”:  

Another fake Wayfair ad spoofing Milwaukee for a tool chest on sale at the domain "supersale[.]top"
superssale[.]top/products/4-tool-combo-kit

The fourth ad:

A phony “Holiday Celebration Sale” ad advertising a tool chest at the unrealistically low price of $39.00

Screenshot of the Facebook “Why You Saw This Ad” notification for “Holiday Celebration Sale”

By May 27, 2025, the campaign must have been stopped since all traces of the ads disappeared

Below is a spoof of a “Milwaukee Clearance of Excess Inventory from 2025” sale:  

Example: “toolboxsale[.]com/collections/milwaukee-clearance-of-excess-inventory-from-2025”

There are dozens of pages with this “Holiday Celebration Sale” name and the same logo on Facebook: “facebook[.]com/search/pages/?q=holiday%20celebration%20sale”  

Screenshot showing dozens of pages with the same “Holiday Celebration Sale” name and logo on Facebook
facebook[.]com/ads/library/?active_status=active&ad_type=all&country=ALL&is_targeted_country=false&media_type=all&search_type=page&source=page-transparency-widget&view_all_page_id=582885318250730

Many are active advertisers:

Screenshot showing many of the “Holiday Celebration Sale” advertisers were active
Example: “facebook[.]com/ads/library/?active_status=active&ad_type=all&country=ALL&is_targeted_country=false&media_type=all&search_type=page&source=page-transparency-widget&view_all_page_id=102448339253132”

The ads from these pages are the same as those seen in the other parts of the scheme (above):

Screenshot of multiple ads that were part of the "Holiday Celebration Sale" scam
Screenshot of the previously captured ad, but all ad traces have disappeared

Most of the advertiser accounts were empty, indicating that the advertiser had likely ended the campaigns. The previously captured ad appears to be gone, so it’s unclear which of the Facebook pages was behind the fourth ad.  


Brands Targeted by the GhostVendors’ Campaign

These fake marketplace scam campaigns appear to target dozens of major brands. Some websites feature generic names, whereas others feature brands directly in the domain names.

It also appears that all the websites in this network feature major brands on the product pages, and many of the prices for the products being advertised for sale are unrealistically low.

Silent Push Threat Analysts have not yet tested any of the purchase processes. Even so, we believe it’s likely that many of these don’t deliver the promised products and may instead engage in financial fraud by abusing credit cards used during the attempted purchase process.

The following brands are some of the organizations targeted:

General Retail & Department Stores

  1. Amazon:
    • myamazonboxnews[.]com
    • myamazonbox[.]com
    • amazonboxinc[.]com
    • amzncenter[.]com
    • amzglobalpallets[.]com
    • shopamazonpallet[.]com
  2. Costco:
    • costcosale[.]store
    • cstcosaw[.]xyz
  3. Nordstrom:
    • nordstromss[.]shop
  4. Saks Fifth Avenue:
    • saksavenueoff5th[.]shop
    • saksavenueoff5th[.]com
    • off5th[.]online
  5. Dollar General:
    • dolllargenerai[.]com
    • dollargeneralsupermarket[.]com
  6. KaDeWe (German department store):
    • kadewe-tasche[.]com
    • kadewebag[.]com
    • kadewehandtasche[.]com
  7. Argos UK:
    • argosuk-save[.]shop

Home Improvement & Specialty Retail

  1. Lowes:
    • lowessale[.]shop
  2. Tractor Supply:
    • tractorsupply-us[.]com
    • tractorsupply-co[.]online
  3. Advance Auto Parts:
    • advanceautopartsog[.]com
    • advanceautopartsdeal[.]com
    • advancepartsauto[.]com
    • advanceauto-clear[.]com
  4. Party City:
    • partycity-clearance[.]shop
    • partycitysupersale[.]shop
    • partycity-preopen[.]com
    • partycityliquidation[.]com
    • partycitywarehouseusa[.]com
  5. Joann (Craft/Fabric):
    • joannsave90[.]shop
    • joannliquidations-us[.]com
    • joann-clearing[.]com
  6. Big Lots:
    • biglotsgifts[.]com
  7. EGO Power+ Tools:
    • egopowerplus[.]store
  8. GE Appliances:
    • geappliances[.]life

Footwear Brands

  1. Birkenstock:
    • birkenoutlet-us[.]com
    • birkenstockfootwearsale[.]shop
    • birkenstockus[.]online
    • birkenstock-dealer[.]com
  2. Crocs:
    • crocs-outlets[.]com
  3. Skechers:
    • us-skecherl[.]com
  4. Hike Footwear:
    • hike-footwear-us[.]com
    • hike-footwear-sale[.]com
  5. Vionic Shoes:
    • vionic-online[.]com
    • vionic-shoes[.]shop
    • vionic-shoes[.]com
  6. Kizik Shoes:
    • kizik-us[.]shop
    • kizik-sale[.]com
  7. Vessi Shoes:
    • vessi-sale[.]com
  8. Vivobarefoot:
    • vivobarefoot-outlet[.]shop

Activewear & Athletic Apparel

  1. Brooks Running:
    • brooksonlinesale[.]shop
    • brooksrunning-us[.]shop
    • brooksrunninguss[.]shop
    • brooks-outlet[.]shop
  2. Alo Yoga:
    • aloyogaoutlet[.]top
  3. On Running:
    • onrunningsale-us[.]com
    • storeonrunning[.]com
    • on-running-outlets[.]com
  4. Vuori Clothing:
    • vuoriclothing-us[.]shop
    • vuoriclothing-world[.]shop
    • vuoristore[.]shop
  5. Icebreaker Clothing:
    • icebreaker-sale[.]com
    • icebreaker-store[.]com
  6. NOBULL Sportswear:
    • nobull-warehouse[.]shop
  7. Huk Clothing:
    • hukgears[.]shop
  8. Natural Life Clothing:
    • naturallife-outlet[.]shop
    • naturallife-warehouse[.]shop

Fashion & Luxury Brands

  1. Rolex:
    • 1908-rolexonline[.]com
  2. Tommy Bahama:
    • tommybahama-megasale[.]shop
    • tommybahama-bigsale[.]shop
  3. L.L. Bean:
    • llbeanus[.]online
    • llbean-megasales[.]shop
  4. Tom Ford Beauty:
    • tomfordbeautys[.]shop
  5. Rebecca Minkoff:
    • rebeccaminkoff-ny[.]com
  6. Goyard:
    • goyardes[.]com
    • goyardbagoutlet[.]vip
  7. Massimo Dutti:
    • massimodutioutlets[.]com
    • massimoduttioutlets[.]sbs
  8. Alpha Industries Outerwear:
    • alphaindustries-us[.]shop
  9. Volcom Clothing:
    • world-volcomsales[.]shop
  10. Popflex:
    • popflexactiveclub[.]com

Outdoor & Sporting Goods

  1. Duluth Trading:
    • duluthtradingclearance[.]com
    • duluthtrading-bigsales[.]com
  2. Orvis:
    • orvis-us[.]store
  3. Rock Bottom Golf:
    • rockbottomgolfshops[.]com
  4. Palmetto State Armory (Gun store):
    • palmettostateassrmoryus[.]shop
    • palmetostaeassrmoryte[.]shop
    • palmettoblitz[.]shop
    • palmettobestdeal[.]com
  5. Mammut Outdoor Gear:
    • mammut-discount[.]shop
  6. Rebel Sport (Australian retailer):
    • rebelsportauonline[.]com

Food & Grocery

  1. Instacart:
    • instaacart[.]shop
  2. Total Wine:
    • totalwinus[.]cc
    • totalwine-usa[.]com
    • totalwineus[.]cc
  3. Omaha Steaks:
    • omahasteakso[.]com
    • omahasteakssales[.]com
    • omahasteaksvip[.]com
    • omahasteaks[.]online
    • omahasteaks[.]discount
    • omabbhasteaaks[.]shop
  4. Thrive Market:
    • thrivemarketsale[.]shop
  5. Luke’s Lobster:
    • lukeslobstershop[.]com
    • lukeslobstermsc[.]com
  6. Cousin’s Maine Lobster:
    • cousinsmainelobstershop[.]com

Farm & Garden

(It appears these farms were chosen due to their presence on Facebook)

  1. Fast Growing Trees (Online tree store):
    • fastgrowtree[.]store
    • fastgrowtree[.]com
    • fastgrowingtree[.]store
  2. Gurney’s Seed and Nursery:
    • gurneys[.]store
  3. White Oak Pastures:
    • whiteoakpasturesbfp[.]com
  4. Seven Sons Farm:
    • sevensonsfarm[.]shop
    • sevensonsfarms[.]shop
    • sevensonsbeef[.]shop
  5. 44 Farms:
    • 44farms[.]shop
  6. Tyner Pond Farm:
    • tynerpondfarm[.]shop
  7. Pipers Farms:
    • pipersfarms[.]shop

Home & Hobbies

  1. Bath & Body Works:
    • bathandbodyworks-us[.]sbs
  2. Yankee Candle:
    • yankeecandles[.]shop
  3. Ravensburger Puzzles:
    • ravensburger-online[.]sbs
  4. Buffalo Games & Puzzles:
    • buffalogames-online[.]shop
  5. Arcade1Up Gaming:
    • arcade1upshopbuy[.]shop
  6. Cobble Hill Puzzles:
    • cobblehill[.]sbs
    • cobblehillpuzzles[.]sbs
  7. The Woobles Crochet:
    • thewoobles-sale[.]com
    • thewoobles-us[.]com
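For brand-protection teams, the domains listed above that put a brand directly in the name, whether spelled correctly or as a near-miss, can be triaged with a simple string check. This is an added example, not Silent Push's fingerprint: the lure-token list, the 0.85 similarity threshold and the official-domain allowlist are assumptions a defender would tune, and the code assumes single-label TLDs.

```python
from difflib import SequenceMatcher

# A few brands from the page's list, lower-cased with spaces removed.
BRANDS = ["amazon", "costco", "dollargeneral", "instacart",
          "omahasteaks", "skechers"]

# Assumption: the brand owner supplies its real domains so they are skipped.
OFFICIAL = {"amazon.com", "costco.com", "dollargeneral.com",
            "instacart.com", "omahasteaks.com", "skechers.com"}

# Retail "lure" words that appear as hyphenated tokens in the page's domains.
LURE_TOKENS = {"us", "usa", "sale", "sales", "outlet", "outlets", "clearance",
               "online", "shop", "store", "save", "deal", "dealer",
               "discount", "warehouse"}

LOOKALIKE_THRESHOLD = 0.85  # assumed cut-off; tune against your own data


def classify(domain):
    """Return (brand, kind) for a suspicious domain, else None.

    kind is "contains-brand" when the exact brand string is embedded in the
    name, or "lookalike" when the name is a close misspelling of the brand.
    Accepts plain or defanged ("[.]") input.
    """
    host = domain.strip().lower().replace("[.]", ".")
    if host in OFFICIAL:
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None

    # Registrable label, assuming a single-label TLD (real tooling should
    # consult the Public Suffix List instead).
    sld = labels[-2]
    tokens = [t for t in sld.split("-") if t and t not in LURE_TOKENS]
    core = "".join(ch for ch in "".join(tokens) if ch.isalpha())
    if not core:
        return None

    # 1) Exact brand string embedded in the name.
    for brand in BRANDS:
        if brand in core:
            return (brand, "contains-brand")

    # 2) Near-miss spelling: best similarity against any monitored brand.
    best_brand, best_score = None, 0.0
    for brand in BRANDS:
        score = SequenceMatcher(None, brand, core).ratio()
        if score > best_score:
            best_brand, best_score = brand, score
    if best_score >= LOOKALIKE_THRESHOLD:
        return (best_brand, "lookalike")
    return None


def triage(domains):
    """Return {domain: (brand, kind)} for every domain that gets flagged."""
    flagged = {}
    for d in domains:
        verdict = classify(d)
        if verdict:
            flagged[d] = verdict
    return flagged


if __name__ == "__main__":
    sample = ["myamazonboxnews[.]com", "instaacart[.]shop",
              "dolllargenerai[.]com", "us-skecherl[.]com",
              "wuurkf[.]com", "amazon.com"]
    for dom, (brand, kind) in triage(sample).items():
        print(f"{dom:28} {kind:15} {brand}")
```

Randomly generated names such as “wuurkf[.]com” carry no brand string and pass through this check unflagged, which is why the content fingerprinting described earlier is needed alongside it.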

Continuing to Track GhostVendors’ Marketplace Scam Websites

Silent Push Threat Analysts consider web shop and fake marketplace scams a prolific global threat to social networks, advertising networks, major brands, and the consumers who are unfortunate enough to encounter them.

It’s clear that many different threat actors launch these marketplace scams, and yet, fortunately, many reuse page and server templates to facilitate the speed of their deployments.

Our team will continue to investigate these scams and appreciates any leads that may help us identify new campaigns.

Enhance your cybersecurity workflows with Silent Push SOAR integrations 

Security teams face several challenges when attempting to turn large amounts of indicator data into actionable intelligence, at scale, across an expansive security automation operation that encompasses numerous vendor platforms. 

Teams often find themselves battling with ever-increasing alert queues, containing domains and IPs which require multiple manual pivots to validate an authentic threat. 

Silent Push Enterprise Edition changes the game by giving teams the ability to automatically feed a world of additional context into each indicator they come across in the wild, at scale, using proprietary categorization that isn’t available through any other vendor. 

Categorization and Correlation 

Each hostname, website and IP Silent Push scans is enriched with 200+ datapoints that allow teams to enact faster, better informed, automated decisions on how to deal with indicators they encounter in their alert queues – known or unknown – including: 

  • Attacker DNS automation 
  • Malicious hosting clusters 
  • Infrastructure changes over time 
  • Inbound scanning signatures 
  • Website content 
  • WHOIS and certificate data 

IOFA Feed Integration

As well as historic DNS and web content data analysis, a key capability of the Silent Push API is the ability to query all of our Indicators of Future Attack (IOFA)™ Feed data, and use the information to gain better insight on where the next attack may be coming.

Let’s look at some of the industry-leading SOAR platforms that we connect with via the Silent Push API, along with some quick workflow examples.

Cortex XSOAR (Palo Alto Networks) 

Our Cortex XSOAR integration brings together two powerful cybersecurity functions: preemptive threat detection and enterprise-grade security orchestration. 

By combining Silent Push data with XSOAR’s playbook automation capabilities, security teams can transition from reactive IOC-based triage to proactive threat discovery, at scale.

Capabilities 

  • Enrich domains, IPs, and ASNs in real-time 
  • Automatically triage alerts by correlating indicators with IOFA™ feed data, including Silent Push risk scoring 
  • Trigger live URL scans (including screenshots of suspicious domains) directly from an XSOAR playbook 
  • Feed enriched indicators into downstream systems, like firewalls or SIEMs, enabling faster mitigation and reduced analyst load 

Example 

When an alert hits your SOC, it can be passed through XSOAR to Silent Push, where the domain is enriched with DNS history, certificate associations, infrastructure movement, and similarity to known threat actor TTPs. 

After generating an enhanced risk profile based on the above information, the system can escalate, suppress, or initiate blocking – all without manual intervention. 

Key Outcomes Delivered 

  • Reduced response times
  • Eliminate the need for isolated lookups 
  • Continuous infrastructure monitoring within existing playbooks 

Splunk SOAR 

Our Splunkbase app for Splunk SOAR (formerly Phantom) delivers threat intelligence and playbook automation within Splunk SecOps workflows. 

By embedding infrastructure-focused data alongside Splunk datastreams, teams can move from manual investigation to proactive, TTP-driven responses.

Capabilities 

  • Perform domain and IP enrichment within a Splunk instance 
  • Lookup historic and live WHOIS data, certificate information, and ASN/subnet reputations 
  • Explore DNS history 
  • Automatically generate risk scores 
  • Fetch live URLs with scans and screenshots into Splunk 

Example 

Your SOC receives a phishing or brand impersonation alert into your Splunk instance. A playbook takes the suspicious domain, enriches it via Silent Push (including IOFA™ feed correlation and DNS history), and calculates a risk score. If the domain is flagged as high risk, an automated response is triggered – such as initiating an action in a ticketing system, or isolating the asset via firewall integration. 

Key Outcomes Delivered 

  • Reduce manual triage steps
  • Cut mean times to detect (MTTD) and respond (MTTR) to threats
  • Provide your Splunk instance with the ability to proactively detect emerging infrastructure

Torq 

The Silent Push Torq integration feeds Silent Push enrichment data directly into your no-code security workflows, allowing teams to operationalize threat data without writing a single line of code. 

Our Torq integration automates early-stage threat detection and response with context from Silent Push’s DNS, certificate, WHOIS and content scanning datasets. 

Capabilities 

Silent Push exposes multiple API endpoints through a native integration with Torq, including: 

  • Domain and IP enrichment 
  • Forward and reverse DNS lookups 
  • Live endpoint scans and screenshots 
  • Access to IOFA™ feeds 

Examples 

Torq accepts a domain or IP input (e.g., from SIEM or ticketing alert), queries Silent Push, and uses caching to avoid redundant lookups (ideal for high volume investigations). Results can then be routed to downstream actions like ticketing (e.g., ServiceNow), chat (e.g., Slack), or blocking controls. 

Key Outcomes Delivered 

  • Real-time infrastructure intelligence at scale, without scripting or manual triage
  • Feed enhanced risk scores into EDR response logic 
  • Faster, smarter, and more proactive security decisions across your stack 

Swimlane 

Our Swimlane integration brings advanced infrastructure intelligence into Swimlane’s low-code, hyperautomation environment, enhancing Swimlane “cases” – a container or record within Swimlane SOAR that represents a security incident, alert, or event – with Silent Push data. 

Capabilities 

The Swimlane plugin supports data enrichment for: 

  • Domains, IPv4, and IPv6
  • Nameserver details and change history 

Example 

Silent Push enrichment tasks automatically run when a SIEM or EDR alert is activated in Swimlane. Your SOAR parses observables, queries the Silent Push database, and enriches case records with infrastructure intelligence in real time. High-risk domains or IPs are highlighted through IOFA™ feed correlation, and trigger immediate escalation, task creation, or containment workflow actions. 

Key Outcomes Delivered 

  • Inject preemptive infrastructure intelligence into Swimlane cases 
  • Detect and disrupt threat actor infrastructure at scale, before an attack is launched 
  • Trigger automatic escalation for high priority alerts 

Tines 

The Silent Push Tines integration allows security teams to embed Silent Push IOFA™ data directly into Tines stories, facilitating early detection, smarter triage, and automated response without the need for manual coding. 

Capabilities 

  • Retrieve domain and IP risk scores, WHOIS data, nameserver reputations and historical change information 
  • Fetch subnet reputations and scanned data including open directories, JARM fingerprints, HTTP headers, favicons, and SSL attributes 
  • Analyze a domain’s digital footprint and output it to Tines as a downloadable CSV 

Example 

Your system flags a phishing trigger (via email, Slack, or SIEM) in a Tines Story. The domain is passed into Silent Push enrichment actions, which return risk scores, WHOIS details, associated domain clusters, and certificate data. 

The dataset is then used to: 

  1. Make a triage decision via conditional logic 
  2. Present findings through a Tines page for analyst review (if manual approval is desired) 
  3. Automatically generate a ticket in ServiceNow, or an alert in Slack, if critical thresholds are met 

Key Outcomes Delivered 

  • Operationalize enrichment data at scale 
  • Elevate static lookups to dynamic stories, infused with context 
  • Speed up detection by sharpening analyst workflows 

ServiceNow 

The upcoming Silent Push ServiceNow integration connects incidents and observables inside ServiceNow’s Security Operations suite with Silent Push datapoints, enabling teams to take fast, informed action on emerging threats before they turn into a breach.

Capabilities 

  1. Generate Tickets from an IOFA™ Feed 

When Silent Push detects a newly registered domain mimicking your brand or infrastructure, a ServiceNow ticket is created that allows legal, brand protection, or threat intel teams to automatically initiate a takedown or investigation. 

  2. Enrich Existing Tickets with IOFA™ Context 

If an indicator appears in Splunk that triggers a ServiceNow ticket, Silent Push can be queried to retrieve DNS history, certificate data, hosting changes, and risk scoring to help assess its threat level. 

  3. Build Custom Enrichment Workflows 

Leverage over 20 Silent Push APIs within your ServiceNow playbooks. For example, automatically capture a live screenshot of any domain included in a phishing report or correlate IPs with infrastructure clusters seen in IOFA™ datasets. 

Book a demo 

Our team is on hand to show you how easy it is to link your SOAR platform with the Silent Push API, and build faster, more efficient security workflows that remove manual intervention and give teams access to better insight on emerging threat infrastructure. 

Contact us today for a platform demonstration.

Workshop – Pivoting Across Infrastructure to Detect Unknown Threats

Join us for an interactive online session designed for those new to threat hunting in the Silent Push platform.

Adversary infrastructure is often hidden or unused—escaping detection by most CTI tools — until it’s suddenly activated in an attack.

Learn how to uncover the 98% of malicious infrastructure that typically goes undetected. We’ll show you how pivoting — linking data points like domains, IPs, and certificates — can map out an attacker’s hidden network. Get real-time examples of powerful pivots in the Silent Push free Community Edition and learn how to spot threats before they strike.

  • Date: 24 June 2025
  • Time: 10am ET // 4pm CET // 10am SGT // 12pm AEST
  • Location: Online – Zoom
  • Requirements: Silent Push free Community Edition | Sign-up here

Emerging Tech: Adoption Trends in Preemptive Cyber Defense

According to Gartner®, current projections indicate a substantial increase in the adoption rate of Preemptive Cyber Defense (PCD) solutions from 5% to 35% by 2028.

Generative AI is transforming cybersecurity, making traditional “detect and respond” methods insufficient in blocking modern-day attacks. Malicious actors are using AI to scale and personalize attacks, requiring preemptive threat intelligence to anticipate and mitigate risks early.  

Read this Gartner® report to learn how to uplift your cybersecurity strategy with preemptive detection technologies.

Gartner, Emerging Tech: Adoption Trends in Preemptive Cyber Defense, Isy Bangurah, Luis Castillo, Walker Black, 12 November 2024. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The Silent Push Difference

Silent Push provides preemptive cyber intelligence that exposes threat actor infrastructure as it’s being set up, and shared as Indicators of Future Attack (IOFA), allowing organizations to proactively block attacks.

Silent Push Events: May 2025

SINCON, May 22-23, Singapore 

First up is SINCON 2025, held on May 22–23 at voco Orchard Singapore. 

This year’s event focused on advancing cybersecurity through technical exploration and innovation, with a strong emphasis on proactive defense strategies and knowledge sharing.

Our CEO, Ken Bagnall, gave a talk on “Finding Adversary Infrastructure Before the Attack with Future-Based Threat Intelligence.” 

Ken demonstrated how attackers consistently reuse infrastructure according to a series of patterns, and how teams can use Indicators of Future Attack (IOFA)™ to expose these patterns and block all the infrastructure that’s being deployed in an attack – not just the handful of domains and IPs lurking on the surface.

Everyone who stopped for a chat at our booth was keen to explore the importance of understanding adversary tactics when attempting to anticipate and stop future attacks, rather than purely relying on reactive post-breach defense mechanisms. Those days are clearly over. 

Lots of Enterprise demos. Lots of new Community Edition users. See you next year! 

Silent Push & Shellsoft Technology Corp. Partnership Seminar, May 27, Singapore 

Our CEO, Ken Bagnall, APJ Sales Director, Anthony Ng, and Chief Customer Officer, Brad Arnold – working alongside our partners at Shellsoft Technology Corp – hosted an event for cybersecurity leaders and executives at Cork Elite, on the roof deck of the W Hotel in Singapore.

At the event, Ken gave a talk that showed how most legacy CTI platforms are simply passing on intelligence that’s already widely known, and how Silent Push focuses on the DNS-based relationships that are created as adversaries deploy their infrastructure, to facilitate early detection and expose IOFA™.

Check out Shellsoft Technology Corporation’s solutions here. We’re excited to be working together!

BSides, May 24, Dublin 

Our Director of Threat Intelligence, Kasey Best, and Senior Threat Analyst, Zach Edwards, were in Dublin for Security BSides Dublin 2025. 

Held at the Trinity Business School, the community-driven, non-profit conference brought together information security professionals, students, and enthusiasts from across Europe to engage in a day of learning, networking, and collaboration. 

The event featured a diverse range of presentations and workshops covering topics such as application security, malware analysis, ethical hacking, and emerging threats like AI-driven attacks and IoT vulnerabilities. 

Kasey and Zach held a well-attended session that expanded on our exposé of the Triad Nexus pig butchering and money laundering network.

By renting IP addresses from reputable providers like Amazon Web Services and Microsoft Azure, threat actors use malicious hosting providers such as the FUNNULL Content Delivery Network (CDN) – recently sanctioned by OFAC – to weave illicit operations into mainstream infrastructure. 
 
If you’re looking for more info on how to stop infrastructure laundering attacks, check out our on-demand webinar.

Health ISAC Spring Summit, May 19-23, Florida 

Next up is the Health-ISAC Spring Summit, at the Naples Grand Beach Resort in Florida. 

The 2025 event – “Creating Safe Harbours” – brought together cybersecurity professionals from across the healthcare sector for a week of collaboration, intelligence sharing, and discussions on the evolving threat landscape facing healthcare providers, pharmaceutical companies, and medical device manufacturers. 

Our CRO, David Troha, and Director of Sales Engineering, Maulik Limbachiya, fielded questions on how Silent Push can help the healthcare industry proactively avoid sector-specific attack vectors, including ransomware, and APT groups targeting intellectual property and patient records.

FS-ISAC EMEA Summit, May 20-22, Brussels 

Held in Brussels, the 2025 FS-ISAC EMEA Summit addressed evolving cybersecurity challenges in the financial sector around three key areas: intelligence, security and resilience.

Hot talking points included AI-driven fraud, third-party risk management, regulatory compliance, and the ever-present threat of ransomware. 

Our team was on hand to listen to the challenges financial organizations face across Europe, the Middle East, and Africa as they attempt to integrate preemptive cybersecurity technologies into reactive (and often unwieldy) defense frameworks, to speed up detection and expose threats early.

Hacker Hoedown, May 16-17, Dallas 

The inaugural Dallas Hacker Hoedown took place at Will Call Bar, on May 16-17. 

A self-professed grassroots event, the Hoedown (which didn’t actually feature any hoedowns, in case you’re wondering) is designed to foster laid-back collaboration among security professionals – something a little different to the highbrow discussions at most industry events. 

Key themes included the changing role of SOC teams and security analysts, the inherent difficulty in protecting large SaaS environments from attacks, and recent governmental and technical developments including AI and the future of CVE. 

Our Director of Sales Engineering, Maulik Limbachiya, gave a talk on how Silent Push preemptively exposed Contagious Interview’s threat infrastructure, and led the charge on tracking the group’s evasion techniques. 

Here’s to next year’s event! Cheers for the invite. 

TechNet Cyber, May 6-8, Baltimore 

AFCEA’s TechNet Cyber 2025 convened military, government, industry, and academic leaders to address numerous evolving challenges in cybersecurity. 

Held at the Baltimore Convention Center, the event focused on the theme “Empowering the Warfighter: Innovate, Integrate, Dominate.” 

Our Sales Engineer, Noah Plotkin, gave a presentation on how organizations need to combat attacker sophistication with simplicity by using an adversary’s own TTPs against them to track infrastructure the moment it’s deployed.

Noah demonstrated advanced techniques in our Enterprise platform that enable teams to expose malicious infrastructure at the earliest opportunity, by focusing on the management of domains and IPs, and how infrastructure moves across the IP space over time. 

Health ISAC, May 7, Netherlands 

The Utrecht Health-ISAC event was a full-day, in-person security workshop that brought together health sector security professionals to address the current threat landscape, and various challenges facing the healthcare industry. 

Our Threat Analyst, Mees van Wickeren, had some great discussions on the need for a renewed set of best practices focused on proactive threat detection. Lots of interest in how we can help to minimize cyber risk across the sector, and help organizations avoid loss through early detection mechanisms. 

Looking ahead…

Next month we’ll be at the 37th Annual FIRST Conference, at the Bella Center, Copenhagen, on June 22–27. 

Organized by the Forum of Incident Response and Security Teams, FIRST events bring together cybersecurity professionals to collaborate on improving computer security worldwide. 

FIRST conferences are always a valuable experience for the team, with so many takeaways, new prospects met, old friends caught up with and lots of chatter about preemptive detection technology, and the role played by IOFA™ in future-based threat detection.

If you’re in attendance and you’d like a chat, contact us here.

See you on the conference floor!