Black-hat SEO driving massive surge in e-commerce fraud

CO-EDP, VisionRI | Updated: 02-06-2025 08:59 IST | Created: 02-06-2025 08:59 IST
Country: Japan

A major investigation into the sprawling ecosystem of fake e-commerce operations in Japan has uncovered a network of sophisticated scam groups using black-hat search engine optimization (SEO) techniques to deceive consumers. The study, titled “Uncovering Black-Hat SEO Based Fake E-Commerce Scam Groups from Their Redirectors and Websites”, was released as a preprint on arXiv by researchers from Trend Micro, the Japan Cybercrime Control Center (JC3), multiple prefectural police departments, and Kagawa University.

Analyzing a massive dataset of nearly 693,000 fake e-commerce (EC) websites gathered over two and a half years, the research team used link analysis tools and time-series techniques to track threat actors and map their infrastructure. The study identifies 17 large-scale scam groups and highlights the growing trend of using redirector malware and Japanese keyword hacks to manipulate search engine results and lure victims into fraudulent webshops.

How do these fake e-commerce scams work?

At the core of these scams is a method known as black-hat SEO poisoning, in which attackers compromise legitimate websites and plant SEO malware on them. The malware generates sitemaps and pages stuffed with target keywords, often in Japanese, that rank highly in search results. Users who click those results are silently redirected to fraudulent EC sites built to steal personal data or money.

The compromised sites, termed redirectors, serve as covert intermediaries. When a visitor arrives from a search engine, the redirector forwards the browser to a fake EC site by way of hidden scripts or server-side redirects; a visitor who opens the site directly is typically shown its normal content, which is one reason the site's owner rarely notices the compromise. In particular, attackers use a technique known as the Japanese Keyword Hack, in which fake product pages aimed at Japanese shoppers are injected into compromised sites on non-Japanese domains so that those pages surface in Japanese search results.
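The redirector behaviour described above can be checked without live malware: fetch the same URL once directly and once as a search-engine visitor, and compare where each response tries to send the browser. The script below is an added example, not code from the paper or from Trend Micro or JC3. The three HTTP responses in it are constructed by hand (the hostnames are placeholders), and the assumption that the redirect keys on the visitor's Referer header is the usual cloaking pattern, not a claim the article makes about any particular site. The `japanese_ratio` helper is a heuristic for the Japanese Keyword Hack: a page on a non-Japanese domain whose title is almost entirely Japanese script deserves a second look.

```python
"""Spot a compromised site that only redirects search-engine visitors.

Added example, not code from the paper or from Trend Micro / JC3. The
responses below are constructed; that the redirect keys on the Referer
header (cloaking) is an assumption about a common pattern, not a finding
the article reports for a specific site.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin


@dataclass
class Response:
    url: str
    status: int
    headers: dict
    body: str


class _RedirectParser(HTMLParser):
    """Collect redirect targets from <meta http-equiv=refresh> and inline JS."""
    JS_PATTERNS = (
        re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""),
        re.compile(r"""location\.(?:replace|assign)\(\s*["']([^"']+)["']"""),
    )

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"""url\s*=\s*["']?([^"'\s;]+)""", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            for pat in self.JS_PATTERNS:
                self.targets.extend(pat.findall(data))


def redirect_targets(resp):
    """Absolute URLs the response would send the browser to, server- or client-side."""
    targets = []
    if 300 <= resp.status < 400 and resp.headers.get("Location"):
        targets.append(resp.headers["Location"])
    p = _RedirectParser()
    p.feed(resp.body)
    targets.extend(p.targets)
    return [urljoin(resp.url, t) for t in targets]  # resolves relative and //host forms


def is_cloaked_redirector(direct, via_search):
    """True when the 'search visitor' response redirects somewhere the direct visit does not."""
    via = set(redirect_targets(via_search))
    return bool(via) and via != set(redirect_targets(direct))


def japanese_ratio(text):
    """Share of letters in hiragana/katakana/CJK ranges. Kanji overlap with Chinese, so treat as a hint."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    jp = sum(1 for c in letters if "\u3040" <= c <= "\u30ff" or "\u4e00" <= c <= "\u9fff")
    return jp / len(letters)


# Constructed responses for one hypothetical compromised blog URL.
URL = "https://compromised-blog.example/2024/10/post"
DIRECT = Response(URL, 200, {"Content-Type": "text/html"},
    "<html><head><title>My gardening blog</title></head>"
    "<body><p>Tomatoes again this year.</p></body></html>")
VIA_SEARCH = Response(URL, 200, {"Content-Type": "text/html"},  # same URL, Referer: a search engine
    '<html><head><meta http-equiv="refresh" content="0; url=https://fake-shop.example/jp/brand-outlet">'
    '<title>ブランド アウトレット 激安 通販</title></head><body><script>'
    'setTimeout(function(){location.href="https://fake-shop.example/jp/brand-outlet";},0);'
    '</script></body></html>')
SERVER_SIDE = Response(URL, 302, {"Location": "//fake-shop.example/jp/brand-outlet"}, "")

if __name__ == "__main__":
    print("client-side cloaking:", is_cloaked_redirector(DIRECT, VIA_SEARCH))
    print("server-side cloaking:", is_cloaked_redirector(DIRECT, SERVER_SIDE))
    print("title japanese ratio:", japanese_ratio("ブランド アウトレット 激安 通販"))
```

In a real crawl the two fetches differ only in the Referer (and often the User-Agent) header; both responses are parsed statically, so a JavaScript redirect that is itself gated on `document.referrer` is still caught because the target string is present in the served script.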

The researchers focused on the destination sites rather than the malware itself, given limitations in capturing live SEO malware samples. By analyzing data such as email addresses, Matomo tracking servers, and analytics IDs embedded in the fake websites, the team was able to group websites likely controlled by the same scam operators.

How many scam groups were identified and what are their characteristics?

Using the JC3 dataset collected between May 2022 and December 2024, the researchers performed graph-based link analysis with Maltego and custom algorithms. The resulting graph included 105,286 fake EC domains, 13,456 email addresses, 36 Matomo servers, and 4,958 51.la analytics IDs. From this network, 1,118 groups were initially detected, but only 17 were large enough (over 2,000 websites or 200 domains) to merit focused analysis.
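The grouping step in the two paragraphs above, extracting shared operator artifacts from each fake site and linking every domain that shares one, is a connected-components problem over a bipartite domain/indicator graph. The script below is an added example and is not the paper's code or JC3/Trend Micro tooling; it reproduces that idea on five constructed page snippets. The Matomo and 51.la snippet shapes follow the products' documented embed code, but every hostname, address and ID in it is made up, and the `indicator_counts` helper is a hypothetical addition that surfaces the "few tracker hosts, many domains" pattern the study points to for blocklisting.

```python
"""Group fake EC domains by shared operator artifacts.

Added example, not the paper's code or JC3/Trend Micro tooling. Domains that
share a contact e-mail, a Matomo tracker host or a 51.la analytics ID are
placed in one group via union-find. All hostnames, addresses and IDs are
constructed for illustration.
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Matomo embed:  var u="//tracker.host/";  _paq.push(['setTrackerUrl', u+'matomo.php']);
MATOMO_HOST_RE = re.compile(r"""var\s+u\s*=\s*["']//([^/"']+)/?["']""")
# 51.la embeds:  <script src="//js.users.51.la/<id>.js">  (legacy)  or  LA.init({id:"<id>",...})
LA51_RE = re.compile(r"""js\.users\.51\.la/(\d+)\.js|LA\.init\(\s*\{[^}]*?id\s*:\s*["']([A-Za-z0-9]+)["']""")


def extract_indicators(html):
    """Return a set of (kind, value) artifacts found in one page."""
    found = set()
    for addr in EMAIL_RE.findall(html):
        found.add(("email", addr.lower()))
    if "matomo.php" in html or "piwik.php" in html:  # only trust `var u` next to a Matomo call
        for host in MATOMO_HOST_RE.findall(html):
            found.add(("matomo", host.lower()))
    for legacy, sdk in LA51_RE.findall(html):
        found.add(("51la", legacy or sdk))
    return found


class DisjointSet:
    """Union-find over a mixed node set (domains are str, indicators are tuples)."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_sites(pages):
    """pages: {domain: html}. Returns [(domains, indicators), ...], one entry per connected component."""
    ds = DisjointSet()
    for domain, html in pages.items():
        ds.find(domain)                      # register the domain even if nothing is found on it
        for ind in extract_indicators(html):
            ds.union(domain, ind)            # bipartite edge: domain <-> indicator
    comps = defaultdict(lambda: (set(), set()))
    for node in list(ds.parent):
        bucket = comps[ds.find(node)]
        (bucket[1] if isinstance(node, tuple) else bucket[0]).add(node)
    return sorted((sorted(d), sorted(i)) for d, i in comps.values())


def indicator_counts(group):
    """Distinct indicator values per kind in one group; few Matomo hosts for many domains = blocklist candidate."""
    counts = defaultdict(int)
    for kind, _ in group[1]:
        counts[kind] += 1
    return dict(counts)


SAMPLE_PAGES = {  # constructed snippets, not real sites
    "shop-a.example": '<script>var _paq=window._paq||[];var u="//tracker-one.example/";'
                      '_paq.push(["setTrackerUrl",u+"matomo.php"]);</script>'
                      '<footer>contact: sales@op-one.example</footer>',
    "shop-b.example": '<footer>mail: Sales@op-one.example</footer>'
                      '<script src="//js.users.51.la/21000001.js"></script>',
    "shop-c.example": '<script>var u="//tracker-one.example/";_paq.push(["setTrackerUrl",u+"matomo.php"]);</script>',
    "shop-d.example": '<script>LA.init({id:"Kx9abc",ck:"Kx9abc"})</script><footer>help@op-two.example</footer>',
    "shop-e.example": '<footer>no analytics, no contact address</footer>',
}

if __name__ == "__main__":
    for n, group in enumerate(cluster_sites(SAMPLE_PAGES), 1):
        print(f"group {n}: {group[0]} via {group[1]} -> {indicator_counts(group)}")
```

On the sample, shop-a, shop-b and shop-c collapse into one group even though no single indicator appears on all three: the e-mail address links a to b and the Matomo host links a to c. That transitive linking is what makes the approach powerful, and also why a widely shared service (the study's recurring Matomo servers across groups, or a very common 51.la ID) needs to be weighted or excluded before it merges unrelated operators into one oversized cluster.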

Among these, Group G1 and Group G2 emerged as the largest and most persistent, with over 335,000 and 159,000 associated websites respectively. Both groups showed significant infrastructure investments, including thousands of email addresses and tracking IDs. Interestingly, multiple groups appeared to share analytics services like Matomo, with certain servers such as la51[.]xyz and omtage[.]top recurring across distinct groups, suggesting possible overlaps or partnerships.

The study's time-series analysis revealed fluctuating activity patterns. Some groups remained active throughout the May 2022 to December 2024 observation window, while others emerged, peaked, and disappeared within months. Notably, G1-1 and G2-1, the most prolific subgroups, were still operational in late 2024, underlining their resilience and adaptability.

A case study on refund scams, identified by the Japanese Consumer Affairs Agency in early 2025, linked four fake sites to these dominant scam groups. In this scam, victims who expect a refund are instead walked through authorizing a payment in a mobile payment app. Domains involved in the scheme were traced back to Groups G1-1 and G2-1, reinforcing the notion that scam strategies are often shared across major actor groups.

What can be done to counteract these threats?

The researchers argue that grouping fake EC sites is essential for understanding and disrupting cybercriminal operations. By clustering domains and identifying associated infrastructure, authorities and cybersecurity firms can better prioritize takedowns and attribute attacks to specific actors.

One proposed countermeasure involves monitoring and blocking known Matomo servers associated with fake sites. For example, G1 and G2 groups rely heavily on a small number of Matomo tracking domains, making them viable targets for surveillance or deactivation. In contrast, the use of 51.la IDs is more diffuse, with thousands of unique IDs used, complicating blacklist-based mitigation.

The study also acknowledges the operational and ethical challenges of analyzing such large datasets. Although the redirectors are typically victims of compromise, they are still part of the redirection chains. JC3 shares redirector data with law enforcement to notify administrators and mitigate the issue, though many remain uncontactable or unaware of the compromise.

While the large actor groups draw most of the attention, the study notes that the smaller groups often use the same toolkits and infrastructure, particularly 51.la analytics. This may point to a broader criminal ecosystem in which knowledge, scripts, and services are shared across otherwise unrelated groups.

First published in: Devdiscourse