Spanish Authorities Detain Hacker Linked to High-Profile Data Leaks Affecting Politicians and Journalists

Information Security Media Group provides a weekly overview of cybersecurity incidents globally. This week’s highlights include counterfeit Chinese websites imitating retail brands, the arrest of hackers involved in significant data leaks in Spain, a ransomware incident affecting a Swiss health nonprofit, an investigation by the International Criminal Court into a cyberattack, UNFI’s systems recovery, vulnerabilities in smart tractors, and a British individual sentenced for locking an employer out of a network. Additionally, a WordPress intrusion has installed a Windows Trojan.
Counterfeit Retail Websites Target Global Brands to Harvest Payment Information
Recent investigations have identified thousands of fraudulent retail websites impersonating major international brands, including Apple, PayPal, and Michael Kors. These scams deceive consumers into inputting credit card details under the pretense of making legitimate purchases.
The cybersecurity firm Silent Push disclosed that the sites primarily target English and Spanish-speaking customers globally. Analysis of the underlying infrastructure revealed indicators of operation by cybercriminals located in China.
While some fake websites utilize scraped product listings, others are haphazardly constructed, such as a false Guitar Center site that sells children’s products. Notably, some sites integrate authentic Google Pay features to seem more credible. Unfortunately, consumers receive no products after making purchases.
Despite ongoing takedowns, thousands of these fraudulent sites persist and are capable of utilizing search engine manipulation tactics to attract victims.
Spanish Police Arrest Individuals Linked to Data Breaches Affecting Politicians and Journalists
Spanish authorities have reported the arrest of two individuals involved in extensive data leaks that exposed sensitive personal information from top government officials and journalists. These arrests follow a malicious campaign that disclosed the national identity and personal email of Prime Minister Pedro Sánchez.
The main suspect, a 19-year-old computer science student referred to as “Yoel O.Q.,” was apprehended at his residence in the Canary Islands. His accomplice, “Cristian Ezequiel S.M.,” was also taken into custody. Law enforcement claims the duo operated a network responsible for siphoning and releasing personal data of high-ranking politicians, selling access and hacking tools for cryptocurrency.
Both suspects are now under provisional release but face serious allegations, characterized by the Ministry of the Interior as potential threats to national security. They reportedly share connections with far-right Telegram channels that disseminated the compromised data to a following exceeding 90,000 users.
Subject to investigations for potential terrorism-related offenses, they have been remanded to Madrid for testimony before the National Court.
Ransomware Attack Hits Swiss Health Nonprofit Radix
The Zurich-based health nonprofit Radix has been the recent target of a ransomware attack perpetrated by the Sarcoma group, with compromised files subsequently appearing on the dark web, including sensitive government data.
Radix confirmed that its backups remain secure and that partner information was unaffected. The Swiss government, however, expressed concerns that federal offices using Radix services might be impacted. Investigations are ongoing; the attackers did not breach government IT systems directly.
The organization has reported the incident to privacy regulators and law enforcement, collaborating with the Swiss Federal Office for Cybersecurity. Their platforms for anonymous counseling remained unharmed.
The Sarcoma group employs a double extortion tactic, claiming over 100 victims, including those based in the U.S., Italy, and Canada.
International Criminal Court Investigates Cyberattack
The International Criminal Court recently announced the detection of a “sophisticated and targeted” cyberattack, which has been successfully contained by its security systems. This incident follows a previous espionage-influenced breach reported in 2023 and reflects the increasing threats faced by ICC officials.
Established in 2002, the ICC plays a key role in prosecuting individuals for severe crimes such as war crimes and genocide, operating separately from the United Nations’ International Court of Justice.
UNFI Recovers Systems Post-Cyberattack
United Natural Foods, a crucial supplier for Amazon’s Whole Foods, has restored its systems after a significant cyberattack on June 5 that impeded customer operations and order processing. The organization announced that electronic ordering and invoicing functions have returned to normal.
However, UNFI warned in its SEC filing that the incident may significantly affect its fourth-quarter net income, attributing the forecast to operational disruptions and elevated investigation costs. Fortunately, the breach is confirmed not to involve any personal or protected health information, hence no consumer notifications are required.
UNFI engaged external cybersecurity consultants and informed law enforcement about the attack, but details regarding the specific nature of the cyberattack remain undisclosed.
Security Flaw in Smart Tractors Poses Remote Hijacking Risks
Researchers at Limes Security have identified a serious vulnerability within the FJD AT2 aftermarket steering system, utilized in smart tractors globally, particularly in Asia and Europe, which could allow remote control by malicious actors.
This flaw in GPS-dependent tractors presents major implications for safety and operational control, highlighting vulnerabilities in agricultural technologies. The research team plans to present their findings at the upcoming Black Hat USA conference.
While FJDynamics has denied the claims, Limes Security emphasizes that the issue remains unpatched, exposing numerous agricultural vehicles to hijacking and surveillance threats.
Proofpoint Links RomCom RAT with New TransferLoader Malware Activities
Researchers from Proofpoint have detected a connection between the TA829 group, known for the RomCom RAT, and a new activity cluster identified as UNK_GreenSec, associated with the TransferLoader malware. This Russia-affiliated threat actor is recognized for targeting individuals with espionage and financial attacks.
Notably, both groups utilize compromised MikroTik routers for command and control operations and execute similar phishing techniques to deploy distinct malware strains. The overlapping infrastructure highlights a possible collaboration or operational unity between the two factions.
UK IT Worker Sentenced for Network Sabotage After Suspension
A British court sentenced Mohammed Umar Taj, a 31-year-old IT professional, to over seven months in prison for sabotaging his employer’s network following his suspension. Taj retained privileged access, altering credential and authentication settings and locking out the organization, resulting in substantial financial losses.
West Yorkshire Police reported that Taj intended to retaliate for his suspension and pleaded guilty to unauthorized actions aimed at disrupting computer operations. Investigators successfully retrieved detailed logs outlining his disruptive actions.
WordPress Hack Deploys Windows Trojan Covertly
Researchers at Sucuri have revealed a WordPress-based malware campaign that silently infects visitors with a Windows Trojan. Disguised as a routine breach, the malware embeds itself within the header.php file.
The activation of this malware triggers the downloading of a ZIP file containing a Trojan executable set to auto-launch when the system starts. The malware connects to a remote command-and-control server, establishing an avenue for attacker access.
Additional Insights from the Week
Reporting by Information Security Media Group includes insights from analysts in various locations, including Mathew Schwartz in Scotland, Gregory Sirico in New Jersey, Prajeet Nair in Bengaluru, India, Akshaya Asokan in Southern England, and Marianne Kolbasuk McGee in the Boston exurbs.