Researchers at Recorded Future are tracking a payment-fraud tactic that hijacks the search rankings of legitimate websites to funnel shoppers into scam stores, and they warn it is already powering fraud tied to the 2026 FIFA World Cup. Unlike the familiar scams that buy social media ads to push fake-bargain sites, this technique pulls in victims through ordinary organic search results, which makes it harder for both shoppers and security teams to spot.
In its report, Recorded Future's Payment Fraud Intelligence team says the operators follow a consistent four-step pattern: break into a legitimate, well-ranked website, plant fake product listings and search-crawler metadata on it, ride that site's existing search ranking to attract shoppers, then redirect anyone who arrives from a search result to a separate scam domain that takes payment and never ships the goods.
Why it is hard to spot
The redirect is selective. The injected code only fires for visitors who arrive from a search result carrying a specific tracking parameter, so regular visitors and the site's own administrators keep seeing the real site and the compromise often goes unnoticed. This conditional behavior is a form of cloaking. A second layer of concealment hides the payment infrastructure itself: the scam domains are never indexed by search engines, so only the compromised pages show up, keeping the sites that actually collect money out of view of researchers and monitoring tools.
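One way a site owner could look for the selective redirect described above in their own web-server access logs (an added example, not code from Recorded Future's report). It assumes Combined Log Format and that the redirect shows up as an HTTP 3xx status; the search-engine list, function names, and sample log lines (including the `t=PLACEHOLDER` parameter) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format fields used here: request URL, status code, referrer.
LINE = re.compile(r'"(?:GET|HEAD) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')
# Assumption: referrer host labels treated as search engines; extend as needed.
SEARCH_LABELS = {"google", "bing", "duckduckgo", "yahoo"}
REDIRECTS = {"301", "302", "303", "307", "308"}

def is_search_referrer(ref):
    host = (urlsplit(ref).hostname or "").lower()
    return any(label in SEARCH_LABELS for label in host.split("."))

def find_cloaked_paths(lines, min_hits=2, high=0.9, low=0.1):
    """Paths that redirect search-referred visitors but serve everyone else normally."""
    stats = defaultdict(lambda: {"search": [0, 0], "other": [0, 0]})  # [redirects, total]
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        bucket = "search" if is_search_referrer(m["ref"]) else "other"
        counts = stats[urlsplit(m["url"]).path][bucket]  # query string ignored
        counts[0] += m["status"] in REDIRECTS
        counts[1] += 1
    flagged = []
    for path, s in sorted(stats.items()):
        (s_red, s_tot), (o_red, o_tot) = s["search"], s["other"]
        if min(s_tot, o_tot) < min_hits:
            continue  # too little traffic on one side to compare
        if s_red / s_tot >= high and o_red / o_tot <= low:
            flagged.append(path)
    return flagged

def _line(url, status, ref):  # builds one constructed log line
    return (f'203.0.113.7 - - [10/May/2026:10:00:00 +0000] "GET {url} HTTP/1.1" '
            f'{status} 512 "{ref}" "Mozilla/5.0"')

SEARCH, DIRECT = "https://www.google.com/", "-"
# Constructed sample: one cloaked path, one ordinary redirect, one normal page.
SAMPLE_LOG = (
    [_line("/shop/jersey?t=PLACEHOLDER", 302, SEARCH)] * 3
    + [_line("/shop/jersey", 200, DIRECT)] * 3
    + [_line("/old-page", 301, SEARCH)] * 2 + [_line("/old-page", 301, DIRECT)] * 2
    + [_line("/blog/post", 200, SEARCH)] * 2 + [_line("/blog/post", 200, DIRECT)] * 2
)

if __name__ == "__main__":
    print(find_cloaked_paths(SAMPLE_LOG))
```

A redirect performed by injected client-side script would return status 200 either way and would not appear in this comparison; that case needs a rendered-page check instead.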
Built to scale and survive
The economics favor the attacker. Capturing organic traffic costs nothing compared with the advertising or search-optimization work that ranking normally demands, and it sidesteps both ad-platform and search monitoring. The operations are also resilient: crews rotate domains, branding, and content from shared templates and spread payments across several merchant accounts, so taking down any single domain or account does little. The scheme even monetizes low-value targets such as blogs and small-business pages that have steady search traffic but no checkout to skim. Recorded Future profiled one cluster it calls AEGIR, identifying 41 scam domains running through three merchant accounts that have drawn roughly 26 million visits since they were created, 17 million of them in 2026 alone; a shared image fingerprint points to around 1,714 more sites likely tied to the same operation. A separate, ad-driven World Cup cluster active in April and May 2026 used 33 scam domains linked to about 2,500 online ads.
The harm and what to watch
Victims lose money on goods that never arrive, and many also have their card data stolen and resold, producing later unauthorized charges with no obvious link back to the scam site. Payments are dispersed across merchant accounts registered with misused or compromised business identities to pass know-your-business checks, which enables transaction laundering, while the legitimate businesses whose sites or identities are abused absorb the complaints. Recorded Future notes the activity leaves knowable signatures: referrer-based cloaking, domain-rotation patterns, and mismatched merchant descriptors. Shoppers chasing World Cup tickets, merchandise, or streaming deals should stick to official channels and treat steep discounts found through search with caution, since the listing may sit on a legitimate but compromised site.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.