Fake shops target shoppers across Europe with fake Samsung deals, counterfeit goods and World Cup scams

A recent investigation by Bitdefender Labs has uncovered a significant escalation in fake online shop campaigns targeting consumers across 12 European countries between March and May 2026. These operations, far from being isolated incidents, are now functioning as coordinated, multinational businesses employing professional e-commerce tactics.
Attackers are impersonating globally recognized brands such as Samsung, Nike, Adidas, ZARA, H&M, Amazon, Lidl, and SHEIN. They employ a multi-channel approach, utilizing Facebook ads, WhatsApp messages, email, SMS, phone calls, and fraudulent websites to lure victims. The ultimate goals range from direct financial theft through fake payments to acquiring sensitive personal information or selling counterfeit merchandise.
Researchers mapped over 40 domains linked to these fraudulent activities, noting a pattern of reused infrastructure and tactics across different countries and brands. Methods to evade detection include rotating domain names, employing misleading redirects, and leveraging Unicode lookalike domains that visually mimic legitimate URLs. Some operators have even established counterfeit supply chains through platforms like WhatsApp, using password-protected catalogs to showcase their illicit goods.
Several campaigns have capitalized on the anticipation surrounding the 2026 FIFA World Cup, promising exclusive merchandise or special deals to exploit consumer excitement. For instance, one campaign offered Samsung Galaxy S26 Ultra devices at a 90% discount, while another promoted free Adidas Deutschland 2026 Fan Kits.
The scale and sophistication of these operations are notable. Campaigns are localized to specific European markets, with tailored messaging and content. For example, a ZARA and Nike impersonation campaign originating from a Polish hub used the same domain and advertising identity, indicating a shared operational backend.
WhatsApp has emerged as a significant platform for counterfeit goods distribution. One operator, identified as "Carl," contacted European users via WhatsApp, offering "1:1 quality" counterfeit products and directing them to password-protected Yupoo catalogs. This network appears to be China-based, with DHL shipping offered to Europe.
Beyond direct sales scams, some operations focus on subscription traps or data harvesting. Amazon clone sites were identified, designed to exploit the brand's trust to collect payment details or enroll unsuspecting users into unwanted subscriptions.
The investigation highlights the evolution of these fake-shop networks, which now operate with significant advertising budgets and infrastructure designed to bypass traditional security measures. The reuse of domain infrastructure and the adaptation of tactics across various brands underscore the organized nature of these cybercriminal enterprises.





