[GUEST DIARY] Tearing apart website fraud to see how it works., (Wed, May 13th)

[This is a Guest Diary by Joshua Nikolson, an ISC Intern and part of the SANS.edu Bachelor's degree in Applied Cybersecurity (BACS) program.] Introduction One day at work, a friend messaged me, How do you check a website to see if it s legit? This friend recently received a phishing text message from a bank , and I figured he wanted to be careful and double-check. I told him to put the URL into VirusTotal but said that just because it may say it s clean, that doesn t mean it s not malicious. He sent me a screenshot of the VirusTotal page for the URL, with no detections and everything showing green. I took a moment to look at it a little more closely. The domain name was unusual, and right off the bat I could see it had been created in the last few months. As of now, it has one detection from a vendor. All domains mentioned in this blogpost will be listed in the Indicators of Compromise section at the end. Going to the site, I could immediately tell that something was off about it. It was a secondhand marketplace that seemed to sell just about everything under the sun, with tons of listings in each category and items priced too good to be true. While the site had that AI vibecoded feeling , I wanted to give my friend something more concrete other than don t trust this site . I decided to reverse image search one of the product images, a Lenovo ThinkPad battery replacement, and after some digging, I found an eBay listing with all the same product images and item descriptions. I did this for a few more of the site s listings and came to the same result. I let my friend know, and he said, Yeah, it looked too good to be true . Finding a Marketplace I found this interesting and wanted to see if I could find something similar again. Today, it is trivial to use AI to mass-deploy these scams, and I wanted to see what would happen if I tried to buy something. Let s look up what my friend was originally looking for: a Texas Instruments TI-nSpire CAS calculator. Simply searching on Google and going to the second page, something pops out to me. Why is a driving school selling a calculator? The search result link, hxxps://desidrivingschool[.]com/listing/164903741/ redirects to a marketplace where it is for sale: This domain looks suspicious on its own, and to add insult to injury, it was registered ~12 days ago on April 3rd, 2026: What's happening here? You may be asking why this Desi Driving School is showing up in the search results for this calculator? Good question. If you append /sitemap.xml to the URL, you can see tons of these listings that are meant to infiltrate the search results. This is a prime example of SEO poisoning, in which potential victims are lured through their shopping searches to these fake marketplaces. Threat actors have previously used compromised WordPress sites as command-and-control infrastructure or to stage payloads, but this is being used as a distinct attack vector. Unfortunately, this website was likely compromised, wh