Shake it like a “fake polaroid” picture!

SHELLHOUNDS Intelligence Report + Consumer Advisory

A Fraudulent “Checkout-as-a-Service” Funnel Using Brand Impersonation, Off-Domain Payment Capture, and PayPal Descriptor Churn

Prepared: 2025-12-07 (America/Toronto)
By: SHELLHOUNDS (compiled from victim-provided browser network telemetry, email header evidence, and DNS/RDAP artifacts)

Consumer Advisory

What this scam looks like

You land on a storefront that looks legitimate, but checkout happens on a different website. That checkout site loads unusual payment scripts and may collect payment details and personal info.

The biggest “tells” (fast checks anyone can do)

  1. Checkout domain mismatch: you shop on one domain (e.g., polaroid-canada.com) but pay on another (e.g., xbhmsa.shop).

  2. Immediate card alert like PAYPAL *<name>, followed later by a support/order email for an order you didn’t place.

  3. The PayPal “name” changes across incidents (they rotate recipients/vendors to evade easy blocking).

  4. Order email sender isn’t the brand (e.g., support@goods-notify.com), even if the email looks “official.”

What to do right now (if you interacted with it)

  • If you entered card details: call your card issuer, report suspected fraud, request a new card number, and enable alerts.

  • If PayPal is involved: review Recent Activity and Automatic Payments/Billing Agreements and revoke anything you don’t recognize.

  • Don’t click more links in the email or “support” messages.

  • Save proof: screenshots, the suspicious URLs, and the email “Original message” (full headers).

Executive Summary

SHELLHOUNDS assessed a fraud operation that uses:

  • a brand-impersonation storefront (polaroid-canada.com),

  • a separate off-domain checkout environment (xbhmsa.shop) loading a bespoke module (ppcard) and cryptographic JavaScript, and

  • a transactional-email lure (goods-notify.com) designed to legitimize the charge after the fact.

A notable operational tactic is PayPal descriptor churn: credit-card alerts appear as PAYPAL *<name>, but the name changes between incidents, suggesting PayPal recipient/vendor rotation to evade simple blocking and confuse victims.

Abstract

This paper documents a coordinated e-commerce fraud operation consistent with a “checkout-as-a-service” funnel. Victims are led to a brand-impersonation storefront (polaroid-canada.com) that pivots into an off-domain checkout hosted at xbhmsa.shop. The checkout loads a custom “ppcard” module and cryptographic JavaScript (/ppcard/.../crypto.min.js) and passes structured order parameters via URL query strings (ppcard.fuzz.js?params=...), consistent with client-side data handling and potential payment/PII capture.

DNS and RDAP evidence shows both domains are fronted by Cloudflare but use distinct Cloudflare name server pairs, suggesting compartmentalized zones. RDAP indicates polaroid-canada.com was registered on 2025-10-17 via Dynadot, which is atypical for an established brand storefront and supports the impersonation hypothesis. Transactional-phishing emails sent from goods-notify.com leverage third-party delivery infrastructure (Mailgun indicators) and exhibit authentication anomalies (DMARC fail). Cross-incident victim reports further indicate PayPal recipient/vendor rotation, resulting in changing credit-card notification descriptors (e.g., PAYPAL *<name>), reducing the effectiveness of merchant-string fraud rules.

1. Scope and Evidence

1.1 Evidence sources

  • Browser DevTools network telemetry capturing checkout-related resources on xbhmsa.shop (including /ppcard/.../crypto.min.js and /ppcard/.../ppcard.fuzz.js).

  • Gmail “Original message” view of an “Order Confirmation” email from support@goods-notify.com (SPF/DKIM/DMARC results, sending infrastructure details, HTML content).

  • DNS raw/summary artifacts for polaroid-canada.com and xbhmsa.shop (A/AAAA/NS/SOA).

  • RDAP registration artifact for polaroid-canada.com (registrar, create/expire dates, abuse contact).

  • Victim cross-incident observation: rotating PayPal vendor identities leading to variable card notification descriptors.

1.2 Out of scope

  • Active probing of domains or origin infrastructure.

  • Full deobfuscation/reverse engineering of minified JavaScript payloads.

  • Definitive attribution to a specific individual/group.

2. Methodology

2.1 Passive collection & preservation

  • Preserved HTTP request metadata (URL, method, status, referrer, response headers).

  • Preserved email header chains and authentication results (SPF/DKIM/DMARC).

  • Preserved DNS and RDAP snapshots for infrastructure context.

2.2 Infrastructure clustering

  • Compared authoritative delegation (NS records), A/AAAA resolution, and SOA admin fields.

  • Analyzed RDAP data for registrar, registration timeline, and abuse contacts.

2.3 Behavioral analysis

Evaluated whether checkout logic:

  • shifted off the brand domain,

  • relied on third-party scripts/modules for payment capture,

  • transmitted structured PII/order data in query strings,

  • leveraged cryptographic helper libraries consistent with obfuscation/encryption at the client.

3. Findings

3.1 Brand-impersonation storefront: polaroid-canada.com appears newly registered

RDAP indicates polaroid-canada.com was registered on 2025-10-17 via Dynadot, with one-year expiration and no DNSSEC.
DNS shows Cloudflare fronting with:

  • A: 172.64.80.1

  • AAAA: 2606:4700:130:...:cloudflare

  • NS: deborah.ns.cloudflare.com, kyrie.ns.cloudflare.com

Assessment: A newly registered, brand-like domain presenting as a national storefront is a common indicator of fraudulent retail impersonation.

3.2 Off-domain checkout host: xbhmsa.shop serves custom payment module assets

Browser telemetry shows payment-related script loads from xbhmsa.shop, including:

  • .../ppcard/modules/assets/js/crypto.min.js (HTTP 200)

  • .../ppcard/modules/assets/js/ppcard.fuzz.js?version=1.0&params=... (HTTP 200)

The ppcard.fuzz.js request includes a large structured params= blob containing order-related fields and flow-control URLs, consistent with passing transaction context into the checkout script via query string.

Assessment: Off-domain checkout hosting combined with a bespoke module (“ppcard”) and client-side crypto libraries is strongly consistent with payment/PII capture kits rather than standard PSP integrations.
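The two tells in this finding (checkout leaving the storefront's registrable domain, and /ppcard/ module loads carrying a params= blob) can be checked mechanically over exported DevTools telemetry. The following is an added example written for this advisory, not code from the report or from any tool it names; it assumes telemetry exported as (initiating page, requested URL, status) tuples, and the token and params blob are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed browser-telemetry sample shaped like the capture described in 3.2
# (token and blob are placeholders): (URL of the page that issued the request, requested URL, HTTP status)
SAMPLE_TELEMETRY = [
    ("https://polaroid-canada.com/cart", "https://polaroid-canada.com/cart", 200),
    ("https://polaroid-canada.com/cart", "https://xbhmsa.shop/checkouts/EXAMPLE_TOKEN", 200),
    ("https://xbhmsa.shop/checkouts/EXAMPLE_TOKEN",
     "https://xbhmsa.shop/ppcard/modules/assets/js/crypto.min.js", 200),
    ("https://xbhmsa.shop/checkouts/EXAMPLE_TOKEN",
     "https://xbhmsa.shop/ppcard/modules/assets/js/ppcard.fuzz.js?version=1.0&params=EXAMPLE_BLOB", 200),
    ("https://polaroid-canada.com/cart", "https://polaroid-canada.com/static/app.js", 200),
]

CHECKOUT_PATH_HINTS = ("/checkout", "/checkouts/")   # paths that indicate a payment step
KIT_PATH_HINTS = ("/ppcard/",)                      # bespoke module path seen in this campaign


def site_of(host):
    """Crude eTLD+1 for the demo; production code should use a public-suffix list."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "")


def analyze_telemetry(events, storefront_host):
    """Flag checkout requests that leave the storefront domain and loads of the checkout-kit module."""
    store = site_of(storefront_host)
    findings = []
    for initiator, url, status in events:
        req, src = urlsplit(url), urlsplit(initiator)
        host, path = site_of(req.hostname), req.path
        # Pivot: a storefront page sends the shopper to a checkout path on a different registrable domain
        if site_of(src.hostname) == store and host != store and path.startswith(CHECKOUT_PATH_HINTS):
            findings.append({"type": "cross_domain_checkout", "from": store, "to": host, "path": path})
        # Kit asset: the ppcard module paths, noting whether order context travels in the query string
        if status == 200 and any(h in path for h in KIT_PATH_HINTS):
            findings.append({"type": "checkout_kit_asset", "host": host, "path": path,
                             "params_in_query": "params" in parse_qs(req.query)})
    return findings


def summarize(events, storefront_host):
    """Return (pivot_count, kit_asset_count) so the detections are easy to alert on."""
    f = analyze_telemetry(events, storefront_host)
    return (sum(x["type"] == "cross_domain_checkout" for x in f),
            sum(x["type"] == "checkout_kit_asset" for x in f))
```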

3.3 Compartmentalized zones: same CDN fronting, different authoritative NS pairs

DNS indicates both polaroid-canada.com and xbhmsa.shop are fronted by Cloudflare, but with different nameserver pairs—suggesting distinct Cloudflare zones/accounts.

Assessment: This supports operational compartmentalization (separate domains/roles), reducing single-point takedown impact.

3.4 Email lure: transactional “Order Confirmation” from goods-notify.com

The victim received a transactional-looking email from support@goods-notify.com styled as an e-commerce order confirmation. Header evidence indicates use of a commercial email delivery platform (Mailgun indicators) with an authentication anomaly (DMARC fail reported in Gmail’s summary).

Assessment: Fraud campaigns commonly use legitimate email delivery services for scale and deliverability; SPF/DKIM “pass” alone is not proof of legitimacy, and DMARC failure + brand mismatch is a strong fraud indicator.
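The point that SPF/DKIM "pass" is not proof of legitimacy while DMARC fail plus brand mismatch is, can be turned into a header check. This is an added example for this advisory, not the report's own tooling: the message is constructed, the ESP domain esp.invalid and the brand's official domain brand-official.example are placeholders, and the Authentication-Results values are made up but internally consistent (SPF and DKIM pass for the unrelated ESP domain, so DMARC for the From domain fails).

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed message modeled on the lure's headers (values are placeholders, not the victim's message)
SAMPLE_RAW = """\
From: "Polaroid Canada Support" <support@goods-notify.com>
To: victim@example.com
Subject: Order Confirmation #EXAMPLE-ORDER
Authentication-Results: mx.google.com;
       dkim=pass header.i=@esp.invalid;
       spf=pass smtp.mailfrom=esp.invalid;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=goods-notify.com
Content-Type: text/html

<html><body><a href="https://xbhmsa.shop/checkouts/EXAMPLE_TOKEN">View your order</a></body></html>
"""

TRANSACTIONAL_SUBJECT = re.compile(r"order (confirmation|update)|receipt|invoice|shipped", re.I)


def assess_order_email(raw, official_domains):
    """Score a transactional-looking email against the brand's official sending and link domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    auth = str(msg.get("Authentication-Results", ""))   # policy.default unfolds the continuation lines
    m = re.search(r"\bdmarc=(\w+)", auth)
    dmarc = m.group(1).lower() if m else "none"
    body = msg.get_content() if not msg.is_multipart() else ""
    link_hosts = {(urlsplit(h).hostname or "").lower() for h in re.findall(r'href="([^"]+)"', body)}
    reasons = []
    if TRANSACTIONAL_SUBJECT.search(str(msg.get("Subject", ""))) and from_domain not in official_domains:
        reasons.append("transactional subject from non-brand sender " + from_domain)
    if dmarc == "fail":   # SPF/DKIM may still say pass here; alignment with the From domain is what failed
        reasons.append("DMARC fail for " + from_domain)
    foreign = sorted(h for h in link_hosts if h and h not in official_domains)
    if foreign:
        reasons.append("links point off-brand: " + ", ".join(foreign))
    return {"from_domain": from_domain, "dmarc": dmarc, "link_hosts": sorted(link_hosts),
            "reasons": reasons, "suspicious": len(reasons) >= 2}
```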

3.5 Behavioral evasion: PayPal vendor/recipient rotation

Across multiple incidents, victims report a consistent pattern:

  1. Immediate credit-card alert appears as a PayPal descriptor (e.g., PAYPAL *<name>).

  2. Delayed “support/order” email references a phony order to normalize the alert and drive engagement.

Crucially, the PayPal recipient identity varies, producing different notification descriptors each time (“descriptor churn”). This degrades merchant-string blocking rules and makes victims less likely to recognize repeated fraud.

Assessment: Vendor rotation + delayed confirmation is consistent with deliberate evasion of both automated controls and human suspicion.

4. Adversary Tooling & Service Stack

4.1 Confirmed

  • Cloudflare: authoritative DNS and reverse-proxy/CDN fronting for both domains (distinct NS pairs).
    Operational value: origin shielding, TLS automation, caching/WAF options, resilience to takedown.

  • Dynadot: registrar for polaroid-canada.com.
    Operational value: rapid provisioning of brand-adjacent impersonation domains.

  • Custom checkout/payment kit (“ppcard”) + client-side cryptography library: /ppcard/.../crypto.min.js and /ppcard/.../ppcard.fuzz.js.
    Operational value: client-side obfuscation/encryption and structured parameter passing for checkout workflow and potential data capture.

  • Commercial email delivery infrastructure (Mailgun indicators) in email headers.
    Operational value: scalable delivery and improved inbox placement.

4.2 Likely / Inferred

  • OpenCart (commodity storefront framework): victim observation suggests a generic OpenCart-style “disposable shop” deployment.

  • YooCart (yoocart.net) and OpenCart ecosystem (opencart.com): victim reports association with these services, suggesting templates/hosting/modules may have been leveraged.

5. Indicators of Compromise (IOCs)

5.1 Domains

  • polaroid-canada.com — suspected brand impersonation storefront (newly registered).

  • xbhmsa.shop — off-domain checkout host.

  • goods-notify.com — transactional-phishing sender domain.

5.2 Nameserver clustering indicators

  • polaroid-canada.com: deborah.ns.cloudflare.com, kyrie.ns.cloudflare.com

  • xbhmsa.shop: galilea.ns.cloudflare.com, jose.ns.cloudflare.com

5.3 IPs (CDN anycast; not attribution)

  • 172.64.80.1

  • 2606:4700:130:...:cloudflare

5.4 URL paths/resources (checkout-kit indicators)

  • https://xbhmsa.shop/checkouts/<token>

  • https://xbhmsa.shop/ppcard/modules/assets/js/crypto.min.js

  • https://xbhmsa.shop/ppcard/modules/assets/js/ppcard.fuzz.js

  • https://xbhmsa.shop/ppcard/modules/process-js.php (observed in session context)

5.5 Behavioral / pattern indicators (PoSAs)

  • Variable PayPal descriptor: PAYPAL *<rotating recipient/merchant name>

  • Sequence correlation: PayPal alert → delayed “order confirmation/support” email → off-domain checkout assets (/ppcard/...) on xbhmsa.shop

6. Detection & Hunting Guidance

6.1 For everyday shoppers

  • Before paying, look at the URL bar: if checkout domain differs from the store domain, stop.

  • Treat PAYPAL *<name> alerts as suspicious if you didn’t initiate a PayPal payment—especially if followed by a “confirmation” email you didn’t expect.

6.2 For security/fraud teams

  • Avoid single-string merchant rules (descriptor churn defeats them). Use correlation:

    • PayPal-related alert + delayed order email + browse history to suspicious domains.

  • Alert on /ppcard/ path loading and cross-domain checkout pivoting.

  • Email detections: “Order Confirmation” from non-brand sender domains + DMARC failure + masked/redirect links.
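The correlation this section and 3.5 describe (PAYPAL * alert, then a delayed non-brand "order" email, optionally with /ppcard/ asset loads, and descriptor names that differ across incidents) can be implemented as a small timeline join. This is an added example for this advisory, not the report's tooling; the event timeline, report ids, vendor names and timestamps are constructed, and brand-official.example stands in for the brand's real sending domains.

```python
import re
from datetime import datetime, timedelta

PAYPAL_DESC = re.compile(r"^PAYPAL \*(.+)$")
# Placeholder for the brand's genuine sending domains (assumption; the report does not list them)
OFFICIAL_SENDER_DOMAINS = {"brand-official.example"}

# Constructed timeline across three reports: (report id, ISO timestamp, event kind, detail).
# Vendor names, ids and times are made up; the domains and path are those named in the report.
EVENTS = [
    ("r1", "2025-12-01T10:00:00", "card_alert", "PAYPAL *EXAMPLEVENDOR1"),
    ("r1", "2025-12-01T10:02:00", "web", "https://xbhmsa.shop/ppcard/modules/assets/js/ppcard.fuzz.js?params=X"),
    ("r1", "2025-12-01T15:30:00", "email", "support@goods-notify.com"),
    ("r2", "2025-12-03T09:00:00", "card_alert", "PAYPAL *EXAMPLEVENDOR2"),
    ("r2", "2025-12-03T20:00:00", "email", "support@goods-notify.com"),
    ("r3", "2025-12-04T11:00:00", "card_alert", "PAYPAL *EXAMPLECOFFEE"),  # genuine purchase, no lure
]


def correlate(events, window=timedelta(hours=48)):
    """Link each PAYPAL * alert to a later non-brand order email (and any /ppcard/ load) per report,
    then test whether the descriptor name differs between linked incidents (descriptor churn)."""
    by_report = {}
    for report, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        by_report.setdefault(report, []).append((datetime.fromisoformat(ts), kind, detail))
    incidents = []
    for report, evs in by_report.items():
        for t0, kind, detail in evs:
            m = PAYPAL_DESC.match(detail) if kind == "card_alert" else None
            if not m:
                continue
            later = [(k, d) for t, k, d in evs if t0 < t <= t0 + window]
            lures = [d for k, d in later if k == "email"
                     and d.rsplit("@", 1)[-1].lower() not in OFFICIAL_SENDER_DOMAINS]
            kit = [d for k, d in later if k == "web" and "/ppcard/" in d]
            if lures:  # the alert alone is not enough; the delayed lure is what makes the pattern
                incidents.append({"report": report, "descriptor": m.group(1),
                                  "lure_senders": lures, "kit_assets": kit})
    names = {i["descriptor"] for i in incidents}
    return {"incidents": incidents, "descriptors": sorted(names), "descriptor_churn": len(names) > 1}
```

The merchant name is deliberately never used as a match key; only the sequence and the sender domain are, which is what survives descriptor rotation.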

6.3 For registrars/CDNs abuse desks

  • Review domain purpose and content for brand impersonation indicators.

  • Validate cross-domain checkout flows and presence of payment-capture kits.

  • Prioritize rapid action during seasonal shopping peaks.

7. Recommended Response Actions

7.1 If payment details were entered

  • Replace the card; enable alerts; monitor for test charges and delayed fraud.

  • If PayPal was used/mentioned: review Automatic Payments/Billing Agreements and revoke unknown entries.

7.2 Account protection

  • Change passwords (start with email), enable MFA on email/PayPal/bank.

  • Monitor for targeted follow-on phishing leveraging harvested PII (address/phone/email).

7.3 Reporting & takedown escalation

  • Report to card issuer and PayPal (fastest protective path).

  • Report to registrar abuse for the impersonation domain (Dynadot; abuse contact available in RDAP).

  • Report to Cloudflare abuse for both domains with:

    • suspicious URLs,

    • timestamps,

    • description of off-domain checkout and /ppcard/ kit.

8. Startup & Merchant Defense: Preventing Brand Impersonation

Fraud operations like this thrive on speed: they register lookalike domains, clone storefront content, and route victims into off-domain “checkout” infrastructure. Startups can’t prevent all impersonation, but they can reduce impact and shorten takedown time.

8.1 Core defensive measures

Domains & DNS

  • Register common lookalikes: hyphens, plurals, misspellings, country variants, and relevant TLDs.

  • Enable strong registrar security: MFA, restricted account access, and (where available) registry lock.

  • Deploy DNSSEC for your official domains to strengthen DNS integrity.

Email trust

  • Enforce SPF/DKIM and set DMARC to quarantine/reject once validated.

  • Clearly publish which domains you email from (orders, support, receipts).

Checkout integrity

  • Keep checkout on your own domain wherever possible; if using PayPal/PSPs, make redirects explicit and expected.

  • Implement CSP/SRI and change-control around scripts to reduce injection and “checkout kit” risks.

Monitoring

  • Set alerts for lookalike domain registrations and brand keyword use in ads/social.

  • Track referral and checkout anomalies (spikes in checkout hits, unusual geos, low successful PSP confirms).

8.2 Using service providers

Many startups delegate brand protection and abuse response because monitoring, escalation, and takedowns are time-consuming. Common provider categories include:

  • Brand protection / domain monitoring vendors: detect lookalike registrations, typosquats, and counterfeit storefronts; help with enforcement workflows.

  • DMARC management providers: simplify email authentication rollout, reporting, and “reject” enforcement safely.

  • Anti-phishing / takedown services: run 24/7 reporting pipelines to registrars, CDNs, hosting providers, and platforms; track case status.

  • Fraud/chargeback & transaction risk platforms: reduce conversion fraud, account testing, and abuse signals tied to payments.

  • Managed SOC / MDR providers: operationalize monitoring and response when internal security staff is limited.

Practical guidance: If you lack a dedicated security/fraud function, a lightweight combination of domain monitoring + DMARC management + a takedown service can dramatically reduce impersonation dwell time—especially during holiday campaigns.

8.3 Incident response playbook

Maintain a ready-to-send abuse packet:

  • Proof of brand/trademark ownership

  • Official domains + official checkout/payment domains

  • Example fraudulent URLs, timestamps, and screenshots

  • Email “original” headers (for phishing cases)

  • A security contact for validation and coordination

9. Limitations

  • OpenCart/YooCart usage is reported/observed; artifacts provided do not conclusively fingerprint platform use.

  • CDN anycast IPs do not indicate ownership or origin hosting.

  • Without JS deobfuscation, precise data flows and exfiltration endpoints cannot be exhaustively enumerated.

10. Conclusion

SHELLHOUNDS assesses with high confidence this activity reflects a mature, compartmentalized fraud operation: a newly registered brand-impersonation domain leading to an off-domain checkout that loads bespoke payment scripts, reinforced by delayed transactional email and PayPal descriptor churn. This combination is designed to bypass consumer instincts and simple anti-fraud rules. Immediate containment actions and coordinated reporting are warranted.

Appendices

Appendix A

  • Domain: polaroid-canada.com

  • Registrar: Dynadot

  • Created: 2025-10-17

  • Expires: 2026-10-17

  • DNSSEC: not signed

Appendix B

  • polaroid-canada.com NS: deborah.ns.cloudflare.com, kyrie.ns.cloudflare.com

  • xbhmsa.shop NS: galilea.ns.cloudflare.com, jose.ns.cloudflare.com

  • Both domains resolve to Cloudflare anycast A/AAAA.
