News - Confiant

D-Shortiez: Inside the Criminal Network Behind Those Fake 'You Won!' Pop-Ups

Written by Confiant | Jul 2, 2025 7:00:00 PM

"Since everyone is beating around the bush on this one and making side comments. The 5-billionth search prize/reward is a scam. I didn't read through all of the comments, but I saw enough people saying that they actually would have fell for this, so OP, maybe a good idea to edit your post and add that if anyone else does get this pop up it is a scam and they should not enter any sensitive details etc. Stay safe online everyone <3"

This comment appeared in r/notinteresting, where someone had posted a screenshot of a celebratory "You've made the 5-billionth search!" page. The subreddit's users were having a field day, making jokes about the fake testimonials, mocking the cheesy design, and riffing on the obvious scam elements. But mixed in with the humor were concerning admissions: some people thought it looked real, even if cheesy, and others admitted they "actually would have fell for this."

While the Reddit community was debating whether the scam was real, we were tracking the criminal operation behind it. We've been monitoring D-Shortiez, the China-based threat actor responsible for these scams, since 2022. Over the past three years, we've documented how this group has ramped up its operations, running multiple sophisticated campaigns that have cost Americans millions of dollars.

In that time, they've evolved from simple browser exploiters into highly coordinated fraud operators, fusing fake support flows with technical browser hijacks to lock users in place and extract value across multiple fraud types.

When Criminals Get Technical

D-Shortiez isn't your typical scammer. We first spotted them in 2022 exploiting browser quirks most people had never heard of. By 2023, we had documented more than 300 million malicious ad impressions served by the group, targeting primarily U.S. audiences.

This summer, we've identified them running two separate scam operations. The first uses fake Google reward programs like the "5-billionth search" pages referenced in the Reddit thread. The second takes a different approach to tech support scams: instead of the traditional "click to call this number" method that hands victims off to phone-based call centers, D-Shortiez uses forced redirects to push users into fake computer lockdown pages that generate immediate panic.

The combination of forced redirects with tech support scams is unusually sophisticated. Other scam networks, like ScamClub or DCCBoost, use forced redirects but have not run this type of tech support scam in recent years. Major players on the tech support scam scene like QuizTSS or Aalgmor run these lockdown pages but lack the ability to pair them with a forced session redirect. D-Shortiez stands out for fusing the two techniques into one relentless flow.

The Economics of Fooling People

The numbers behind these scams show how criminals exploit human psychology at scale. Gift card scams operate on volume: reach millions of people, convince a small percentage. According to Federal Trade Commission data, gift card fraud losses reached $217 million during 2023.

The scam pages feature testimonials from fake winners with names like 'Brad Jenkins from Chicago'—carefully chosen generic identities designed to seem authentic while remaining completely untraceable.

Tech support scams work differently. The FBI reports that in 2023, tech support fraud was the number one crime type impacting people over 60, with nearly 18,000 complaints and almost $600 million in reported losses. According to the latest FBI data, tech support scams led to over $1.4 billion in losses in 2024.

Tech support scam from D-Shortiez

Most tech support scams rely on phone calls or require victims to voluntarily call fake support numbers after seeing pop-ups. D-Shortiez's approach is different: they use forced redirects to land users on browser lockdown pages that simulate computer crashes or security breaches. Victims find themselves unable to close the page or navigate away, creating immediate panic without any phone interaction required. From there, the scam options multiply: charging hundreds of dollars for fake security services, installing malware to steal passwords, or gaining access to bank accounts and email under the guise of technical support.

Forced Redirects: Behind the Browser Hijacks

What makes D-Shortiez particularly dangerous isn't just their scale, it's their technical sophistication. As our research documented, D-Shortiez developed techniques that "very effectively act as a back button hijack, comparable to some browser locking techniques that online scammers have leaned on over the years. Victims are lured to scams and the neutralized back button keeps them from being able to back out of the site." 

For security teams looking to protect their networks, we've included the specific domains and infrastructure indicators at the end of this article.

[Read our complete technical analysis of D-Shortiez's browser hijacking techniques]

This isn't accidental. They operate with what we observed as "very aggressive sustained bursts, and some breaks in between," indicating calculated campaign planning rather than opportunistic attacks. They exploit legitimate advertising networks to distribute their scams, so the creatives look like normal ads until the redirect fires and the user is trapped in the scam flow.

To avoid detection and increase clicks, D-Shortiez often uses stolen ad creatives—repurposing banners from real brands to make their scams look legitimate. This tactic helps them blend into authentic inventory and bypass visual filters.

Sample ads used by D-Shortiez

They also know which platforms are most vulnerable. We observed recent campaigns running through native ad networks like Outbrain, enabling them to reach wide audiences in premium environments before being flagged. Their ability to scale fast and exploit redirect loopholes shows a deep understanding of how digital advertising works—and how to weaponize it.

According to our Malvertising and Ad Quality (MAQ) Index 2024, forced redirects were among the top security violation categories, with a notable surge of forced redirect attacks occurring from late August to the end of September, demonstrating how threat actors like D-Shortiez have made this technique a cornerstone of their malicious campaigns.

The Impact on Digital Trust

The broader implications go beyond individual victims. D-Shortiez's operations represent how cybercrime is industrializing. They've created sustainable business models that exploit different victim demographics through technically sophisticated but operationally distinct campaigns, essentially becoming criminal entrepreneurs who diversify across fraud verticals.

This evolution has real consequences for digital trust. When sophisticated criminals can serve 300 million malicious impressions while adapting to security countermeasures, it signals that traditional approaches to online safety may not be enough.

The success of both operations also demonstrates how improvements in traditional fraud prevention drive criminal innovation. As phone-based scams face increased scrutiny through caller ID authentication and awareness campaigns, groups like D-Shortiez are developing browser-based attacks that exploit similar psychological vulnerabilities without requiring traditional infrastructure.

What You Can Do

The Reddit commenter's advice—"don't enter any sensitive details" and "stay safe online everyone"—is well-intentioned but insufficient against operations this sophisticated. Here's what actually works:

  1. Recognize the Patterns: Any unsolicited congratulations about search milestones, prizes, or computer problems should trigger immediate suspicion. Legitimate companies don’t operate this way.
    Action: If it feels suspicious, it probably is—don't engage. Stay skeptical of anything urgent, emotional, or too good to be true.
  2. Trust Your Browser. Then Shut It Down: If you can't easily close a webpage or use your back button, you're likely experiencing a forced redirect attack.
    Action: Force-quit your browser immediately. Do not call phone numbers or click buttons shown on scam pages. When you reopen the browser, do not restore the previous session, or the same page will load again.
  3. Verify Independently: If you receive urgent computer warnings, close the browser and contact support only through trusted, official websites.
    Action: Never trust tech support numbers in pop-ups. Always initiate contact yourself.
  4. Report and Warn Others: The Reddit community’s response—sharing screenshots and calling out scams—helps build awareness.
    Action:
    • Report incidents to the FTC at reportfraud.ftc.gov.
    • Post verified scam screenshots on forums like Reddit to help others recognize the threat.
    • Flag and report malicious ads or behavior to the platforms where you encountered them.
  5. Educate Those Around You: Tech support scams disproportionately affect older adults.
    Action: Take a moment to talk to a family member who may be vulnerable. Awareness is the best defense.
  6. For Security Teams and Platform Operators: D-Shortiez relies on legitimate infrastructure to deliver their attacks at scale.
    Action:
    • Download and integrate our IOCs into your detection workflows.
    • Audit your ad supply chain and demand transparency from partners.
    • Work with platform abuse teams to take down malicious infrastructure faster.

The Future of Digital Crime

D-Shortiez's evolution from browser hijackers to diversified fraud operators provides a preview of how digital crime is changing. As traditional security measures improve, criminal groups are becoming more sophisticated, more diverse, and more technically advanced.

The fact that a Reddit user had to explicitly warn people about an "obvious" scam—and that many commenters admitted they would have fallen for it—reveals how successful these psychological manipulation techniques have become.

Whether you encounter fake gift card celebrations or fabricated computer warnings, remember: both represent the same underlying threat. Sophisticated criminal enterprises have learned to industrialize fraud through technical innovation, psychological manipulation, and market segmentation that would impress legitimate businesses.

The confetti may be fake, and the virus warnings may be lies, but the criminal innovation behind them is devastatingly real—and getting more sophisticated every day.


Indicators of Compromise (IOCs):

(As of June 27, 2025)

Security teams can use these indicators of compromise (IOCs) to block D-Shortiez's malicious domains and protect their networks. We're sharing this threat intelligence to help the broader cybersecurity community defend against these specific criminal operations.

modanova[.]shop

mplanningtools[.]site

majorag[.]shop

aminerai[.]lol

currentboutique[.]online

crazydogtshirts[.]store

compressionsale[.]store

siksilkil[.]store

hunkemoller[.]store

cosplayshopper[.]store

pikolinos[.]site

pb7star[.]store

modavitawe[.]shop

propertyroom[.]store

ruelalala[.]store

caperobbin[.]store

outdazll[.]store

intimina[.]store

sasafishing[.]store

pat21[.]store

zylostyle[.]store

pinkon[.]store

rrobertgraham[.]store

ifchic[.]site

frmoda[.]store

shopdoubletake[.]shop

proozyy[.]store

boxlunch[.]shop

darntough[.]homes

oxilarnorthamerica[.]com

shefashion[.]homes

viruswarning0626us14x.z13.web.core.windows[.]net

viruswarning0624us02f.z13.web.core.windows[.]net

viruswarning0626us22x.z13.web.core.windows[.]net

viruswarning0626us04x.z13.web.core.windows[.]net

viruswarning0626us13a.z13.web.core.windows[.]net

viruswarning0625us01f.z13.web.core.windows[.]net

viruswarning0625us10a.z13.web.core.windows[.]net

viruswarning0624us16a.z13.web.core.windows[.]net
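As an added example (not Confiant's tooling, and not part of the original article), the script below shows one way a security team could operationalize this list in a detection workflow: it refangs the `[.]` notation, extracts hostnames from proxy log lines, matches them against the indicators with label-aware parent-domain matching (so `cdn.modanova.shop` matches but `notmodanova.shop` does not), and flags the naming pattern shared by the Azure static-site lockdown hosts as a hunting lead. The IOC subset is copied from the list above; the log lines, the log format and the hunting regex are constructed assumptions for illustration, and hunting hits should be reviewed rather than auto-blocked because the `z13.web.core.windows.net` suffix also hosts legitimate static sites.

```python
"""Match proxy-log hostnames against the defanged D-Shortiez IOC list.

Added example, not Confiant's code. The IOC subset is copied from the
published list; the log lines, log format and hunting regex are constructed
for illustration and are assumptions, not published signatures.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Subset of the defanged indicators from the published list (copied as-is).
DEFANGED_IOCS = """
modanova[.]shop
mplanningtools[.]site
oxilarnorthamerica[.]com
darntough[.]homes
viruswarning0626us14x.z13.web.core.windows[.]net
viruswarning0624us02f.z13.web.core.windows[.]net
"""

# Hunting rule (assumption derived from the naming pattern in the list, not a
# published signature): every lockdown host follows
# viruswarning<MMDD>us<NN><letter>.z13.web.core.windows.net.
# A hit here that is NOT in the exact list is a lead to review, not a block.
HUNT_PATTERN = re.compile(
    r"^viruswarning\d{4}us\d{2}[a-z]\.z13\.web\.core\.windows\.net$"
)


def refang(indicator: str) -> str:
    """Turn 'example[.]com' into 'example.com', lower-cased and stripped."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def load_iocs(text: str) -> set[str]:
    """Parse one defanged indicator per line into a set of real hostnames."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def host_from_log_line(line: str) -> str | None:
    """Extract the host from a constructed proxy log line of the form
    '<timestamp> <client-ip> <method> <url-or-host:port> <status>'.
    Returns None when the line does not fit that shape."""
    parts = line.split()
    if len(parts) < 4:
        return None
    url = parts[3]
    if "://" not in url:
        url = "http://" + url  # CONNECT lines carry only host:port
    host = urlsplit(url).hostname
    return host.lower() if host else None


def classify_host(host: str, iocs: set[str]) -> str | None:
    """Return 'exact', 'subdomain', 'hunt', or None for a clean host.

    Parent-domain matching walks label by label, so 'a.b.modanova.shop'
    matches 'modanova.shop' but 'notmodanova.shop' does not, and a bare
    public suffix such as 'shop' is never tested on its own."""
    if host in iocs:
        return "exact"
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in iocs:
            return "subdomain"
    if HUNT_PATTERN.match(host):
        return "hunt"
    return None


def scan_log(lines: list[str], iocs: set[str]) -> list[tuple[str, str]]:
    """Return (host, verdict) pairs for every log line that matches."""
    alerts = []
    for line in lines:
        host = host_from_log_line(line)
        if host is None:
            continue
        verdict = classify_host(host, iocs)
        if verdict:
            alerts.append((host, verdict))
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2025-06-27T14:02:11Z 10.0.0.12 GET https://news.example.com/ 200",
    "2025-06-27T14:02:13Z 10.0.0.12 GET https://cdn.modanova.shop/lander.html 302",
    "2025-06-27T14:02:14Z 10.0.0.12 CONNECT oxilarnorthamerica.com:443 200",
    "2025-06-27T14:02:15Z 10.0.0.12 GET https://viruswarning0626us14x.z13.web.core.windows.net/index.html 200",
    "2025-06-27T14:03:40Z 10.0.0.31 GET https://viruswarning0627us05b.z13.web.core.windows.net/ 200",
    "2025-06-27T14:03:41Z 10.0.0.31 GET https://docs.example.com/guide 200",
    "malformed line",
]

if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"{verdict:10s} {host}")
```

To use it against real data, replace `DEFANGED_IOCS` with the full list above and adapt `host_from_log_line` to your proxy's log format; the exact and subdomain verdicts are safe to feed a blocklist, while hunt verdicts belong in a review queue.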

Article Sources:

  • Confiant security research: "Malvertiser D-Shortiez abuses WebKit back button hijack in forced-redirect campaign" (February 2023).
  • Federal Trade Commission: Consumer fraud and gift card scam data (2023–2024).
  • FBI Internet Crime Complaint Center: Elder Fraud Report (2023) and Internet Crime Report (2024).
  • Reddit community discussions (r/notinteresting).