Hot Sale 2025: Fake Pages from Aurrera, Suburbia, Liverpool and More

Shopping online during big events like the Hot Sale can feel like winning the lottery: irresistible discounts, fast shipping and all at the click of a button. But just when you think you've found the perfect deal, you could be falling into a carefully designed trap.

The Hot Sale 2025, which runs from May 26 to June 3, has been the target of a sophisticated digital phishing campaign. At least 728 fake websites were recently detected, all hosted on a single IP address, imitating official stores such as Aurrera, Suburbia and Pop Mart, among many others.

Behind this operation would be a group possibly of Chinese origin, which would have deployed this network with the aim of stealing banking data from unsuspecting consumers. All this happens in the middle of one of the most vulnerable seasons for cyber fraud.

Hot Sale 2025 Fake Pages: Cloned Stores Like Suburbia and Steve Madden

The scope of the fraud was not minor. The fake sites not only used similar names, they also copied the design, colors and even the communication style of well-known brands in Mexico. They literally looked like the official sites.

The impersonated brands ranged from department stores such as Suburbia, Liverpool or Coppel, to fashion brands, sports shoes and even soccer clubs. In total, attempts to clone at least 27 companies were identified, including:

1. Suburbia
2. Bodega Aurrera
3. Flexi
4. Liverpool
5. InnovaSport
6. Cuadra
7. Walmart
8. Taf Sneaker
9. Coppel
10. Original Penguin
11. Rainnys
12. Team Pro Standards
13. Price Shoes
14. Sodimac
15. Prada
16. Regina Romero
17. Steve Madden
18. Timberland
19. Toluca FC
20. Pirma / Pinda
21. Perrísimo
22. Pop Mart
23. SMSALE
24. The Body Shop
25. Udiscover

Yes, even luxury and sports brands fell into this impersonation ring. If any of these stores sound familiar to you (and I'm sure they do), it's likely that the scammers have also thought of you as a possible victim. So, be careful with the sites you visit and even more so with those that offer you "everything at 80% off for a limited time".

Read more: Scam Designs: How Hackers Use UX/UI to Trick You

How do the fake Hot Sale 2025 pages operate?

These fake pages are not just any makeshift attempt. They are so well done that at first glance they look real. They copy everything: logos, products, payment methods, colors and even privacy policies. All in an attempt to gain your trust. But the trick is at the key moment: just when you enter your card details, you get an error like “Call bank for authorize”, and that's where they get you. Although you think nothing happened, in reality, your information has already been sent to the attackers' servers.

Experts who analyzed the source code of several of these pages discovered connections to domains such as seirennr.com, which act as the “brain” where all the stolen information is stored. Many of these domains were registered very recently, between April and May 2025, and they share something in common: they are registered through DNS providers in China, specifically HiChina, a company that is part of Alibaba Cloud.

And this is all coming from China?

It looks like it is. The DNS servers are in China and the Whois records (which tell who created a domain) are written in Mandarin. This reinforces the idea that the group behind this scam operates from Asia and has probably done it before.

To make it even more believable, many of these fake pages include completely bogus “privacy notices”. And to top it off, the system is automated: they can create new sites in minutes using any popular brand name. It's like having a fake store factory.

In addition, they use services like Cloudflare to hide the real IP of their servers. This makes tracking them down much more difficult. Some of these sites don't even stick to a single brand: a page that at first pretended to be InnovaSport then redirected to a fake Panam store. In other words, they change their target depending on what is in fashion during the Hot Sale.

They simulate real payments to steal your data: This is how fake pages operate

During some tests carried out on these fake sites, it was found that they simulate everything as if it were a real purchase. When you type in your card details (even if they are made up), the site acts as if it is processing the payment: a timer appears saying “cart reserved” and familiar logos such as Visa, MasterCard, PayPal, Oxxo and SPEI are displayed. All of this is designed to make you think you are on a secure site and steal your information without you realizing it.