
Nearly 9 million people were targeted in a phishing campaign impersonating UK retail giant Boots, offering free gifts and customer rewards to steal personal and financial information from unsuspecting consumers.
- Nearly 9 million people were targeted in a large phishing scam impersonating Boots, using fake customer survey/free gift emails to steal personal details and payment card information.
- The attackers made the campaign harder to detect by personalizing each email and hosting the fake Boots page on a hacked Bolivian government website, which gave the scam more credibility.
- Researchers believe the operation was run by Romanian-speaking threat actors and found it wasn’t limited to Boots – they were also rotating scams themed around HMRC and Solana, showing a broader, organized fraud campaign.
The aim of the scam appears to be to get victims’ personal and payment card details.
The same threat actor was also running campaigns on rotation that involved impersonating the UK tax office, HMRC, and the US-based blockchain firm Solana.
The fake Boots site was hosted on a compromised Bolivian government website, which seems random but enabled scammers to benefit from the trust and reputation associated with an established public-sector domain.
The operation, uncovered by cybersecurity firm Huntress, was discovered after attackers – believed to be from Romania – compromised a customer’s business server and used it to stage a large-scale email campaign.
Huntress recovered the attackers’ full staging directory and found six mailing lists containing a combined 8,894,920 email addresses, making it one of the largest consumer-focused phishing operations exposed in recent months.
Lure of the free gift
In the case of the Boots campaign, the emails masqueraded as customer satisfaction surveys from the UK pharmacy and beauty chain, which offered a free gift on completion.
This would appeal to many UK shoppers, as the Boots Advantage Card – one of the first loyalty schemes of its type, with over 17 million users – helps keep the prices of beauty and pharmacy goods reasonable for customers, while also offering discounts, extra points and exclusive offers.
The Advantage scheme itself was hacked in 2020, leading to a data breach of customer information and a temporary suspension of the card's usage.
Each message included personalized details such as the recipient's email address and a unique reference number generated specifically for that target.
According to Huntress security operations analyst Josh Kiriakoff, because no two recipients receive identical subjects, the messages are more likely to evade any basic anti-phishing filter that clusters identical messages.
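The filter-evasion point above has a defender-side counterpart: before clustering, strip the per-recipient tokens (addresses, reference numbers) so the personalized variants collapse back to one template. The following is an added illustration, not code from the article or from Huntress, and the sample messages are constructed, modelled only on the personalization the article describes.

```python
import re
from collections import defaultdict
from hashlib import sha256

# Constructed sample subjects/bodies (not real campaign data): three personalized
# variants of one lure plus one unrelated message.
SAMPLE_MESSAGES = [
    ("Your Boots reward is waiting, alice@example.com (Ref: BT-48213-QX)",
     "Dear alice@example.com, complete our survey to claim your gift. Reference BT-48213-QX."),
    ("Your Boots reward is waiting, bob@example.org (Ref: BT-91877-LM)",
     "Dear bob@example.org, complete our survey to claim your gift. Reference BT-91877-LM."),
    ("Your Boots reward is waiting, carol@example.net (Ref: BT-33052-ZA)",
     "Dear carol@example.net, complete our survey to claim your gift. Reference BT-33052-ZA."),
    ("Invoice 2291 attached", "Hi team, the March invoice is attached."),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Reference-number style tokens: upper-case/digit groups joined by dashes, containing a digit.
REF_RE = re.compile(r"\b(?=[A-Z0-9-]*\d)[A-Z0-9]+(?:-[A-Z0-9]+)+\b")
NUM_RE = re.compile(r"\d+")

def normalize(text: str) -> str:
    """Replace per-recipient tokens with placeholders so variants share one template."""
    text = EMAIL_RE.sub("<EMAIL>", text)
    text = REF_RE.sub("<REF>", text)
    text = NUM_RE.sub("<NUM>", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def template_id(subject: str, body: str) -> str:
    """Stable id for the normalized subject+body template."""
    return sha256(f"{normalize(subject)}\n{normalize(body)}".encode()).hexdigest()[:16]

def cluster(messages):
    """Group messages by template id; returns {template_id: [original subjects]}."""
    clusters = defaultdict(list)
    for subject, body in messages:
        clusters[template_id(subject, body)].append(subject)
    return dict(clusters)

def exact_cluster_count(messages) -> int:
    """Baseline: exact-subject clustering, which personalization defeats."""
    return len({subject for subject, _ in messages})

if __name__ == "__main__":
    print("exact-match clusters:", exact_cluster_count(SAMPLE_MESSAGES))
    for tid, subjects in cluster(SAMPLE_MESSAGES).items():
        print(tid, len(subjects), "message(s)")
```

With the sample input, exact-subject matching sees four distinct messages while normalized clustering groups the three personalized lures into a single template alongside the one unrelated message.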
To claim the reward, victims were asked to provide a range of sensitive information, including their full name, email address, date of birth, phone number, and home address.
Kiriakoff claims that the subsequent payment page was designed to harvest credit and debit card details.
HMRC and Solana campaigns
According to Kiriakoff, samples from the mailing lists revealed a broad international mix of consumer email accounts spanning providers such as Gmail, Hotmail, Yahoo, and numerous regional services.
The Boots campaign was “simply the job loaded” when the researchers gained visibility into the phishing kit, and other campaign folders included HMRC and Solana cryptocurrency, suggesting the criminals were likely rotating through multiple UK-focused fraud themes, including retail, tax and crypto lures.
The analyst said the mailing lists resembled the kind of bulk databases routinely bought and sold in cybercriminal circles.
“We hit the UK hard”
Kiriakoff suggested that the operation was run by a Romanian-speaking threat actor, a conclusion which was reached through “tradecraft, rather than geography.”
Campaign files included a project named dracii (“the devils” in Romanian). The staging directory on the compromised server was labeled “dam pe uk puterniiicccc”, slang that roughly translates to “We hit the UK hard.”
Huntress added that Romanian-style project names, folders, recipient list labels, and source IP addresses all pointed in the same direction.
The South American connection
Victims who clicked the links were directed to a fake Boots website hosted on a compromised language and culture website owned by the Bolivian government.
Kiriakoff described the use of the government website as intentional, noting that trusted domains are often less likely to trigger automated security warnings.
“The actor had broken into this government site and planted their phishing kit in a /boots_store/ subdirectory.
“This is a deliberate, and depressingly effective, choice. A freshly registered boots-rewards-uk[.]xyz trips domain age heuristics, reputation scoring, and blocklists on day one.
“Compromising someone else's trusted site is cheaper for the attacker than building their own.”
Although Huntress did not disclose how many people may have fallen for the scam, the scale of the campaign points to the risks consumers face from increasingly sophisticated phishing operations.
After identifying the phishing infrastructure, Huntress notified the affected domain and Bolivia's national CSIRT, the Centro de Gestión de Incidentes Informáticos (CGII).