Here are some tips on how to avoid visiting fake and fraudulent websites while shopping on Google

Stay safe while shopping online. Learn practical tips to avoid fake and fraudulent websites on Google and protect yourself from scams.


First, let's take the "Toro 60V Max 22 in. Recycler Personal Pace Mower" as an example.

Those marked "Fake" are fake. Why?

Let's analyze the product links:

https://www.google.com/aclk?sa=L&ai=DChsSEwjDz6-4t_6QAxX3EkQIHa9zLxMYACICCAEQGRoCZHo&co=1&ase=2&gclid=CjwKCAiA8vXIBhAtEiwAf3B-g5hWW8PIh5nxZdy0lFlNFLQhe-PNh4K5vCXV-hnzAux3o0NhSni5rhoCoAkQAvD_BwE&cid=CAASugHkaM1WgIzxdI1FQUOt9U85kX3QHCvf_QQETqNNGlE_6O5EXSMesInX5HxfEYGQcGytd3YehYO8b5fjFzpYZeOX5h1niF_1jA4slWVvyTBSqzRYz3DoJ2qDDuzsPLxCYpWgAf3C48LnKT5Vu79WNbZBMx7nu55WyiGxYtMz-65OFYD1z-xnh0yQ7vRg0qSTaXTJ55_FArsZQZ6hhrEk_LwwDz66PLcnCzvAA-kCd9McS4Dfb20uxFesWxc&cce=2&category=acrcp_v1_32&sig=AOD64_3tEmr6-OPV2qnnN7z51v0_qacWzA&ctype=5&q=&nis=4&ved=2ahUKEwjZtKm4t_6QAxUXN0QIHZwSGXEQ9aACKAB6BAgGECI&adurl=

This is the ad's click-tracking link, which is what we get when we click the listing.

https://senturacoffees.com/product/toro-60v-max-22-in-recycler-personal-pace-mower/?utm_term=&utm_campaign=&utm_source=adwords&utm_medium=ppc&hsa_acc=4222849201&hsa_cam=23226608157&hsa_grp=188296432276&hsa_ad=782677652065&hsa_src=g&hsa_tgt=pla-293946777986&hsa_kw=&hsa_mt=&hsa_net=adwords&hsa_ver=3&gad_source=1&gad_campaignid=23226608157&gbraid=0AAAAABU98A9nDJnuPJIiqPY4N-IBWPuxm&gclid=CjwKCAiA8vXIBhAtEiwAf3B-g5hWW8PIh5nxZdy0lFlNFLQhe-PNh4K5vCXV-hnzAux3o0NhSni5rhoCoAkQAvD_BwE

The landing page does not redirect anywhere; the site runs on WordPress.

Question 1: Why doesn't it redirect?

Answer: If there's no redirect and the price is lower than normal, it's 100% a fraudulent or phishing website.

Question 2: How did it pass Google Merchant Center's review?

Answer: They didn't use senturacoffees.com to apply for a Google Merchant Center account. They used a different account. I spent some time finding the domain they used: senturacoffee.com. Yes, you read that right: the fake domain simply adds an 's', so senturacoffee.com became senturacoffees.com.

Note that Figure 1 shows a legitimate website applying for a Google Merchant status, while Figure 2 shows a fake website.

Furthermore, the website is named "Sentura Coffee," but it doesn't sell coffee-related products; instead, it sells high-priced tools, appliances, and other similar items. This is a red flag.
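The domain comparison above can be mechanised. The following is an added example, not code from the original post: it takes the merchant's registered domain and the ad's landing URL as constructed inputs (MERCHANT_DOMAIN, LANDING_URL, classify_landing and the helper functions are my own names) and reports whether the landing domain is the merchant's own, a lookalike within a couple of character edits, or an unrelated domain. It generalises the single added 's' to any small edit, including a TLD swap.

```python
from urllib.parse import urlsplit

# Constructed sample: the domain the post says was used for the Google Merchant
# Center application, and the landing URL the ad actually sent the browser to.
MERCHANT_DOMAIN = "senturacoffee.com"
LANDING_URL = ("https://senturacoffees.com/product/"
               "toro-60v-max-22-in-recycler-personal-pace-mower/?utm_source=adwords")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one inserted letter (the added 's') is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_landing(landing_url: str, merchant_domain: str, max_distance: int = 2) -> str:
    """Compare the registrable domain the ad lands on with the merchant's registered domain."""
    landing = registrable_domain(urlsplit(landing_url).hostname or "")
    merchant = registrable_domain(merchant_domain)
    if landing == merchant:
        return "match"
    # Compare the second-level labels only, so that swapping .com for .shop
    # cannot disguise an otherwise identical name.
    distance = levenshtein(landing.split(".")[0], merchant.split(".")[0])
    if distance <= max_distance:
        return f"lookalike (edit distance {distance})"
    return "different domain"


if __name__ == "__main__":
    print(classify_landing(LANDING_URL, MERCHANT_DOMAIN))
```

The merchant domain is the input a buyer usually cannot see; in practice it comes from the seller details Google shows for the listing, and the check is only as good as that source.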

This is the first fake website.

Next, we will analyze the second fake website.

www.harrellamb.com

When we click:

https://www.google.com/aclk?sa=L&ai=DChsSEwjDz6-4t_6QAxX3EkQIHa9zLxMYACICCAEQMBoCZHo&co=1&ase=2&gclid=CjwKCAiA8vXIBhAtEiwAf3B-g0WKGD_pqXRB5_Kif8R-IiRTGexSQDmV5sigMk5JohJrmdw7C9_qrxoCzfcQAvD_BwE&cid=CAASugHkaM1WgIzxdI1FQUOt9U85kX3QHCvf_QQETqNNGlE_6O5EXSMesInX5HxfEYGQcGytd3YehYO8b5fjFzpYZeOX5h1niF_1jA4slWVvyTBSqzRYz3DoJ2qDDuzsPLxCYpWgAf3C48LnKT5Vu79WNbZBMx7nu55WyiGxYtMz-65OFYD1z-xnh0yQ7vRg0qSTaXTJ55_FArsZQZ6hhrEk_LwwDz66PLcnCzvAA-kCd9McS4Dfb20uxFesWxc&cce=2&category=acrcp_v1_32&sig=AOD64_13lst4lfhc3f8BzdKyWJZ4g8M7IQ&ctype=5&q=&nis=4&ved=2ahUKEwjZtKm4t_6QAxUXN0QIHZwSGXEQ9aACKAB6BAgGEE0&adurl=

This is the URL that appears once you land on the site:

https://www.harrellamb.com/products/toro-self-propelled-gas-lawn-mower-22-in-honda-engine-high-wheel-variable-speed_07a3e21c?currency=USD&variant=42819383263268&utm_source=google&utm_medium=cpc&utm_campaign=Google%20Shopping&stkn=2ea143a06a66&gad_source=1&gad_campaignid=22850772606&gbraid=0AAAABAx0qnQj6nI2NgIwglZPlAafmZWVw&gclid=CjwKCAiA8vXIBhAtEiwAf3B-g0WKGD_pqXRB5_Kif8R-IiRTGexSQDmV5sigMk5JohJrmdw7C9_qrxoCzfcQAvD_BwE

Then you will be redirected to another website.

https://zhdfosua.shop/products/toro-self-propelled-gas-lawn-mower-22-in-honda-engine-high-wheel-variable-speed_07a3e21c

Of course, if we access the product URL directly, without the ad parameters: https://www.harrellamb.com/products/toro-self-propelled-gas-lawn-mower-22-in-honda-engine-high-wheel-variable-speed_07a3e21c

It won't redirect.

The redirection code lives on the product page itself; here is what I found:

<!-- Hidden form that posts the product id (spu) to a third-party domain -->
<form name="products_href" method="POST" style="display:none" action="https://get.xcoachest.com/gw/upSpu/">
  <input type="hidden" name="spu" value="7998823989284">
</form>
<script>
  // Read the product id from the hidden input
  const spuValue = document.querySelector('input[name="spu"]').value;
  // Ask the third-party API whether this visitor should be sent on
  fetch('https://get.xcoachest.com/gw/getIP/', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({ spu: spuValue })
  })
  .then(response => {
    if (!response.ok) throw new Error(`HTTP error! status: ${response.status}`);
    return response.json();
  })
  // Only when the API answers code 100 is the hidden form submitted,
  // which navigates the browser away from this page
  .then(data => data.code === 100 && document.forms.products_href.submit())
  .catch(error => console.error('Fetch error:', error));
</script>

Summary of this code's function:

After the page loads, the JavaScript will read the value of `<input name="spu">` (e.g., 7998823989284).

It will then use a fetch POST request to the API:

https://get.xcoachest.com/gw/getIP/

If the API returns JSON, and `code === 100`, it will automatically submit a hidden form to:

https://get.xcoachest.com/gw/upSpu/

The form submission will pass a `spu` field.

The logic amounts to "ask the API, and depending on its answer, submit the form or stay on the page".
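The two checks described above, visiting the URL without the ad parameters and inspecting the page for a hidden off-site form with a script-driven submit, can be scripted. The Python below is an added example, not the fraud site's code and not the author's: strip_click_params produces the URL a direct visitor would use (without gclid, gad_source, gbraid and the utm_/hsa_ parameters seen in the links above), and scan_for_cloaking runs over a constructed copy of this page's form and script, flagging a hidden form whose action is on another host, a fetch to an off-site API, and a call to submit(). SAMPLE_HTML, the function names and the verdict strings are my own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample landing page: the hidden form and script quoted above,
# wrapped in a minimal document so the scanner has something to parse.
SAMPLE_HTML = """<html><body>
<h1>Toro Self Propelled Gas Lawn Mower 22 in</h1>
<form name="products_href" method="POST" style="display:none" action="https://get.xcoachest.com/gw/upSpu/">
  <input type="hidden" name="spu" value="7998823989284">
</form>
<script>
  const spuValue = document.querySelector('input[name="spu"]').value;
  fetch('https://get.xcoachest.com/gw/getIP/', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ spu: spuValue })
  })
  .then(response => response.json())
  .then(data => data.code === 100 && document.forms.products_href.submit());
</script>
</body></html>"""

# Ad-click identifiers seen in the URLs above; a direct visitor's URL carries none of them.
CLICK_PARAMS = {"gclid", "gad_source", "gad_campaignid", "gbraid"}
CLICK_PREFIXES = ("utm_", "hsa_")


def strip_click_params(url: str) -> str:
    """Return the URL a direct visitor would use, without the ad-click identifiers."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in CLICK_PARAMS and not k.startswith(CLICK_PREFIXES)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class _PageCollector(HTMLParser):
    """Collect forms, inputs and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms, self.inputs, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "form":
            self.forms.append(attributes)
        elif tag == "input":
            self.inputs.append(attributes)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_for_cloaking(html: str, page_url: str) -> dict:
    """Flag the pattern seen above: hidden form posting off-site, gated by an off-site fetch, auto-submitted."""
    collector = _PageCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname or ""

    hidden_offsite_forms = []
    for form in collector.forms:
        style = (form.get("style") or "").replace(" ", "").lower()
        # A relative or missing action posts back to the page's own host.
        action_host = urlsplit(form.get("action") or "").hostname or page_host
        if "display:none" in style and action_host != page_host:
            hidden_offsite_forms.append((form.get("name"), action_host))

    script = "\n".join(collector.scripts)
    fetch_hosts = {urlsplit(u).hostname for u in re.findall(r"""fetch\(\s*['"]([^'"]+)['"]""", script)}
    offsite_fetch_hosts = sorted(h for h in fetch_hosts if h and h != page_host)
    auto_submit = ".submit()" in script
    spu = next((i.get("value") for i in collector.inputs if i.get("name") == "spu"), None)

    if hidden_offsite_forms and auto_submit:
        verdict = "likely cloaking"
    elif hidden_offsite_forms or offsite_fetch_hosts:
        verdict = "review manually"
    else:
        verdict = "no cloaking pattern found"
    return {"hidden_offsite_forms": hidden_offsite_forms, "offsite_fetch_hosts": offsite_fetch_hosts,
            "auto_submit": auto_submit, "spu": spu, "verdict": verdict}


if __name__ == "__main__":
    print(scan_for_cloaking(SAMPLE_HTML, "https://www.harrellamb.com/products/example"))
```

The scanner is deliberately static: it never issues the fetch or the form post, so the third-party API sees nothing. Because the redirect decision is made server-side per visitor, fetching the page twice, once with the ad parameters and once with the output of strip_click_params, and comparing the final host is the behavioural counterpart of this check.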

Potential Risks and Issues Analysis

1. Sending the fetch body as `application/x-www-form-urlencoded` is fine, but the backend must accept it.

The code sets the request header as:

headers: {
  'Content-Type': 'application/x-www-form-urlencoded'
}
The server must correctly parse `application/x-www-form-urlencoded`, otherwise it will receive empty parameters.

If the backend is written in PHP or Java and expects multipart form-data, the request will fail.

2. Cross-Origin Resource Sharing (CORS) may cause the fetch request to fail.

When accessing `https://get.xcoachest.com` in the browser, the target server must return:

`Access-Control-Allow-Origin: *`

or specify your domain

Otherwise, the request will be blocked by the browser and will not be sent at all.

The error you see might be:

`CORS policy: No 'Access-Control-Allow-Origin'`

The most common failure for code like this is a cross-origin block.

3. Automatic form submission will cause a "POST page redirect," which may affect user experience.

The browser navigates to the upSpu URL, so the visitor leaves the page the moment the data is submitted.

If your intention is simply to count clicks, you should use fetch instead of form submit.

These are the methods I currently know for avoiding fake websites when shopping on Google, but scammers may update their methods at any time, so I can't guarantee these tips will keep working.

These are things that Chinese people are doing. I don't know if I'll face retaliation for revealing this, but I still want to say it.
