Social Engineering Tactics: Flipkart Sale Scam Looks to Victimize Holiday Shoppers

Flipkart sale scams target holiday bargain hunters by using a fraudulent clone of the e-commerce giant’s checkout environment.

By Aarsh Jawa

October 24, 2025

Threat actors are pushing Flipkart-themed product listings that redirect mobile visitors off-site to UPI/QR-based payment pages, such as PhonePe, Paytm, and GPay.

The checkout looks legitimate and even shows a beneficiary name, but it’s a scam, and payments made off the platform are extremely hard to recover. The kit deliberately serves only mobile user-agents and redirects desktops to Google to avoid automated analysis.

With the holiday shopping season heating up, shoppers hunting “crazy sale” deals are being targeted by a polished-looking Flipkart clone. A product page advertises an unbelievable discount; clicking Buy takes the victim to a payment page outside Flipkart that accepts UPI apps or shows a QR code and beneficiary name. Victims believe they’re paying for a marketplace order, but the money goes directly to a scammer.

What makes the Flipkart social engineering campaign notable

Flipkart is an e-commerce giant based in India. Some of the Flipkart scam sites serve content only to mobile user agents and redirect desktop browsers to Google. That makes automated scanners and many analysts miss the fraud.

Example JavaScript used in some pages:

<script>
if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
  // mobile: serve scam
} else {
  // desktop: redirect away
  window.location.href = "http://www.google.com";
}
</script>

  • Instead of using Flipkart’s payment flow, victims are shown payment options (PhonePe / Paytm / Google Pay / UPI) and a QR code, with funds transferred directly to the beneficiary.
  • Social engineering + urgency: fake “festival” or “big billion” sale language creates urgency and bypasses skepticism.
  • Visible scam artifacts: some pages display a beneficiary name, signaling the payment is going to a person, not Flipkart’s merchant account.
  • Use of static hosting & typosquatting: pages hosted on services like pages.dev, netlify.app, or .shop/.top/.icu domains using Flipkart-like misspellings.

Why this matters now

Holiday sales drive high search volume and ad clicks, so scammers increase their activity during these periods to maximize the number of victims. Off-site payments bypass marketplace protections, including seller verification and buyer protection, making UPI/IMPS transfers nearly irreversible.

Strategic evasion (mobile-only serving) reduces detection by automated scanners, takedown platforms, and desktop-focused analysts.

Technical indicators & IOCs

Sample malicious domains observed


Behavioral and HTML/JS indicators

  • Presence of a script checking navigator.userAgent and redirecting non-mobile devices to benign pages (e.g., Google).
  • Checkout flow that immediately redirects to a different domain (not flipkart.com or its official endpoints).
  • Payment page containing:
    • QR image for UPI payment,
    • Plain text beneficiary name (a person’s name),
    • UPI/PhonePe/Paytm/GPay icons but no official order or merchant ID.
  • Misspelled brand names or domains using extra characters or uncommon TLDs.
  • Referer headers showing a Flipkart-like page but ending up on pages.dev, netlify.app, .shop, .icu, .top, etc.
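
The indicators above can be combined into a static triage pass over a captured page. The following is an added example, not code from Doppel or from the scam kit: the function names, the edit-distance threshold, and the sample hostname and HTML are all constructed assumptions.

```javascript
// Added example: constructed inputs; names and thresholds are assumptions.
const OFFICIAL = "flipkart.com"; // legitimate domain named in the article
const BRAND = "flipkart";
const WATCHED = [".pages.dev", ".netlify.app", ".shop", ".icu", ".top"];

// Levenshtein distance, to catch misspellings of the brand in hostname labels.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// True if any single <script> body both sniffs a mobile UA and navigates away.
function hasUaGatedRedirect(html) {
  const scripts = html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi);
  const redirect = /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(/;
  for (const [, body] of scripts) {
    const sniffs = /navigator\.userAgent/.test(body) && /Android|iPhone|IEMobile|Opera Mini/i.test(body);
    if (sniffs && redirect.test(body)) return true;
  }
  return false;
}

// Returns the list of indicators a captured page matches; empty for official hosts.
function triage(url, html) {
  const host = new URL(url).hostname.toLowerCase();
  if (host === OFFICIAL || host.endsWith("." + OFFICIAL)) return [];
  const hits = [];
  if (WATCHED.some((s) => host.endsWith(s))) hits.push("watched-hosting-or-tld");
  const lookalike = host.split(/[.-]/).some(
    (t) => t.includes(BRAND) || (t.length >= 6 && editDistance(t, BRAND) <= 2));
  if (lookalike) hits.push("brand-lookalike-host");
  if (hasUaGatedRedirect(html)) hits.push("ua-gated-redirect");
  if (/\b(?:UPI|PhonePe|Paytm|GPay|Google Pay)\b/i.test(html)) hits.push("upi-terms-off-platform");
  return hits;
}
// Constructed sample capture (not a real page or domain from the campaign).
const SAMPLE_HTML = `<script>
if (/Android|iPhone|Opera Mini/i.test(navigator.userAgent)) { /* render */ }
else { window.location.href = "http://www.google.com"; }
</script><img src="qr.png"><p>Pay with PhonePe / Paytm / UPI</p>`;
console.log(triage("https://flipkrt-festive-deal.pages.dev/checkout", SAMPLE_HTML));
```

User-agent checks and UPI wording also appear on legitimate sites, so treat each hit as one signal and prioritize pages that match several at once. Because the kit redirects desktop browsers, the HTML should be captured with a mobile user agent before it is scanned.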

Practical guidance for users

  1. Don’t pay. If redirected off the official site or app for payment, stop immediately.
  2. Use the official app or bookmarked site. Flipkart’s legitimate domain is flipkart.com. Prefer the official app or saved bookmarks.
  3. Verify seller & payment flow. Legitimate marketplaces never ask for direct UPI transfers outside their platform.
  4. Capture evidence. If you encounter such a page, screenshot:
    • The listing page URL,
    • The final payment page URL,
    • The QR code and visible beneficiary name,
    • Any seller/phone/contact info shown.
  5. If you paid: Contact your bank or UPI provider immediately to raise a dispute and provide all details.
  6. Report phishing: Report to Flipkart’s fraud team, the hosting provider (pages.dev/netlify), and local cybercrime or consumer protection authorities.
