As Black Friday (and Cyber Monday) approaches, the annual online sales phenomenon shows no sign of slowing down, and neither do cybercriminals looking to take advantage of the busiest shopping days of the year.
The kick-off to holiday shopping, much of which has become digital, represents a massive opportunity for cybercriminals seeking to exploit the surge in online activity. Shoppers are primed to expect hard-to-believe online bargains that they might be more suspicious of outside Black Friday/Cyber Monday.
As of the end of October 2023, Netcraft’s research has identified a staggering 135% increase in fake retail sites blocked compared to October last year, on top of an increase of 63% over October the previous year, conveying that the annual increase more than doubled in the last 12 months over already alarming growth.
In this review, we’ll look at prominent fake retail sites identified by Netcraft and the techniques cybercriminals use to trick users and ultimately impact brand credibility and reputation.
Claiming to offer highly discounted goods, fake online shops either impersonate the websites of luxury brands and established retailers or operate across multiple brands. These properties are often a front to capture payment details (and other sensitive information). The details shoppers submit can be used directly or sold to other cybercriminals. Any goods that end up being delivered – many are not – are likely to be counterfeit.
With so many genuine sites offering significant discounts on actual products, it’s easy to see why cybercriminals exploit Black Friday and Cyber Monday themes. Here are a few examples of fake retail sites we’ve detected, starting with a site that targets US home improvement retailer Lowe’s.
Figure 1: Fake shop with ‘Black Friday’ promotion, targeting US retailer Lowe’s.
As expected, cybercriminals change their tactics to coincide with newsworthy and retail events to make the fake shops more convincing. The following example shows how a fake shop targeting online retailer Rakuten was adapted to include a Black Friday Banner.
Figure 2: Fake shop targeting Rakuten shown in August (above) and November, including the ‘Black Friday’ promotion.
These fake retail sites include copies of the spoofed site’s authentic logos, trademarks, and products to make the scam more convincing, but that’s not the only technique cybercriminals use. They also host fake retail sites on deceptive domains. This typically involves registering a domain name that is deceptively similar to another (usually well-known) organization. Once again, the aim is to trick users into believing they are interacting with a trustworthy website.
The following example shows how domain spoofing and website impersonation are combined to create a fake shop that targets premium shoe retailer Vionic. The first two images are fake shops that capitalize on Black Friday events. You can see how closely these align with the bottom image used to promote Vionic’s Black Friday deals on the genuine Vionic website last year.
Figure 3: Fake shops hosted at vionicsneakersnederland.com (top), vionicskonorge.com (middle), and genuine Vionic branding (bottom).
Both fake retail sites use promotional images from Vionic’s legitimate Black Friday promotion from the previous year. If we look at the domains used to host the illegitimate websites:
- The top site (vionicsneakersnederland.com) is aimed at users in the Netherlands.
- The middle site (vionicskonorge.com ) is aimed at users in Norway.
This is a common tactic, with cybercriminals registering deceptive domain names to imply (in this case) that they are authorized suppliers within different geographies.
It’s also worth noting that not all fake retail sites will be replicas of recognizable brands or online shops described so far. Many will be generic, unbranded, online retail sites, with criminals hoping that the huge discounts on offer – usually for luxury goods – will be enough to tempt shoppers in search of a bargain.
As the above examples demonstrate, spotting individual fake shops as a consumer can be difficult. However, there are best practices to identify counterfeit sites at scale.
Here, you’ll find some, but certainly not all, of the indicators Netcraft uses to gain confidence before blocking a fake retail site in its threat intelligence feeds and before taking down such an attack on behalf of a customer include:
1. Are the prices too good to be true? Fake shops often offer extreme 50% to 95% discounts, showing an imaginary old (possibly inflated) price striked out. This can be a very good signal for brands that rarely offer legitimate discounts.
2. Does the shop provide contact details in terms of a geographic location or a phone number? The absence of these is a clear indicator of malicious intent, as is the presence of generic and templated content in the ‘about us’ section, which often includes text that could be used for any organization (‘We are proud of the quality and consistency of the product and service provided to our customers and we are here to make your online shopping experience excellent’).
3. How is the site promoted? Fake shops will often include social media icons, but they either won’t contain links or will link to a fraudulent profile.
4. How professional is the page design? Fake retail sites rarely duplicate the brand exactly; they usually insert a well-known logo into a predesigned template of the cybercriminal’s choosing. Another indicator is ‘brand mismatching,’ where (for example) a fake shop that’s supposed to be selling electrical goods includes Nike logos.
5. Does the site have a questionable domain? Fake retail sites frequently use domain names that are deceptively similar to well-known brands, which could be a common mis-spelling, the addition of geo-based attributes [such as vionicskonorge.com], or an attempt at deception by adding a phrase such as a sale or ‘discount’ to a legitimate brand.
Fake shops harm your existing customers and drive potential traffic away from legitimate retail outlets. They also cost brands financially and damage their reputations. Your brand’s hard-earned reputation, perhaps years in the making, can be tarnished instantly by criminals using sophisticated cyber attacks.
Netcraft discovers about 3,000 fraudulent online shops every day and, to date, has taken down over 500,000 fake shops. Our brand protection solutions are designed to offer quick response and resolution to cyber threats targeting your organization before they can cause extensive damage to brand value and customer trust. Netcraft protects brands in 100+ countries and performs takedowns for four of the ten most phished companies online.
Netcraft’s brand protection platform operates 24/7 to discover fake shops, fraud, scams, and other cyber attacks through extensive automation, AI, machine learning, and human insight. Our disruption & takedown service ensures malicious content is blocked and removed quickly and efficiently—typically within hours.