Our Vice President of Operations Molly DeQuattro recently shared threat research with leading cybersecurity news site Dark Reading to bring awareness to how scam websites targeting apparel brands evolve over time. We sat down with Molly to discuss her and her team’s findings in more depth and help brands better understand how scammers target their customers and brand online, the Optimal e-commerce template these scammers use, why fraudsters take this phased approach to some scams, and how these scams can be identified earlier in their lifecycle to reduce the damage.
How popular is this e-commerce template among legitimate sites vs. brand impersonation attacks?
Molly DeQuattro: It’s a little hard to tell. I will say that while I was looking for additional samples to share for this blog, I found another five shoe impersonation sites and one likely legit car dealership site using the template on a single page of search results.
How can brands tell if a site in a generic or benign state will eventually impersonate them?
MD: Brands can watch for lookalike domains – either domains that contain their brand name or unique brand-related messages like slogans. However, it’s important to not focus solely on lookalike domains. In fact, 70% or more of impersonation activity that we see happens on non-lookalike domains.
For the 200+ shoe brand and shoe retailer domains that we traced in late December 2022, every single one evolved into an impersonation site.
What patterns exist in terms of how long a site might remain dormant (i.e., not completely impersonating a brand)?
MD: We see a range of patterns. Sometimes the impersonation site is live and ready for action the moment it comes online. We see a lot of activity in the first week a domain is registered, for sure. We also see dormant sites that don’t become impersonation sites until far beyond the 30-day mark. The vast majority of the cache of shoe sites we found in late 2022 were dormant for weeks before becoming full-fledged impersonation sites ready to take payments. And they’re mostly still up as of this writing.
How often do lookalike domains turn into scam sites?
MD: Despite the pattern we observed for these shoe impersonation sites, most – by an order of magnitude – lookalike domains stay parked and innocuous. In real numbers, for every 500 newly registered lookalike domains, maybe a few dozen spin up impersonation content. For the biggest brands, those ratios trend a little higher, but the implications are the same: regular scanning of those parked sites must be automated in order to successfully identify scams before they snare their first victim.
How important is it for a scam site to resemble the legitimate site and how does it impact the effectiveness of the scam? Do these “templated” websites that don’t look exactly like a brand’s official website do as much damage?
MD: It doesn’t seem to matter how closely the scam site mimics the original site – especially in the e-commerce retailer space. Sites that sell apparel tend to change seasonally with promotions and the like. And unlike your bank’s website where you might log in once a week at least, a shoe buyer isn’t likely to shop more than once a month or even every three months. All that to say, a potential victim won’t necessarily notice that a fake site doesn’t exactly match the official site. If the brand marks are splashed around a site, and the product images look reasonably good, most folks won’t notice that a scam site doesn’t use the same design as the original.
Why were you and the team capable of detecting these scams in the early stages?
MD: We see a lot of templated scam sites, and we observed the Optimal e-commerce HTML template becoming increasingly common amongst scammers. We then trained our AI detection model to identify the template and tracked a large increase in new websites using the template published around the same time – and across multiple registrars and hosting providers.
We found it curious that these same sites remained in their templated state, rather than evolving into mature sites – scam or otherwise. We don’t look at websites just once. We continually revisit them so that we can catch them as soon as they “turn bad,” if they ever do. Essentially, this pattern stood out in our broader analysis, and when we looked deeper, we found hundreds of them impersonating a variety of shoe brands.
What are some tips or things to check for on a scam site that signal malicious intent?
MD: It can be difficult to tell, especially when someone is excited because they think they’re about to get an incredible bargain. So first, if a discount sounds too good to be true, slow yourself down so you can apply more scrutiny to the e-commerce website. The Better Business Bureau provides a number of recommendations for researching an online retailer before you make a purchase.
To reiterate, don’t rely solely on the following to keep yourself safe, but there are two commonalities we’ve seen among the scam sites lately that I’ll mention.
First, many impersonation sites neglect to update their copyright statement – often found at the bottom of the website. The copyright statement on a legitimate/official site often includes the full legal name of the business entity along with the current year. In contrast, impersonations typically leave the copyright as “© 2023 [insertfakedomainhere].com”.
Second, we also find that social media links on impersonation sites rarely point to actual social profiles, legitimate or not.
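The two footer signals described in the interview above can be checked automatically on each revisit of a watched domain. The sketch below is an added example, not part of the interview and not Allure Security's detection code; the function names, the platform list and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SOCIAL = ("facebook", "instagram", "pinterest", "youtube", "tiktok")  # assumed list

class _Collector(HTMLParser):
    """Collects text chunks and the attributes of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(dict(attrs))
    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip().lower())

def dead_social_links(links):
    """Platforms whose link is not on the platform's host with a profile path."""
    dead = set()
    for a in links:
        label = " ".join(str(v) for v in a.values() if v).lower()
        name = next((s for s in SOCIAL if s in label), None)
        url = urlparse((a.get("href") or "").strip())
        if name and (name not in (url.hostname or "") or not url.path.strip("/")):
            dead.add(name)
    return sorted(dead)

def scan_page(html, domain):
    """Return the footer signals found on one fetched page of `domain`."""
    page = _Collector()
    page.feed(html)
    page.close()
    host = domain.lower().removeprefix("www.")
    findings = []
    if any(("©" in t or "copyright" in t) and host in t for t in page.text):
        findings.append("copyright names the domain")
    dead = dead_social_links(page.links)
    if dead:
        findings.append("social links without profiles: " + ", ".join(dead))
    return findings

# Constructed sample pages (not real sites).
SUSPECT = ('<footer><a class="icon-facebook" href="#"></a>'
           '<a class="icon-instagram" href="https://www.instagram.com/"></a>'
           '<p>&copy; 2023 shoe-deals.example</p></footer>')
OFFICIAL = ('<footer><a href="https://www.facebook.com/examplebrand">Facebook</a>'
            '<p>&copy; 2023 Example Footwear, Inc. All rights reserved.</p></footer>')
```

Both checks are weak signals on their own, as the interview notes; they are most useful as inputs to a scheduled rescan that flags a parked or templated domain for review once they start to appear.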
What You Should Do Next
- If you want a more in-depth briefing on this particular e-commerce scam targeting multiple well-known shoe brands, contact us.
- Are your brand protection efforts lacking compared with best practices? Find out using our free Busy Person’s Guide to Online Brand Protection.
- Learn about another online brand impersonation trend observed by Allure Security – scammers abusing free subdomains offered by dynamic DNS service providers – on our blog.