Researchers uncover 37,000 fake websites aiming to fool holiday shoppers

Woman shopping online on a laptop

Security researchers have discovered around 37,000 fake retail websites set up to scam holiday shoppers.

According to the RiskIQ 2020 Black Friday E-commerce Blacklist Threat Report, cyber criminals set up these websites to leverage leading online retailers’ names and consumers’ poor security habits to fool shoppers looking for holiday shopping deals.

Registering domains that infringe on well-known brands is a common tactic in phishing campaigns and has grown in popularity in recent years due to the opening of thousands of new generic top-level domains (gTLDs), the growth of free and cheap domain registration services, and attack techniques, like domain shadowing, according to the report.

In a query of 20 Fortune 100 companies’ branded terms, RiskIQ’s domain infringement detection revealed 37,000 probable domain infringement instances over two weeks. That’s 1,850 incidents per brand.

Researchers also found 208 domain infringement events containing only “Black Friday,” “Cyber Monday,” “Boxing Day,” or “Christmas.” New hostnames containing these terms spun up near the Thanksgiving shopping weekend don’t necessarily indicate a legitimate threat, but shoppers should be skeptical of them.

Looking at five of the top-10 most trafficked sites in the US and UK, RiskIQ found 18,891 blacklisted URLs containing their branded terms. That’s 945 blacklisted URLs per brand.

The researchers also found that hackers have developed apps that spoof legitimate retailers to scam victims. They found 1,654 blacklisted apps containing branded terms in the title or description or 82.7 per brand.

RiskIQ found an average of nearly three blacklisted apps for each brand containing its branded terms and “Black Friday,” “Cyber Monday,” “Boxing Day,” or “Christmas” in the title or description. This shows clear intent by threat actors to leverage the shopping holiday, said researchers.

The report also delved into Magecart web-skimming attacks. Magecart places skimmers on scores of e-commerce sites, including those of global brands, allowing operatives to intercept thousands of consumer credit card records.

RiskIQ found the average length of a Magecart breach is 22 days. Anyone purchasing on a compromised site during this period is likely a credit card theft victim.

"This year's bad holiday actors will capitalize by using the brand names of leading e-tailers, as well as the poor security habits of consumers," said RiskIQ CEO Lou Manousos. "They'll fool shoppers looking for shopping deals, sales, and coupons by creating fake mobile apps and landing pages."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.