Massive phishing campaign of 6,000 sites imitating 100 top brands

Widespread brand impersonation campaign targets popular apparel brands

Massive phishing campaign of 6000 sites imitating 100 top brandsMany popular brands targeted by crooks who create clone phishing sites

A massive brand impersonation campaign has been circulating online since June 2022, targeting over a hundred well-known apparel, footwear, and clothing brands. This intricate scheme is designed to trick unsuspecting users into providing their account credentials and financial information on fraudulent websites. The brands chosen for impersonation are well-known and trusted by consumers, making them prime targets for scammers looking to take advantage of their goodwill and entice potential victims.

Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and many more are among the brands impersonated by the phony sites. Over the years, these brands have built a strong customer base and established credibility, which scammers intend to exploit for their fraudulent activities.

The intricate network of fake sites and domains

According to Bolster's threat research team,[1] the campaign is based on a complex network of approximately 3,000 domains and approximately 6,000 sites. These active and inactive domains and sites are used to create a convincing front for the fraudulent operation. The scammers behind the campaign put in significant effort to weave a vast web of deception to make it difficult for users to distinguish between genuine and counterfeit websites.

The researchers discovered a significant increase in campaign activity between January and February 2023, with 300 new fake sites added each month. This rapid expansion reflects the operation's size and sophistication, as scammers continue to refine their tactics and target a broader range of brands. The sheer number of sites involved demonstrates cybercriminals' concerted effort in carrying out this massive phishing campaign.

The scammers behind this brand impersonation campaign have gone to great lengths to make their bogus websites appear as genuine as possible. Bolster's researchers discovered numerous fake sites for well-known brands such as Nike, Puma, and Clarks. These fake domains meticulously replicate the design, layout, and overall aesthetic of the official brand websites in order to trick visitors into thinking they are on a legitimate platform.

To give the scam domains even more credibility, they were linked to specific Autonomous System numbers associated with internet service providers Packet Exchange Limited and Global Colocation Limited. Scammers create a sense of authenticity and stability by leveraging these providers' infrastructure, leading users to trust the fraudulent sites.

The deceptive nature of the phishing operation

Scammers frequently use the technique of “domain aging.”[2] They make the sites appear more legitimate by registering the domains in advance and leaving them inactive for an extended period of time. This is because a domain that has existed without raising suspicion for a longer period of time is less likely to be flagged as suspicious by security tools.

As a result, some of the malicious domains in this campaign went undetected for a long time, eventually becoming indexed[3] by Google Search and potentially ranking high in search results. Because top search results are associated with credibility and trustworthiness, this high visibility increases the likelihood of unsuspecting users clicking on these fraudulent links.

The counterfeit websites discovered in this campaign are not hastily built clones, but rather have realistic “About Us” pages, contact information, functional order pages, and an overall level of sophistication that makes them difficult to identify as suspicious.

This level of detail and effort invested in replicating genuine brand websites increases the scammers' chances of successfully deceiving users and convincing them to provide sensitive information. It is critical for users to remain cautious and follow best practices in order to avoid falling.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions