Massive impersonation campaign targets apparel firms including Nike and Adidas


Attackers employing unique search engine optimization (SEO) techniques are carrying out a widespread brand impersonation scam campaign and targeting hundreds of clothing, footwear, and apparel brands, new research has shown.

Among the brands affected by the campaign are Nike, Puma, Adidas, Casio, Crocs, New Balance, and numerous others. It went live around June 2022 and had peak phishing activity between November 2022 and February 2023. The campaign is still ongoing.

To carry out their scam activities, threat actors registered thousands of domains to target unsuspecting customers of these brands for their own financial gain.

ADVERTISEMENT

According to threat researchers at Bolster, an automated digital risk protection company, scammers exploit the trust in reputable brands to trick shoppers into making purchases on their fraudulent websites.

Needless to say, the victims never receive the promised products. They get either nothing at all or cheap low-quality knock offs sourced from Chinese marketplaces. On top of that, their personal information is compromised too.

A few of Bolster’s retail customers were also affected, the company’s threat researcher Nikhil Panwar told Cybernews. In response, Bolster has issued takedowns and managed to get most sites targeting the affected brands taken down.

Live fake sites still out there

The campaign domains associated with this scam have been traced back to the Autonomous System number AS48950.

These domains’ IP addresses are hosted by two specific internet service providers, Packet Exchange Limited and Global Colocation Limited. It’s worth noting that both providers have a negative reputation for fraud risk.

The threat actors have predominantly utilized the tactic of combining a brand name with a random country name. The example below illustrates how extensively one of the companies, Puma, has been targeted.

The Bolster researchers first noticed a live site from this campaign back in June 2022. The initial number of fake sites wasn’t high but the campaign soon hit peak levels. Unsurprisingly, the threat actors heavily targeted the last holiday season.

apparel-brands
An example of the typosquat domains targeting Clarks, and how high they are ranked in the Google Search Engine. Courtesy of Bolster.
ADVERTISEMENT

“While the attack is not as frequent as during the holiday season, the research team is still monitoring substantial activities from this brand impersonation campaign. Currently, there are still about 2200-2300 live domains from this campaign during the week of May 22nd-26th, 2023,” Panwar said in the report.

It’s also interesting to note that several of these scam sites have managed to exist for a considerable period of time — to the extent that they appear as a solid second or third result on search engines like Google.

When they’re ranked so highly, it becomes quite easy to dupe even tech-savvy users. Bolster says that the threat actors have been strategically employing various SEO techniques to manipulate rankings and increase visibility.

“This attack seems meticulously planned as the domains were registered two years in advance, allowing for aged domains that in some cases greatly increases their rank to the second or third result in Google search for many brand-related keywords,” says Panwar.

Extra steps always a good idea

Again, the very fact that these deceptive sites are ranking so highly in search engine results is particularly concerning for non-tech-savvy users who may be at greater risk of falling victim to these scams.

Customers who overlook the fact that these websites aren’t official often end up falling into the trap. They enter their email, password, and credit card details, unknowingly compromising their personal information as well, Bolster says.

The scammers can then take over the users’ accounts, or create new accounts using stolen identities.

“To make matters worse, some of these impersonation websites manage to rank highly in search engine results, making it easier for victims to unwittingly stumble upon them and consider them legitimate,” stresses Panwar.

Bolster researchers believe that the same group of threat actors is behind all of these scam and brand impersonation sites. This is because there’s a pattern of using the same domain registrar, combining the same two ISPs, and registering similar typosquat domain names.

ADVERTISEMENT

The company’s advice to users is to be vigilant while browsing and making online purchases. Verifying the authenticity of websites is especially important when dealing with popular brands such as Nike, Adidas, or Puma.

For example, it’s always a good idea to confirm the brand’s domain and take extra steps to verify the legitimacy of the domain if you’re suspicious.

For the brands themselves, neutralizing these sites is possible by issuing takedowns for domains and hosting providers.

According to Bolster’s Panwar, the problem is that these specific threat actors are using a combination of very difficult hosting providers and domain registrar. To be specific, they’re using the Alibaba domain registrar and Packet Exchange Limited and Global Colocation Limited hosting providers.

Advances in AI help

The issue of impersonating well-known brands is, unfortunately, very difficult to solve. There are simply too many fraudulent websites out there, Salvatore Stolfo, the chief technology officer at Allure Security and professor of computer science at Columbia University, told Cybernews in an interview.

One possible solution is automating detection of scam impersonations with the help of artificial intelligence (AI).

“Since these scam sites take the email, password, and payment information from users, it's entirely possible for threat actors to abuse that information later on.”

Nikhil Panwar.

Panwar agrees: “Yes, advances in AI help. We’re seeing new natural language understanding frameworks coming out more frequently. Leveraging large language models to understand content on a webpage is making detection better.”

ADVERTISEMENT

Besides, according to Stolfo, it’s important for brands to realize that solving the problem at the root cause — finding and taking malicious websites as soon as they appear on the internet — should be the priority.

As Cybernews reported in 2022, Microsoft and Facebook top the list of most impersonated brands. Besides tech giants, financial services brands are also often targeted.

Interestingly, most phishing attacks occur on Tuesdays and Wednesdays. The way scammers choose specific days for attacks is no coincidence.

Research has shown most malicious emails are delivered between 2 p.m. and 6 p.m., with very little fluctuation day-to-day, except for the weekend. That’s because threat actors bank on employees being stressed and tired, thus more likely to open a shady email or click an unsafe link.

Bolster researchers say they’re so far not aware of attackers actively abusing information of shoppers’ personal information. But the possibility is real.

“Since these scam sites take the email, password, and payment information from users, it's entirely possible for threat actors to abuse that information later on,” Panwar told Cybernews.