6 Examples of the Evolution of a Scam Site
Examining some key examples of recently found fraud sites that target the lucrative retail shoe industry helps us understand how brand impersonation sites evolve.
February 2, 2023
Fraudsters are getting more sophisticated about how they set up and make adjustments to brand impersonation scam sites — not just for phishing, but for all kinds of consumer fraud. A recent analysis by security researchers at Allure Security illustrates how brand impersonation sites are born, how they progress, and the evolutionary steps that fraudsters are now taking to unleash a fully realized scam site.
The analysis was conducted on a cluster of 103 sites the researchers discovered at the tail end of 2022 that primarily focused on shoe brand companies. They found an interesting new trend among these sites that differed from the typical brand impersonation. Whereas most impersonation sites are built out of the box to closely mimic the brand they're copying, these new sites did not.
"We hunt for online impersonations of businesses on behalf of brands that hire us. So as a part of our work we started to find impersonations of one of our customers, a running sneaker company, that evolved in a way we hadn't seen before," said Josh Shaul, CEO of Allure Security. "Usually what we would see is somebody put up a website that looks just like the running sneaker's website or similar enough, with just their branding all over it, but this was different."
At the time of discovery, the lookalike domains had been purchased recently, and in the first few days of existence they looked like generic shops, all of which were built around a very common retail website template. Over the course of 10 days to just a couple of weeks, the sites began to evolve. Within a few weeks, they were redesigned to become a full impersonation.
"As we started to dig deeper and look for more, we realized this wasn't something that was just happening to one of our customers," Shaul says. "This was happening to lots of brands."
Dark Reading worked with Shaul to discuss examples of this process. They illustrate this latest evolution of an impersonation scam site using screenshots, reveal the motives for this process, and uncover the potential fraudulent schemes that their creators could be using these sites to carry out.
The template that this recent campaign used to carry out these retail impersonations is called Optimal. According to its developer, it's a "Multipurpose Ecommerce Bootstrap 5 HTML Template" that has 24 prebuilt homepage variations, along with all the other typical internal pages that a new, legitimate retail business would use to launch a site. It sells for about $14 on Envato Market. Look at the template to the far bottom right of these demo shots — it will look extremely similar to several of the early-stage scam sites explored in the following slides.
Early screenshots from Allure show that some of these scam sites made very few changes from the template's demo home page. The dummy copy remains, along with the generic photo from the demo. Even the branding at the top of the page says "Optimal" rather than showing the impersonated brand's logo.
Two weeks later, this fully realized scam site used Optimal to create a site that more closely mimics the inov-8 brand aesthetic, even utilizing similar photos as on the legitimate inov-8 website.
So why go through this two-step evolutionary process? Shaul speculates that it's likely to evade company defenses looking for brand impersonations.
"They put up something that's going to get the SEO hit that they want because it's got the products and product names all over it. But then when somebody goes to look at it, it's clearly not mimicking the brand itself. It doesn't look anything like the real website," he says. "And so I think these things get marked safe, and then after a little bit of time they evolve to not-safe, real impersonations, but with all the benefits of a couple of weeks or months of SEO time."
As with the previous example at the early stage, this one starts with the same Optimal demo look and generic copy, only with Vans products listed underneath.
The fully realized scam site now more closely aligns with the Vans marketing look and feel.
Many of the scam domains chosen in these examples rely on a common impersonation tactic called cybersquatting: registering a domain name that looks like it could be an official site related to the brand but, on closer inspection, is not affiliated with it. In most cases among these particular campaign examples, the cybersquatters employed domains with different country names in the second-level domain. A big red flag in this case is the .net top-level domain. The real Vans UK domain is vans.co.uk.
The example here is a fully realized scam site for what is meant to look like a Vans shopping site for those in the United Arab Emirates. Like the previous Vans example, the initial early-stage site for this domain used the same English demo copy and graphics from the Optimal template. Now as a fully realized brand impersonation, this variation of the Vans imitation uses the same graphics as the one targeted against UK victims. The twist is the localization, with all of the copy written in Arabic.
This example is from the fully realized stage of the scam site Joyajapan.com, which targets the brand of Swiss shoe company Joya. The early-stage site looked very similar to this one, with the only exceptions that text was in English instead of Japanese and the Optimal logo remained instead of an impersonation of the Joya logo. In this fully realized stage, there is some localization and the addition of some semblance of a logo. However, the logo used doesn't match that of the brand.
This was another iteration going after Vans, this time for a Swiss audience, using the domain vansschuheschweiz.com. Again, note the top-level domain; the proper Vans site is vans.ch, using one of the official TLDs for Switzerland.
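The domain pattern in this example and the earlier UK one (brand name plus country or retail wording in the second-level label, on a domain the brand does not list) can be checked mechanically. The following is an added example, not code from Allure Security or the article; the word lists, the suffix list and the `.example` domains are constructed, and Joya's official domain is not given in the article, so its allowlist is left empty.

```python
# Added example: triage candidate domains for brand-plus-country cybersquatting.
# Official domains are the two the article names; Joya's is not given there.
OFFICIAL = {"vans": {"vans.co.uk", "vans.ch"}, "joya": set()}
# Constructed, non-exhaustive word lists (assumptions, not campaign data).
GEO = ("schweiz", "japan", "uae", "uk")
SHOP = ("schuhe", "shoes", "shop", "store", "outlet")
# Constructed stand-in for the Public Suffix List.
SUFFIXES = ("co.uk", "com", "net", "ch", "example")

def second_level_label(domain):
    """Return the label directly left of the registrable suffix."""
    d = domain.lower().rstrip(".")
    for s in sorted(SUFFIXES, key=len, reverse=True):
        if d.endswith("." + s):
            return d[: -len(s) - 1].rsplit(".", 1)[-1]
    return d.split(".")[0]

def decompose(label, brand):
    """Greedily split a label into brand/geo/shop tokens; None if text is left over."""
    vocab = [(brand, "brand")] + [(g, "geo") for g in GEO] + [(s, "shop") for s in SHOP]
    vocab.sort(key=lambda v: len(v[0]), reverse=True)
    rest, kinds = label.replace("-", ""), []
    while rest:
        for token, kind in vocab:
            if rest.startswith(token):
                kinds.append(kind)
                rest = rest[len(token):]
                break
        else:
            return None  # e.g. "caravans": contains "vans" but is not brand wording
    return kinds

def triage(domain, brand):
    """Classify a domain as official, suspect or unrelated for one brand."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in OFFICIAL.get(brand, ())):
        return "official", []
    kinds = decompose(second_level_label(d), brand)
    if not kinds or "brand" not in kinds:
        return "unrelated", []
    return "suspect", kinds  # brand wording on a domain the brand does not list

if __name__ == "__main__":
    for name, brand in [("vansschuheschweiz.com", "vans"), ("Joyajapan.com", "joya"),
                        ("vans.ch", "vans"), ("caravans.example", "vans")]:
        print(name, triage(name, brand))
```

Because the article notes these sites start out looking like generic shops, a "suspect" verdict on the domain name is a reason to keep re-checking the site over the following weeks rather than to clear it after one visual review.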
While that now-familiar orange background graphic used in the Optimal demo was very common in this scam site campaign, the attackers did mix things up occasionally. At the top, you can see a different variation of the home page template was used. The resulting fully realized site shown below also looked different than the other two Vans examples shown earlier.
Source: Allure Security
The following compares and contrasts one of the fully realized scam sites next to the actual brand's site. This one is for Hey Dude. The top is the scam, and the bottom is the real website. The comparison shows that many times these impersonations aren't dead ringers for a brand's look and feel. Like with Joya, this site doesn't use the company logo. But it does let the pictures of company products act as the visual anchor points for the site.
This kind of rough mimicry is often good enough to perpetrate the kinds of fraud that attackers seek to carry out. In this case, the goal appears to be a nondelivery scam, where someone orders from the fake site, is charged, and simply doesn't get what was ordered.
"We didn't walk through and see how far we could get in the ordering process, but it's more than likely nondelivery fraud here," Shaul says, explaining that this kind of fraud can really hurt brand reputation and online trust for a brand. If someone gets burned by a non-delivery site for a brand, they may choose not to buy that product online again.
"And I think as you see more online-only brands pop up, and more of the old school brick-and-mortar brands try to move the bigger chunk of their business online, that's a real threat to the business," he adds.