Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands

Cyber Security Threat Summary:
“A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Skechers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others. According to Bolster's threat research team, who discovered the campaign, it relies on at least 3,000 domains and roughly 6,000 sites, including inactive ones. Bolster reports that the campaign had a significant activity spike between January and February 2023, adding 300 new fake sites monthly” (Bleeping Computer, 2023).

According to researchers, the domains follow a similar naming convention: the brand name combined with a city or county name, followed by a generic TLD such as “.com.” Many of these domains were hosted by two internet service providers, Packet Exchange Limited and Global Colocation Limited, and registered through Alibaba[.]com Singapore. When examining the domains, researchers noted that their registration periods range anywhere between two years and 90 years. Because some of these domains are already two years old, they are less likely to be flagged as suspicious by security tools that rely on domain age.
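A defender-side check for the naming convention described above, added here as an example (it is not Bolster's or Bleeping Computer's code): it flags domains whose second-level label is one of the brand names listed on this page joined to a place token under a generic TLD, so that such registrations can be reviewed regardless of domain age. The place tokens, the TLDs beyond “.com”, and the sample domains are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Brand names taken from the page's list (lower-cased, spaces removed to match a DNS label).
BRANDS = ["nike", "puma", "asics", "vans", "adidas", "columbia", "converse", "timberland",
          "crocs", "ugg", "guess", "newbalance", "fila", "reebok", "thenorthface"]
# Place tokens are constructed examples; a real deployment would load a city/county gazetteer.
PLACES = ["london", "manchester", "sydney", "toronto", "berlin", "essex", "kent", "chicago"]
# The page names ".com" as the generic TLD used; the others are assumptions for the example.
GENERIC_TLDS = ("com", "net", "org", "shop", "store")

# One regex per ordering (brand-then-place, place-then-brand), optional '-' separator.
# Longest alternatives first so "newbalance" is tried before shorter names.
_BRAND_ALT = "|".join(sorted(BRANDS, key=len, reverse=True))
_PLACE_ALT = "|".join(sorted(PLACES, key=len, reverse=True))
_PATTERNS = [
    re.compile(rf"^(?P<brand>{_BRAND_ALT})-?(?P<place>{_PLACE_ALT})$"),
    re.compile(rf"^(?P<place>{_PLACE_ALT})-?(?P<brand>{_BRAND_ALT})$"),
]

def classify_lookalike(fqdn: str) -> Optional[Dict[str, str]]:
    """Return {'domain','brand','place','tld'} when fqdn follows the brand+place+generic-TLD
    convention, otherwise None. Host labels such as 'www.' are ignored; ccTLDs are not matched."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    tld, sld = labels[-1], labels[-2]
    if tld not in GENERIC_TLDS:
        return None
    for pat in _PATTERNS:
        m = pat.match(sld)
        if m:
            return {"domain": f"{sld}.{tld}", "brand": m.group("brand"),
                    "place": m.group("place"), "tld": tld}
    return None

def scan_domains(candidates: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over a batch (e.g. newly observed domains from DNS or CT logs)."""
    hits: List[Dict[str, str]] = []
    for d in candidates:
        hit = classify_lookalike(d)
        if hit and hit not in hits:   # de-duplicate hosts under the same registrable domain
            hits.append(hit)
    return hits

# Constructed sample input; none of these are domains named on the page.
SAMPLE = ["www.nike-london.com", "pumaberlin.shop", "torontoadidas.com",
          "nike.com", "essexcouncil.org", "crocs-kent.co.uk", "vans-sydney.net"]

if __name__ == "__main__":
    for hit in scan_domains(SAMPLE):
        print(f"{hit['domain']:22s} brand={hit['brand']:8s} place={hit['place']}")
```

The legitimate brand domain and the ccTLD registration in the sample are deliberately left unflagged; hits are review candidates, not verdicts.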

“In the campaign discovered by Bolster, many of the malicious domains survived so long without being reported that Google Search indexed them and are now likely to rank high for specific search terms. This is a particularly effective strategy in luring unsuspecting users to visit a phishing site, as most people associate high ranking in Google Search with credibility and trustworthiness” (Bleeping Computer, 2023).

Security Officer Comments:
The domains impersonating brands like Nike, Puma, and Clarks, among many others, had designs notably similar to the official sites. To trick unsuspecting users, the phony sites had “About Us” pages, contact details, and working order pages, where victims could actually add items to a cart and check out. However, after victims entered their payment details and placed an order, the sites would either never ship the products or send Chinese knockoffs to customers. Furthermore, since the payment details were most likely stored by the threat actors, those details could then be used to make other illicit purchases without the victims’ knowledge.

Suggested Correction(s):
“When searching for the official website of a brand, skip all promoted results on Google Search. If still unsure, check the brand's Wikipedia page or social media channels for the legitimate URL” (Bleeping Computer, 2023).

Link(s):
https://www.bleepingcomputer.com/