
‘Tis the Season to Scam Shoppers: Counterfeiters Coming for Your Customers This Holiday

The holidays are close at hand, which means counterfeiters are primed and ready to siphon off your hard-earned customers and conversions.

Fighting fake products and copycat websites can feel like a never-ending game of whack-a-mole in which the next threat springs up seemingly as soon as you’ve squashed the last one. Cloning legitimate retail websites and products can bring in big business for bad actors: Worldwide counterfeits reached $1.2 trillion last year and are projected to total $1.82 trillion by 2020, according to the Global Brand Counterfeiting Report, 2018.

Counterfeiting not only drains profits from brands but can also pose real hazards to end consumers. Goods made with dangerous and even banned chemicals and other questionable ingredients present health risks. Legitimate brands stand to see their reputations tarnished by association—all the consumer sees is the brand mark or logo, even if what they happened to purchase was actually a knockoff.

While many miscreants online are out to sell unsuspecting customers phony goods, a growing number of cyber crooks are setting up shady sites for simpler, though equally sinister, reasons: They’re after your payment data and passwords, which can turn a tidy profit on the dark web.

To some, their attempts may seem unsophisticated, but clearly the ruse is effective enough. Among the most common approaches to naming lookalike sites? Adding “best” or a similar word at the beginning of the URL so that (legitimate) becomes (fake), or swapping in characters that are easily mistaken for one another, like the capital letter “I,” the lowercase “l” and the numeral “1.”

More troubling, though, is the rise of website security certificates slapped onto an online portal, designed to fool consumers into thinking they’re accessing a legitimate e-commerce page. In analyzing the top 20 retailers in the United States, United Kingdom, Australia, France and Germany, cybersecurity expert Venafi discovered that certificates for lookalike domains outnumbered the authentic sites, 40,651 to 18,759—a ratio of more than 2-to-1—with most of the lookalikes’ certificates stemming from Let’s Encrypt, a free, automated service that eliminates much of the friction for hackers. A lookalike isn’t always malicious, but the overall correlation is troublingly high.
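As an added illustration, not code from the article or from Venafi, here is a small defender-side check in Python that applies the two naming tricks described above, the “best” prefix and I/l/1 swaps, to a batch of constructed certificate-log records for a hypothetical brand domain; the brand name, issuer names and records are all assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Characters the article names as easily confused: capital I, lowercase l, digit 1.
# Folding I and 1 into l before lowercasing makes "ho11yshop" and "holIyshop" compare equal.
CONFUSABLES = str.maketrans({"I": "l", "1": "l"})
# "best" comes from the article; extend with other prefix words observed in practice.
PREFIX_WORDS = ("best",)


def normalize(label: str) -> str:
    """Fold confusable characters, then lowercase a hostname label."""
    return label.translate(CONFUSABLES).lower()


def registrable_label(host: str) -> str:
    """Return the label just before the TLD (e.g. 'hollyshop' for www.hollyshop.com).
    Assumes a one-label TLD; a real deployment would consult the public suffix list."""
    parts = host.strip().rstrip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a qualified hostname: {host!r}")
    return parts[-2]


def lookalike_reason(host: str, brand: str) -> Optional[str]:
    """Explain why `host` resembles `brand`, or return None if it does not.
    The brand's own zone and its subdomains are never flagged."""
    h_label, b_label = registrable_label(host), registrable_label(brand)
    if h_label.lower() == b_label.lower():
        return None
    n_host, n_brand = normalize(h_label), normalize(b_label)
    if n_host == n_brand:
        return "confusable characters"
    for word in PREFIX_WORDS:
        if n_host in (f"{word}{n_brand}", f"{word}-{n_brand}"):
            return f"'{word}' prefix"
    return None


def flag_certificates(entries: List[Dict[str, str]], brand: str) -> List[Tuple[str, str, str]]:
    """Scan certificate-log style records and return (subject, issuer, reason) for lookalikes."""
    flagged = []
    for entry in entries:
        reason = lookalike_reason(entry["subject"], brand)
        if reason:
            flagged.append((entry["subject"], entry["issuer"], reason))
    return flagged


# Constructed sample records; the brand, hostnames and issuer names are invented for this demo.
SAMPLE_ENTRIES = [
    {"subject": "hollyshop.com", "issuer": "Example CA"},
    {"subject": "www.hollyshop.com", "issuer": "Example CA"},
    {"subject": "ho11yshop.com", "issuer": "Free Automated CA"},
    {"subject": "holIyshop.com", "issuer": "Free Automated CA"},
    {"subject": "best-hollyshop.com", "issuer": "Free Automated CA"},
    {"subject": "holidaydeals.com", "issuer": "Example CA"},
]

if __name__ == "__main__":
    for subject, issuer, reason in flag_certificates(SAMPLE_ENTRIES, "hollyshop.com"):
        print(f"{subject:22} {issuer:20} {reason}")
```

Run against a real Certificate Transparency feed, the same function gives a retailer early warning of lookalike certificates instead of waiting for a certificate authority to notice.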


“Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique,” Jing Xie, senior threat intelligence analyst for Venafi, explained.

It might be tempting to expect companies that issue security certificates to take responsibility for vetting the credentials they dispense, but retailers must do more to combat cybercrime and protect their customers, Xie added.

“No organization should rely exclusively on certificate authorities to detect suspicious certificate requests,” Xie said. “For example, cyber attackers recently set up a look-alike domain for NewEgg, a website with more than 50 million visitors a month. The lookalike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements.

“This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers,” Xie said.