FortiGuard Labs Threat Research Report
Black Friday and Cyber Monday kick off the holiday shopping season. In fact, 30% of all retail sales take place between Black Friday and Christmas Day. Retailers earn a significant portion of their annual revenue during this shopping “holiday” weekend, allowing stores to catch up on profits and meet sales targets and year-end figures.
In the run-up to this event, FortiGuard Labs observed more and more scams involving counterfeit websites that appear to be legitimate e-commerce sites. We say “appear to be” because, to an untrained eye, these sites may look safe, but if you are careless they can take your money (and, in all likelihood, your payment card details) through what looks like a legitimate purchase. Fake e-commerce sites quickly adapt to the latest consumer trends and offer a wide variety of products to attract potential buyers.
We recently came across an active, live scam that exploits the look and feel of the world’s largest corporations and their respective brands to lure and deceive victims into making purchases on its sites. These sites are not affiliated in any way with the trademark/intellectual property owners and are recognizable in part because they use the same template over and over again in a virtual game of whack-a-mole (meaning that as soon as one site is taken down, another promptly appears elsewhere).
Many of the major ones we have documented include:
Other well-known counterfeit brand names include:
We have noticed others that have since been removed:
The sites we observed commonly share the following characteristics:
Milwaukee Tools is a well-known, globally established tool company founded in the United States. Milwaukee Tools products are sold through authorized online retailers or in physical stores. We came across a recently registered website, milwauketools[.]shop, which had the appearance of a professional e-commerce retailer.
What immediately caught our attention (in addition to the misspelled domain name) was the very low price of the kit on offer.
With the exception of discontinued models/lines, such deeply discounted prices (this kit usually sells for $659) are the mark of a scam. However, to an inexperienced eye, the limited-time offer with its countdown timer and the professional look of the site will most likely capture the attention of an impulsive buyer. And that is exactly what the bad actor behind this site is counting on: an impulsive buyer who is not paying attention and falls prey to the scam.
Although the About Us and Our Culture sections of this website appear to have been written by someone with a good command of the English language (probably copied from a legitimate site), the string “milwauketools” (Figure 3) is a small error that tells us this is not the official Milwaukee Tools company, even though the logo in the screenshot below is spelled correctly. This suggests the actor is working from a template when creating this site:
Another red flag is that the domain was created on the 21st, which, at the time of writing, makes it only five days old.
Looking at the cart source code, we see the string “刷新按钮”, which translates to “refresh button”. This may hint at the origin of the group behind this site, or the shopping cart code may simply have been reused.
A visit to the company’s official website (milwaukeetool.com) shows that it does not sell directly to consumers, as is the case with many major brands:
A shopping search on Bing.com showed that the lowest official price for this 6-TOOL LITHIUM-ION CORDLESS COMBO KIT 2696-26 M18 is $613.00 (USD).
Deepening our research with OSINT (open source intelligence) searches on the major search engines, we discovered another 19 online retail sites that use the same template and shopping cart as milwauketools[.]shop, suggesting that they are all part of a larger scam. This was reinforced when we determined that they had all been registered with the same registrar. Our results included websites impersonating Oculus (Facebook), Blink (Amazon), Shimano, and many others.
Digging deeper, we can see that the Oculus Quest 2 site uses a template similar to that of the milwauketools[.]shop site. It also has the same countdown timer and limited-time offer, as well as the same low $99 price for an item with a $699 MSRP.
The Blink template looks the same:
And again, the Blink template looks convincing.
But if we look in more detail, we see the same countdown and the $99 USD limited-time offer for an item with an MSRP of $379:
The Shimano template resembles the previous three:
With low prices.
The same countdown, limited-time offer, and $99 USD price for an item with an MSRP of $419:
It should be noted that these similarities are repeated in all the sites we have identified.
Finally, the About Us section of each of these sites not only contains the same verbiage but is also laid out the same way, with only a slight difference from the milwauketools[.]shop page:
Each of these fraudulent domain names is, on average, only a few months old; the oldest of them at the time of writing (intexpool-us[.]com) is more than five months old.
In the screenshot below, we list the domain names of other imitation retail sites discovered by FortiGuard Labs, their creation dates, their shared registrar and CDN, and their use of a common template:
Coincidentally, at the time of our investigation, Shimano issued a press release warning consumers about fraudulent sites impersonating its brand, stating that it was attempting to take down the copycat sites by legal means, as reported in this article.
How is all this possible? Isn’t building a site only to have it taken down a huge waste of time?
Websites and e-commerce software have evolved considerably over the past decade. With the widespread use of content management systems (CMS), where the CMS and shopping cart are combined with a content delivery network (CDN) in front of a web host, bad actors can deploy e-commerce sites in record time.
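The clustering described above (same template, same cart code, same About Us text, same registrar) can be reproduced mechanically. The following is an added example, not FortiGuard Labs code: it fingerprints storefront pages by the template markers the report describes (countdown timer, flat $99.00 price, the string “刷新按钮” in the cart script, identical About Us copy) and groups the domains that collide, while showing that the CDN-fronted IP address, shared here by a legitimate site as well, does not separate them. Every domain other than milwauketools[.]shop, the registrar names, the IP address and the HTML fragments are constructed for illustration.

```python
"""Cluster look-alike storefronts by a shared page template.

Added example, not code from FortiGuard Labs. Domains (other than
milwauketools[.]shop), registrars, the IP address and the HTML are
constructed; the markers searched for are the ones the report describes.
"""
import hashlib
import re
from collections import defaultdict

# Constructed: identical About Us copy reused across the scam storefronts.
ABOUT_US = "We are a professional company committed to quality and service."

# Constructed page template shared by the scam sites (braces doubled for .format).
SCAM_TEMPLATE = (
    '<div id="countdown" data-end="2021-11-30">Limited time offer!</div>'
    '<s class="msrp">${msrp}</s> <span class="price">$99.00</span>'
    '<script>/* 刷新按钮 */ function refreshCart() {{ location.reload(); }}</script>'
    '<section class="about">{about}</section>'
)

# Constructed page of an unrelated, legitimate store on the same CDN.
LEGIT_PAGE = (
    '<span class="price">$659.00</span>'
    '<section class="about">Family-owned hardware store since 1987.</section>'
)


def scam_page(msrp):
    """Render the shared template with a different crossed-out MSRP."""
    return SCAM_TEMPLATE.format(msrp=msrp, about=ABOUT_US)


CDN_IP = "203.0.113.10"  # constructed: one CDN edge fronting every site below
SITES = {
    "milwauketools[.]shop":    {"registrar": "Registrar-A", "ip": CDN_IP, "html": scam_page("659.00")},
    "storefront-b[.]shop":     {"registrar": "Registrar-A", "ip": CDN_IP, "html": scam_page("699.00")},
    "storefront-c[.]com":      {"registrar": "Registrar-A", "ip": CDN_IP, "html": scam_page("379.00")},
    "storefront-d[.]shop":     {"registrar": "Registrar-A", "ip": CDN_IP, "html": scam_page("419.00")},
    "family-hardware.example": {"registrar": "Registrar-B", "ip": CDN_IP, "html": LEGIT_PAGE},
}

# Template markers taken from the report's observations.
MARKERS = {
    "countdown_timer": re.compile(r'id="countdown"'),
    "flat_99_price": re.compile(r'class="price">\$99\.00<'),
    "cn_refresh_button": re.compile("刷新按钮"),
}


def about_us_text(html):
    """Return the About Us copy with whitespace normalised, or '' if absent."""
    m = re.search(r'<section class="about">(.*?)</section>', html, re.S)
    return " ".join(m.group(1).split()) if m else ""


def fingerprint(html):
    """Hash which markers are present plus the About Us copy.
    Pages built from the same template collide; unrelated pages do not."""
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(html))
    material = "|".join(hits) + "||" + about_us_text(html)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def analyze(sites):
    """Group domains by template fingerprint and, separately, by resolved IP.
    clusters keeps only fingerprints shared by two or more domains, together
    with the registrars those domains use."""
    by_template, by_ip = defaultdict(list), defaultdict(list)
    for domain, rec in sites.items():
        by_template[fingerprint(rec["html"])].append(domain)
        by_ip[rec["ip"]].append(domain)
    clusters = []
    for fp, domains in by_template.items():
        if len(domains) < 2:
            continue
        clusters.append({
            "fingerprint": fp,
            "domains": sorted(domains),
            "registrars": sorted({sites[d]["registrar"] for d in domains}),
        })
    return clusters, dict(by_ip)


if __name__ == "__main__":
    clusters, by_ip = analyze(SITES)
    for c in clusters:
        print("template %s: %s (registrar: %s)" % (c["fingerprint"], ", ".join(c["domains"]), ", ".join(c["registrars"])))
    for ip, domains in by_ip.items():
        print("IP %s is shared by %d domains, so it alone identifies nothing" % (ip, len(domains)))
```

The template fingerprint puts the four scam storefronts in one cluster with a single registrar and leaves the legitimate store out, even though all five resolve to the same CDN address. On real pages the marker list would be built from whatever is actually reused (script paths, CSS class names, favicon hashes), but the approach is the same.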
What exactly is a CDN?
A CDN essentially allows fast and efficient delivery of web content to requests from around the world. To do this, it distributes local caches of the website’s content across geographic locations, using a network of servers to deliver the content. A CDN provider places servers at Internet Exchange Points (IXPs) between different Internet service providers so that it can serve content geographically closer to the website’s visitors, giving them faster page loads.
CDNs were once the domain of only giant companies; however, as the cost of CDNs has fallen, many web hosting providers that offer shopping carts also offer CDN services. This has an additional benefit for cybercriminals: the CDN also hides the origin IP address, which means that many websites (good and bad) share the same IP address. Not only does this make attribution difficult, but it also gives the bad actor another layer of anonymity.
How do people find these sites?
People find these sites through simple keyword searches in search engines. They enter the specific product they are looking for, and the product appears in the Shopping tab or is promoted through keyword placement. Other marketing avenues include promotions on social media.
My and/or my company’s intellectual property has been infringed. What can I do?
In addition to consulting your own legal counsel (if you have the budget or in-house counsel), you will have to rely on the domain registrar to take action. Because of the anonymity of WHOIS records, and because the CDN hides the bad actor’s real IP address, it can be very difficult to find out who is behind the domain in question. Contacting the registrar listed in the WHOIS record is the most productive approach, as many reputable registrars have an abuse contact for domain names that violate their terms of service.
Do we know who these threat actors are?
Unfortunately not. Because the domain registrar and the use of a CDN allow a high degree of anonymity, we do not know who these scammers actually are or whether they work alone or as part of a larger group. Given the identical templates and modus operandi, it is most likely the work of a single group. But it is also possible that this template is being reused by various other scammers.
Exercise due diligence and review websites for inconsistencies, such as inconsistent fonts, inconsistent use of colors, changes in language usage, differing prices or descriptions in the text, etc.
Check the WHOIS to see how long the domain has existed.
Look for typos and grammatical errors (major corporations hire editors).
Email the company you suspect may be fake before making a purchase.
Do not impulsively buy an item just because it is very cheap. As the old saying goes, if it’s too good to be true, it probably is.
Don’t panic. If you think you’ve been the victim of a scam, call your credit card company and let them know of a possible scam.
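The WHOIS and price checks in the list above can be scripted. The following added example (not from the original post) parses the registration date out of both legacy WHOIS text and an RDAP response, measures how close a domain’s label is to a genuine brand domain, and flags an asking price far below MSRP. The WHOIS record, RDAP document, analysis date, brand list and the $99 asking price are constructed assumptions; only the field layouts are real (the “Creation Date:” line of gTLD WHOIS output and the RDAP “events” array with an “eventAction” of “registration”, RFC 9083).

```python
"""Pre-purchase checks on an unfamiliar storefront: domain age and brand look-alike.

Added example, not FortiGuard Labs code. WHOIS text, RDAP document, analysis
date, brand list and prices are constructed; only the field layouts are real.
"""
from datetime import datetime, timezone
import re

# Genuine brand domains to compare against (assumed list for the example).
LEGIT_BRANDS = ["milwaukeetool.com", "oculus.com", "blinkforhome.com", "shimano.com"]

# Constructed WHOIS output for a look-alike domain.
WHOIS_TEXT = """Domain Name: MILWAUKETOOLS.SHOP
Registrar: Example Registrar, Inc.
Creation Date: 2021-11-21T03:14:07Z
Registry Expiry Date: 2022-11-21T03:14:07Z
"""

# Constructed RDAP domain object for an older look-alike domain.
RDAP_DOC = {
    "objectClassName": "domain",
    "ldhName": "intexpool-us.com",
    "events": [
        {"eventAction": "registration", "eventDate": "2021-06-10T12:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2022-06-10T12:00:00Z"},
    ],
}

# Constructed "time of writing" used for the age calculations.
NOW = datetime(2021, 11, 26, 12, 0, tzinfo=timezone.utc)


def parse_timestamp(stamp):
    """Parse an RFC 3339 timestamp; fromisoformat wants +00:00 rather than Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def creation_date_from_whois(text):
    """Pull the registration time from legacy WHOIS output."""
    m = re.search(r"^\s*Creation Date:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return parse_timestamp(m.group(1)) if m else None


def creation_date_from_rdap(doc):
    """Pull the registration event from an RDAP domain object."""
    for event in doc.get("events", []):
        if event.get("eventAction") == "registration":
            return parse_timestamp(event["eventDate"])
    return None


def domain_age_days(created, now):
    return (now - created).days


def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Lower-case, undefang '[.]' and strip a leading 'www.'."""
    d = domain.lower().replace("[.]", ".")
    return d[4:] if d.startswith("www.") else d


def lookalike_brand(domain, brands=LEGIT_BRANDS, max_distance=2):
    """Return the brand a domain imitates, or None. The genuine brand domain is
    never flagged; otherwise the label left of the TLD is compared with each
    brand label, so a misspelling (milwauketools vs milwaukeetool) and the
    right name on the wrong TLD (milwaukeetool.shop) are both caught."""
    name = registrable(domain)
    if name in brands:
        return None
    label = name.rsplit(".", 1)[0]
    best = None
    for brand in brands:
        dist = levenshtein(label, brand.rsplit(".", 1)[0])
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best[0] if best else None


def assess(domain, created, now, price, msrp, brands=LEGIT_BRANDS, young_days=30):
    """Return the red flags raised for one storefront (empty list if none)."""
    flags = []
    age = domain_age_days(created, now)
    if age < young_days:
        flags.append("domain registered only %d days ago" % age)
    brand = lookalike_brand(domain, brands)
    if brand:
        flags.append("domain imitates %s" % brand)
    if msrp and price < 0.5 * msrp:
        flags.append("price is %.0f%% below MSRP" % (100 * (1 - price / msrp)))
    return flags


if __name__ == "__main__":
    created = creation_date_from_whois(WHOIS_TEXT)
    # $99 is a constructed asking price; $659 is the kit's usual price.
    for flag in assess("milwauketools[.]shop", created, NOW, price=99.00, msrp=659.00):
        print("RED FLAG:", flag)
```

Edit distance catches misspelled brand labels, but not names that merely contain the brand (“brand-sale”); a substring test on the brand label is the obvious extension. These are heuristics that justify a closer look, not proof of fraud: a young domain with a steep discount is exactly the profile described in this post, but legitimate new stores exist too.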
As the Internet evolves, so does software. As a result, the gap between professional and amateur e-commerce sites has narrowed significantly. A professional-looking storefront, once rarely seen as part of a counterfeit website scam, can now be seamlessly built by anyone with working knowledge of a content management system (CMS). This makes it difficult to spot fraudulent websites without investigating them. In fact, a user with moderate technical knowledge can get a professional-looking e-commerce site online in a matter of hours, especially when using a ready-made template.
Users are strongly encouraged to thoroughly review anything they are unfamiliar with before making a purchase.
Where possible, FortiGuard Labs has contacted the owners of the infringed trademarks/intellectual property as a courtesy notice.
All URLs related to these fraudulent sites have been added to the web filtering client.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.
Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.