FortiGuard Labs Threat Research Report

Black Friday and Cyber Monday kick off the holiday shopping season. In fact, 30% of all retail sales occur between Black Friday and Christmas Day. And since the advent of Cyber Monday, brick-and-mortar and ecommerce stores alike stand to generate a significant portion of their annual revenue over this shopping "holiday" weekend, often allowing retailers to catch up on revenue and meet goals and sales numbers for the year.

In the lead-up to this event, FortiGuard Labs has observed more and more scams involving counterfeit websites that appear to be legitimate ecommerce sites. We say "appear to be" because to the untrained eye these sites may look safe, but if you aren't paying attention they can steal your payment (and possibly payment information) via a purchase you thought was legitimate. Fake ecommerce sites are quickly becoming the latest threat to consumers and they cover a wide range of products to lure potential buyers.

We recently came across a live, active scam that leverages the look and feel of the world's largest companies and their respective trademarks to compel and lure victims into making purchases from their site. These sites are in no way affiliated with the trademark/IP owner, and are recognizable in part because they use the same template over and over in a digital game of whack-a-mole (meaning that as soon as one site gets shut down another one immediately pops up somewhere else).

Several of the high-profile brands we have documented include:

  • Blink (Amazon)
  • Oculus (Facebook)
  • Shimano

Other well-known brand names infringed include:

  • Coleman (Camping Gear)
  • Ninja (Home Appliances)
  • Nu Wave (Home Appliances)
  • Ryobi (Power tools)
  • Makita (Power tools)

We also observed others that have since been taken down:

  • Keurig
  • Nespresso

Common Framework

The websites we've observed have the following characteristics in common:

  • The domain names have only been registered for a few days to a few months
  • All sites are registered with the same registrar
  • They use .TOP and .SHOP top-level domains (.com is also common)
  • They use stolen imagery
  • They contain numerous grammatical errors and inconsistencies in statements
  • Social media buttons do not resolve anywhere or go to accounts that either do not exist or have been deleted
  • Their web hosting providers utilize content delivery networks (CDNs) to remain anonymous (via an IP address that cannot be traced)

Milwauketools.shop (Recently registered on 10/21/21)

Milwaukee Tools is a well-known and globally established tool company based out of the United States. Milwaukee Tools products are usually sold via authorized retailers online or in stores. We came across a recently registered online site, milwauketools[.]shop, that had the look and feel of a professional ecommerce retailer.
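
The traits listed under Common Framework can be turned into a simple triage check for shopper-protection or brand-monitoring workflows. The Python below is an added example, not FortiGuard Labs tooling: it counts how many of those traits a domain record matches, including a one-edit misspelling of a brand name. The 90-day age limit, the three-trait threshold, the brand list, the second sample record and the use of the publication date as the observation date are assumptions.

```python
from datetime import date

SUSPECT_TLDS = {"top", "shop"}   # TLDs named in the report (.com also occurs)
MAX_AGE_DAYS = 90                # assumption: "a few months" read as 90 days
FLAG_AT = 3                      # assumption: traits needed before flagging

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def resembles(label, brand):
    """True if the brand, or a one-edit misspelling of it, occurs in the label."""
    n = len(brand)
    windows = (label[i:i + n] for i in range(max(1, len(label) - n + 1)))
    return brand in label or any(edit_distance(w, brand) <= 1 for w in windows)

def triage(rec, brands, observed):
    """Return the list of report traits that one domain record matches."""
    name, _, tld = rec["domain"].lower().rstrip(".").rpartition(".")
    label = name.split(".")[-1].replace("-", "")   # registrable label, hyphens dropped
    hits = []
    age = (observed - rec["registered"]).days
    if 0 <= age <= MAX_AGE_DAYS:
        hits.append(f"registered {age} days ago")
    if tld in SUSPECT_TLDS:
        hits.append(f".{tld} TLD")
    hits += [f"resembles '{b}'" for b in brands if resembles(label, b)][:1]
    if rec.get("dead_social_links"):               # set by a separate link check
        hits.append("social media buttons lead nowhere")
    return hits

def is_suspect(rec, brands, observed):
    """Flag a record once it matches FLAG_AT or more traits."""
    return len(triage(rec, brands, observed)) >= FLAG_AT

# Constructed sample input; only the first domain and its date come from the report.
BRANDS = ["milwaukee", "makita", "ryobi"]
OBSERVED = date(2021, 10, 29)
SAMPLES = [
    {"domain": "milwauketools.shop", "registered": date(2021, 10, 21)},
    {"domain": "old-hardware-store.example", "registered": date(2009, 3, 2)},
]
```

A brand name alone scores only one trait, so a long-registered domain that legitimately contains the brand is not flagged; the registrar and stolen-imagery traits are left out because they need data the report does not give.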

Disclaimer

Fortinet Inc. published this content on 29 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 29 October 2021 19:41:07 UTC.