Website Phishing Campaign Faked 100+ Apparel Brands

Jul 14, 2023

A large-scale phishing campaign has been active for the past year, targeting over 100 major apparel brands with a global presence. The cyberattack involved the creation of thousands of realistic-looking fake websites. They include region-specific product listings, language localization, and an operational checkout system to encourage victims to make purchases. Due to SEO, some ranked higher in Google searches than the official brands’ websites, making it an effective ploy to steal web traffic in some regions.

This phishing campaign highlights the risk to consumers online and shows a growing online threat to businesses. With cybercriminals able to quickly design and localize convincing websites, they can create web search competition against legitimate companies. That means not only losing potential customers and clients, but also devaluing a brand when a person’s first experience with it is a scam.

How This Website Phishing Campaign Works

The scammers made thousands of fake websites for this phishing campaign on different domains. They were built with variations of using the brand name combined with other words targeted at different regions. From there, they optimized the product listings to feature the location name, converted the text to the local language, and loaded the site with products specific to the brand.

This phishing campaign aims to get people far enough in the checkout process to create an account and make a purchase. To buy something on the fake website we explored, you must create an account first. Even if someone doesn’t buy anything, the scammers have still been able to gather the user’s personal data.

If a purchase is made, since it’s being done by the target directly, there’s less chance of it getting flagged by the bank as suspicious activity. From there, the scammers send a cheap knockoff product to discourage a credit card chargeback, or they send nothing at all. Any details shared during the purchase process may be sold or used for future cyberattacks.
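The domain pattern described above (a brand name padded with region or shop words on a domain the brand does not own) is something a brand-protection or SOC team can watch for in a new-domain or certificate-transparency feed. The following is an added example, not code from the original post or from Bolster: it scores each domain in a constructed feed by brand match, appended region/shop terms, and registration age (the later part of the post notes the fake Clarks site only dates from April 2022, so a young domain carrying a brand name is a useful extra signal). The brand allow-list, region terms and the sample feed are all constructed for illustration.

```python
"""Flag candidate brand-impersonation domains from a domain feed.

Added example (not from the original post). Brand allow-list, region terms
and the sample feed below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Brands to watch, each with the registrable domains the brand really owns.
# Constructed allow-list; a real deployment would load the brand's own data.
BRAND_OWNED = {
    "clarks": {"clarks.com", "clarks.co.uk", "clarks.co.za"},
    "salomon": {"salomon.com"},
}

# Region and shop words of the kind the post says were bolted onto brand names.
# Kept to four or more characters so substring matching does not misfire.
REGION_TERMS = {"southafrica", "australia", "canada", "ireland", "outlet",
                "sale", "shop", "store", "online", "official"}

# Reference date for age calculations (the post's publication date).
TODAY = date(2023, 7, 14)


@dataclass
class Finding:
    domain: str
    brand: str
    matched_terms: List[str]
    age_days: int
    score: int


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: the last two labels, or the last
    three when the suffix is a two-level country code such as co.za."""
    labels = domain.lower().strip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(domain: str, registered: date, today: date) -> Optional[Finding]:
    """Return a Finding if the domain carries a watched brand name but is not
    on that brand's allow-list; None otherwise."""
    reg = registrable(domain)
    sld = reg.split(".")[0].replace("-", "")      # second-level label, hyphens dropped
    for brand, owned in BRAND_OWNED.items():
        if brand not in sld:
            continue
        if reg in owned:
            return None                            # the brand's own site
        leftover = sld.replace(brand, "")
        terms = sorted(t for t in REGION_TERMS if t in leftover)
        age = (today - registered).days
        # 1 point for the brand match, 1 per region/shop term, 2 if under a year old
        score = 1 + len(terms) + (2 if age < 365 else 0)
        return Finding(domain, brand, terms, age, score)
    return None


# Constructed sample feed: (domain, registration date) pairs as a new-domain
# monitor might hand them over. None of these are real findings.
SAMPLE_FEED: List[Tuple[str, date]] = [
    ("www.clarks.co.za", date(2016, 5, 2)),
    ("shop.clarks-southafrica.co.za", date(2023, 2, 1)),
    ("clarksoutletonline.com", date(2022, 4, 10)),
    ("salomon-australia-sale.com", date(2023, 5, 20)),
    ("example-shoes.com", date(2015, 1, 1)),
]


def scan(feed: List[Tuple[str, date]], today: date) -> List[Finding]:
    """Assess every domain in the feed and return findings, highest score first."""
    findings = [f for f in (assess(d, r, today) for d, r in feed) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in scan(SAMPLE_FEED, TODAY):
        print(f"score={f.score} {f.domain} brand={f.brand} "
              f"terms={f.matched_terms} age={f.age_days}d")
```

Findings are a triage queue, not a verdict: a brand's own regional reseller can legitimately register a brand-plus-country domain, so the allow-list needs to be maintained, and the score only orders what an analyst looks at first.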

Brands Impacted by the Phishing Campaign

The threat research team at Bolster shared the names of around 80 brands impacted by the phishing campaign. 

Aigle, Alphalete, AllBirds, Ariat, Arc’teryx, Asics, AYBL, Be Lenka, Bo+Tee, C&A Clothes, Casio, Caterpillar, Clarks, Columbia Sportswear, Kenneth Cole, Kipling, Kate Spade, Kappa, Vibram, Vivobarefoot
Converse, Danner, Desigual, Demonia, Dr. Martens, Etsy, Etnies, Fila, FitFlop, Fjallraven, Fossil, Groundies, Guess, Gola, Hoka, Inov-8, Irish Setter, Keen Footwear, Palladium Boots, Wolverine
La Sportiva, Lora Jewel, Lowa Boots, Melissa, Mephisto, Mizuno, Muck Boots, Miu Miu, Native Shoes, New Balance, New Era Cap, Nine West, Nike, NoBull, NVGTN, O’Neill Sportswear, On running, Pandora Jewelers, Veja Shoes, Young LA
Puma, Reebok, Rieker, Rocky Boots, Russell and Bromley, Saunk, Salewa, Salomon, Sketchers, Superga, Superdry, Teva, The North Face, Timberland, Toms Shoes, Tommy Hilfiger, Tretorn, UGG, Vans

Most of the brands are part of the apparel industry, covering areas like fashion clothing, outdoor clothing, accessories, sportswear, and footwear. All of them have a strong online presence, making them valuable targets for cyber threats to impersonate.

Some Active Fake Websites Aren’t Marked as Unsafe

Google’s Safe Browsing Advisory system can flag unsafe websites. Even if they’re still active, it provides a clear warning for users and greatly decreases the chance of a user falling prey. However, only some still-active fake websites have been marked as dangerous by that system.

That could be due to the scale of the attack or the fact that some rank well in search engines. Either way, if independent cybersecurity teams can detect this phishing campaign, it’s concerning that Google can’t act on it quicker. Some websites have been up for a year, leaving some customers still exposed. Yet, with over 200 million active websites, it’s difficult to develop a process to fairly index and moderate every single one.

The Phishing Campaign Targeted Top Rank Web Searches

Around 65% of spear phishing campaigns are delivered by email, requiring little more than a list of email addresses to start an attack. Fake websites are nothing new either, and they’re commonly linked to phishing emails to gather personal information. What makes this attack unique is it specifically targets web searches by designing sites that are not only realistic looking but can also rank well in search engines.

The above image shows a search for Clarks-branded shoes in South Africa. The top search result is a fake website with a complete checkout system, sizing options, official product images, and over 1,400 shoes listed. The real website sits in the second rank spot, meaning a lot of natural online traffic is being tricked by this phishing campaign. If you spend enough time browsing the fake website, you’ll notice some red flags, but many users won’t.

The Role of SEO In Impersonating Websites

For businesses, search engine optimization (SEO) involves optimizing a web page to make it easier to find a product or service at a given location through a search engine like Google. For example, if searching “IT services Ocala,” our page for managed IT services in Ocala will be a top result. Unfortunately, search engines can also be tricked by malicious websites that use similar keyword-focused techniques.

We dug into the SEO analytics for the official Clarks website for South Africa and compared that to the fake one, which is the number 1 search result as of writing. The results were surprising.

Clarks South Africa – Real Website

The above image shows some SEO analytics for the South African portion of the real Clarks website. It ranks for 42 top-3 keywords. Breaking that down further, there are 17 at rank 1, 17 at rank 2, and 8 at rank 3. Those numbers represent a mixture of different terms people would search online and how close to the top of the search results the site appears for each. Even though it’s a major brand, since the keywords are filtered down to South Africa, nothing looks too far out of place until you look at the statistics for the fake website.

Clarks South Africa – Fake Website

The second image shows the SEO analytics for the impersonation website targeting the same brand and product in the same region. It has nearly double the total keywords, organic traffic, and traffic value. While there have been declines over the past month, it still sits above the official website. Looking at its top-3 keywords, there are 25 at rank 1, 14 at rank 2, and 12 at rank 3. That shows it’s very competitive for similar web searches and outperforms the official site for at least 25 different terms.

Additional SEO Thoughts

The actual Clarks website has relatively few referring domains for the South African region, meaning not many external websites are linking to it. Their website as a whole has a lot more, though. In contrast, the imitation one has nearly four times the number of domains linking to it for that location. For both, there is a mixture of low-value and high-value links. That likely comes from websites automatically using the top-ranking site within specific search terms and not validating it. Additionally, scammers may have partnerships to generate backlinks within their domains or through online services.

While the fake one still has the edge on the current search engine rankings, it’s worth discussing its shorter history and the recent decline. Extending the history length beyond the images above, the official Clarks website has been ranking for 3 years for South Africa and 7 years overall. The imitation has only been around since April of 2022 and didn’t start seeing much traffic until 6-8 months later. Since it copies similar content as other Clarks-themed scam websites and isn’t routinely updated with new original content, Google’s ranking algorithm should eventually catch up with it. But for now, it’s still a problem.

Beyond that, while both sites rank well for what they’re targeting, it’s concerning that a fake website can be that competitive with the business they’re imitating. It’s not only costing Clarks a portion of their sales in South Africa, but it’s also scamming customers out of getting legitimate products and their financial data. The issue is not the fault of any of the brands targeted. Instead, it shows a flaw with how search engines index and prioritize content.

The Phishing Campaign Valued Quantity Over Quality

Since the phishing campaign involved over 6,000 domains, there was no realistic way to handcraft every website. From the handful we checked, a unique website template was built for each brand. They then used those to produce copies of each website, which were then modified for language and product localization. While we didn’t check for translation accuracy, free online tools like Google Translate are commonly used to convert scams into multiple languages. It’s not perfect, but the translations of product listings are usually understandable enough by local speakers.

From an SEO standpoint, they used a similar optimization format across many of their websites. Since that would lead to cross-competition between their fake sites, they likely weren’t expecting all of them to rank highly or last long before being taken down. However, when you flood the internet with thousands of fake websites, a handful are likely to be an SEO success, and those alone are enough to make for an effective phishing campaign.

Website Builders Make Phishing Campaigns More Common

There is an abundance of website builders, which are tools that make it easy to create and maintain professional-looking websites. While that’s great for businesses, that ease of use also makes phishing campaigns such as this one more common. This phishing campaign wouldn’t be nearly as effective without a convincing website and a working checkout system to take payments.

SEO Can Help Protect Businesses Against Fake Websites

Since this attack was designed to use SEO, one of the best ways to protect your business is to use SEO first. That doesn’t mean flooding the internet with thousands of websites; one is more than enough for most organizations. The goal is to establish high ranks for your products, services, and brand. Once you have a foothold, it’s more difficult for scammers to imitate your website and steal web traffic.

Phishing Awareness Training Can Reduce User Risks

Like with many online threats, this phishing campaign wouldn’t work unless people fell for it. People are more likely to miss the warning signs since it uses popular apparel brands, convincing websites, and higher web search rankings. That’s why businesses must teach employees about online threats through awareness training. It involves educating employees on cyber threats and safe practices to reduce risks.

Failing to educate people may cost much more than simply getting a knockoff pair of shoes. It can give cybercriminals a starting point, leading to more damaging cyberattacks and misused financial data. While this phishing campaign was aimed at apparel brands, like with any footwear, digital threats can come in almost any size and shape.

If your business needs help with cybersecurity, awareness training, or has concerns with phishing campaigns, get in touch through our contact form or call us at +1 (800) 297-8293
