A large-scale phishing campaign has been active for the past year, targeting over 100 major apparel brands with a global presence. The cyberattack involved the creation of thousands of realistic-looking fake websites. They include region-specific product listings, language localization, and an operational checkout system to encourage victims to make purchases. Due to SEO, some ranked higher in Google searches than the official brands’ websites, making it an effective ploy to steal web traffic in some regions.
This phishing campaign highlights the risk to consumers online and shows a growing online threat to businesses. With cybercriminals able to quickly design and localize convincing websites, they can create web search competition against legitimate companies. That means not only losing potential customers and clients, but also devaluing a brand when a person’s first experience with it is a scam.
Table of Contents
Brands Impacted by the Phishing Campaign
Some Active Fake Websites Aren’t Marked as Unsafe
The Phishing Campaign Targeted Top Rank Web Searches
The Role of SEO In Impersonating Websites
The Phishing Campaign Valued Quantity Over Quality
Website Builders Make Phishing Campaigns More Common
SEO Can Help Protect Businesses Against Fake Websites
Phishing Awareness Training Can Reduce User Risks
How This Website Phishing Campaign Works
The scammers made thousands of fake websites for this phishing campaign on different domains. They were built with variations of using the brand name combined with other words targeted at different regions. From there, they optimized the product listings to feature the location name, converted the text to the local language, and loaded the site with products specific to the brand.
This phishing campaign aims to get people far enough in the checkout process to create an account and make a purchase. To buy something on the fake website we explored, you must create an account first. Even if someone doesn’t buy anything, they’ve been able to gather the user’s personal data.
Brands Impacted by the Phishing Campaign
The threat research team at Bolster shared the names of around 80 brands impacted by the phishing campaign.
| Aigle | Converse | La Sportiva | Puma |
| Alphalete | Danner | Lora Jewel | Reebok |
| AllBirds | Desigual | Lowa Boots | Rieker |
| Ariat | Demonia | Melissa | Rocky Boots |
| Arc’teryx | Dr. Martens | Mephisto | Russell and Bromley |
| Asics | Etsy | Mizuno | Saunk |
| AYBL | Etnies | Muck Boots | Salewa |
| Be Lenka | Fila | Miu Miu | Salomon |
| Bo+Tee | FitFlop | Native Shoes | Sketchers |
| C&A Clothes | Fjallraven | New Balance | Superga |
| Casio | Fossil | New Era Cap | Superdry |
| Caterpillar | Groundies | Nine West | Teva |
| Clarks | Guess | Nike | The North Face |
| Columbia Sportswear | Gola | NoBull | Timberland |
| Kenneth Cole | Hoka | NVGTN | Toms Shoes |
| Kipling | Inov-8 | O’Neill Sportswear | Tommy Hilfiger |
| Kate Spade | Irish Setter | On running | Tretorn |
| Kappa | Keen Footwear | Pandora Jewelers | UGG |
| Vibram | Palladium Boots | Veja Shoes | Vans |
| Vivobarefoot | Wolverine | Young LA |
Most of the brands are part of the apparel industry, covering areas like fashion clothing, outdoor clothing, accessories, sportswear, and footwear. All of them have a strong online presence, making them valuable targets for cyber threats to impersonate.
Some Active Fake Websites Aren’t Marked as Unsafe
That could be due to the scale of the attack or the fact that some rank well in search engines. Either way, if independent cybersecurity teams can detect this phishing campaign, it’s concerning that Google can’t act on it quicker. Some websites have been up for a year, leaving some customers still exposed. Yet, with over 200 million active websites, it’s difficult to develop a process to fairly index and moderate every single one.
The Phishing Campaign Targeted Top Rank Web Searches
Around 65% of spear phishing campaigns are delivered by email, requiring little more than a list of email addresses to start an attack. Fake websites are nothing new either, and they’re commonly linked to phishing emails to gather personal information. What makes this attack unique is it specifically targets web searches by designing sites that are not only realistic looking but can also rank well in search engines.
The Role of SEO In Impersonating Websites
For businesses, search engine optimization (SEO) involves optimizing a web page to make it easier to find a product or service at a given location through a search engine like Google. For example, if searching “IT services Ocala,” our page for managed IT services in Ocala will be a top result. Unfortunately, search engines can also be tricked by malicious websites that use similar keyword-focused techniques.
We dug into the SEO analytics for the official Clarks website for South Africa and compared that to the fake one, which is the number 1 search result as of writing. The results were surprising.
Clarks South Africa – Real Website
Clarks South Africa – Fake Website
Additional SEO Thoughts
The actual Clarks website has relatively few referring domains for the South African region, meaning not many external websites are linking to it. Their website as a whole has a lot more, though. In contrast, the imitation one has nearly four times the number of domains linking to it for that location. For both, there is a mixture of low-value and high-value links. That likely comes from websites automatically using the top-ranking site within specific search terms and not validating it. Additionally, scammers may have partnerships to generate backlinks within their domains or through online services.
While the fake one still has the edge on the current search engine rankings, it’s worth discussing its shorter history and the recent decline. Extending the history length beyond the images above, the official Clarks website has been ranking for 3 years for South Africa and 7 years overall. The imitation has only been around since April of 2022 and didn’t start seeing much traffic until 6-8 months later. Since it copies similar content as other Clarks-themed scam websites and isn’t routinely updated with new original content, Google’s ranking algorithm should eventually catch up with it. But for now, it’s still a problem.
Beyond that, while both sites rank well for what they’re targeting, it’s concerning that a fake website can be that competitive with the business they’re imitating. It’s not only costing Clarks a portion of their sales in South Africa, but it’s also scamming customers out of getting legitimate products and their financial data. The issue is not the fault of any of the brands targeted. Instead, it shows a flaw with how search engines index and prioritize content.
The Phishing Campaign Valued Quantity Over Quality
Since the phishing campaign involved over 6,000 domains, there was no realistic way to handcraft every website. From the handful we checked, a unique website template was built for each brand. They then used those to produce copies of each website, which were then modified for language and product localization. While we didn’t check for translation accuracy, free online tools like Google Translate are commonly used to convert scams into multiple languages. It’s not perfect, but the translations of product listings are usually understandable enough by local speakers.
From an SEO standpoint, they used a similar optimization format across many of their websites. Since that would lead to cross-competition between their fake sites, they likely weren’t expecting all of them to rank highly or last long before being taken down. However, when you flood the internet with thousands of fake websites, a handful are likely to be an SEO success, and those alone are enough to make for an effective phishing campaign.
Website Builders Make Phishing Campaigns More Common
There is an abundance of website builders, which are tools to make it easy to create and maintain professional-looking websites. While that’s great for businesses, that ease of usage also makes phishing campaigns such as this one more common This phishing campaign wouldn’t be nearly as effective without a convincing website and a working checkout system to take payments.
SEO Can Help Protect Businesses Against Fake Websites
Since this attack was designed to use SEO, one of the best ways to protect your business is to use SEO first. That doesn’t mean flooding the internet with thousands of websites; one is more than enough for most organizations. The goal is to establish high ranks for your products, services, and brand. Once you have a foothold, it’s more difficult for scammers to imitate your website and steal web traffic.
Phishing Awareness Training Can Reduce User Risks
Like with many online threats, this phishing campaign wouldn’t work unless people fell for it. People are more likely to miss the warning signs since it uses popular apparel brands, convincing websites, and higher web search rankings. That’s why businesses must teach employees about online threats through awareness training. It involves educating employees on cyber threats and safe practices to reduce risks.
Failing to educate people may cost much more than simply getting a knockoff pair of shoes. It can give cybercriminals a starting point, leading to more damaging cyberattacks and misused financial data. While this phishing campaign was aimed at apparel brands, like with any footwear, digital threats can come in almost any size and shape.
If your business needs help with cybersecurity, awareness training, or has concerns with phishing campaigns, get in touch through our contact form or call us at +1 (800) 297-8293
