6,000 sites used to impersonate 100 top brands and steal your banking info — how to stay safe

banking trojan on phone illustration
(Image credit: Shutterstock)

Shopping for your favorite clothing and apparel brands online could put you at risk of having your credit card data stolen by hackers, thanks to a widespread brand impersonation campaign currently making the rounds online.

The campaign, which has been underway since June of last year, uses fake websites to impersonate more than 100 popular brands including Nike, Adidas, Puma, Skechers, New Balance, Timberland, Reebok, Vans, The North Face, Fossil, Guess, Kate Spade, Casio and more.

Discovered by the automated brand protection firm Bolster and detailed in a new report, the campaign uses at least 3,000 domains and around 6,000 sites to dupe shoppers into giving up their hard-earned cash and financial details to scammers. While some of the shoppers who have purchased goods from these fake sites received low-quality knockoffs, others got nothing at all after completing their orders.

To make matters worse, just like legitimate online shopping sites, these fake sites also collect the email addresses, credit card details and other personal information of unsuspecting shoppers. With these details in hand, the scammers behind the campaign can commit fraud or even identity theft.

Tricking users into shopping at fake online stores

As BleepingComputer points out, the domain names used in this campaign all follow a similar pattern: the brand name is combined with a city or country name, followed by a generic top-level domain (TLD) such as “.com”.

For instance, one of the fake sites masquerading as Puma used the domain “www.puma-italia.com” to trick Italian shoppers into thinking they were shopping at Puma’s official online store.
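As an added illustration (not code from the article or from Bolster’s report), the heuristic below is the kind of check a brand-protection or security team might run over a feed of newly observed domains to flag the brand-plus-geography naming pattern described above. The brand names come from the article; the official-domain mapping, the list of geographic tokens, the generic TLD list and every sample hostname other than www.puma-italia.com are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Brands named in the article. The official domains are an ASSUMPTION for this
# example; a real deployment would take them from the brand's own channels.
BRANDS = {
    "nike": "nike.com",
    "adidas": "adidas.com",
    "puma": "puma.com",
    "skechers": "skechers.com",
    "newbalance": "newbalance.com",
    "clarks": "clarks.com",
}

# Constructed, non-exhaustive list of city/country tokens seen in the pattern.
GEO_TOKENS = {
    "italia", "italy", "espana", "spain", "france", "deutschland", "germany",
    "uk", "usa", "canada", "australia", "india", "mexico", "london", "paris",
    "milano", "madrid", "berlin", "roma",
}

# Generic TLDs the article's pattern uses (constructed list).
GENERIC_TLDS = {"com", "net", "org", "shop", "store", "online"}


@dataclass
class Verdict:
    hostname: str
    level: str          # "ok", "review" or "impersonation"
    reason: str
    brand: Optional[str] = None


def normalize(hostname: str) -> str:
    """Lowercase, strip a trailing dot and a leading 'www.' label."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def classify(hostname: str) -> Verdict:
    """Flag hostnames shaped like <brand><city-or-country>.<generic TLD>."""
    host = normalize(hostname)
    labels = host.split(".")
    if len(labels) < 2:
        return Verdict(host, "ok", "not a registrable domain")
    sld, tld = labels[-2], labels[-1]

    # Allowlist first: the brand's own domain and its subdomains are fine.
    for brand, official in BRANDS.items():
        if host == official or host.endswith("." + official):
            return Verdict(host, "ok", "official brand domain", brand)

    # Collapse separators and digits so 'puma-italia' and 'pumaitalia' compare equal.
    compact = re.sub(r"[-_\d]", "", sld)
    for brand in BRANDS:
        idx = compact.find(brand)
        if idx == -1:
            continue
        remainder = compact[:idx] + compact[idx + len(brand):]
        if remainder in GEO_TOKENS and tld in GENERIC_TLDS:
            return Verdict(host, "impersonation",
                           f"brand '{brand}' + geo token '{remainder}' on .{tld}", brand)
        # Brand name present but no geo token: worth a look, not a confident hit.
        return Verdict(host, "review", f"brand '{brand}' in non-official domain", brand)

    return Verdict(host, "ok", "no monitored brand in name")


def scan(hostnames):
    """Return only the verdicts that need attention, most severe first."""
    order = {"impersonation": 0, "review": 1, "ok": 2}
    hits = [classify(h) for h in hostnames]
    return sorted((v for v in hits if v.level != "ok"), key=lambda v: order[v.level])


if __name__ == "__main__":
    # Constructed sample feed; only www.puma-italia.com is taken from the article.
    feed = ["www.puma-italia.com", "new-balance-usa.com", "shop.nike.com",
            "nike-store.net", "clarks-london.shop", "example.org"]
    for v in scan(feed):
        print(f"{v.level:13} {v.hostname:24} {v.reason}")
```

The allowlist is checked before the pattern match so that subdomains of a brand’s real site are never flagged, and a bare brand name without a geographic token is downgraded to “review” rather than counted as an impersonation, since that combination produces far more benign hits (resellers, fan pages) than the full pattern does.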

Unlike other fake sites that are thrown together quickly, the ones used in this campaign are well made and appear quite convincing, especially when compared with the official sites of the brands being impersonated. Bolster’s researchers also revealed that multiple fake sites were created to impersonate the same brand, with more than 10 each for Nike, Puma and Clarks discovered during their investigation.

To prevent their fake sites from getting flagged as suspicious, the scammers behind this campaign used a technique known as domain aging, in which a domain intended for scams is registered and then left inactive for a long period before being used in any attacks. Oftentimes, scammers will let a domain age for at least two years before using it, according to a report from Confiant released last year.

In this new campaign though, many of the malicious domains were aged for such a long period of time that Google actually indexed them and they’re now more likely to rank higher up in Google Search. As such, these fake sites are more likely to appear towards the top of the search results page and have a higher chance of being clicked on by unsuspecting shoppers.

How to stay safe from fake sites impersonating your favorite brands

A woman looking at a smartphone while using a laptop

(Image credit: Shutterstock)

While you can find some great deals and get products from a wider range of brands online, you also need to be careful. Sites offering brand-name products at a huge discount are easy to spot as fakes, but other fake online stores can be much more convincing.

To avoid falling victim to fake sites that use typosquatting in their domains to appear legitimate, carefully inspect the URL of any online store you’re thinking of shopping at. Although a website may look legitimate at first glance, it’s worth taking the extra time to check the brand’s social media channels or even its Wikipedia page to confirm the URL is the real one.

At the same time, you want to avoid clicking on any of the top links in Google Search. Hackers have been known to abuse Google’s search engine in their attacks, and they have even started buying Google Ads to trick unsuspecting users into navigating to their phishing sites.

For additional protection, you should consider using the best antivirus software on your PC, the best Mac antivirus software on your Mac and one of the best Android antivirus apps on your smartphone. Likewise, the best identity theft protection services can help you recover after falling victim to online fraud or identity theft.

Shopping online is incredibly convenient but rushing to get a deal that’s too good to be true could leave your wallet empty and your personal information exposed online or even for sale on the dark web.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.