Fraudulent e-Commerce Websites Exploit the Post-New Year’s Day Sales Drive

As we welcome the New Year, we must remember that the bad guys will use every opportunity to exploit events, whether positive or negative in nature. Yes, even the recent disastrous weather on the east coast of the United States was exploited to try to obtain valuable information that could be used for identity and monetary theft from grief-stricken or worried families and friends.

The New Year and its first month bring with them the familiar drive of businesses trying to clear stock, slashing prices to entice us to part with our money and snap up a bargain in the process. Our desire for a great bargain is no secret to the bad guys – they are very aware that we might just be tempted by that seemingly ‘too good to be true’ offer. Setting up a fraudulent website costs them very little, and they play a numbers game: they cast a wide net, and you may be the catch of the day.

Let us explore this further through an example. A fraudulent Swarovski site (Swarovski is the brand name of a popular crystal jewelry manufacturer) was detected by the Websense® ThreatSeeker® network. The site hxxp://www.swarovskisale.co/ purports to sell discounted Swarovski jewelry. The first indicator that something may not be all that it seems is the Top Level Domain, .co. The .co TLD is assigned to Colombia, and it has proved popular among the bad guys because of its lexical similarity to the .com TLD.

The policies regulating registration of the .co TLD allow persons or entities with no domicile in Colombia to register a .co domain. We searched our Websense Security Labs™ database to see whether this brand name was being abused, and a number of results were returned. Further investigation of the registrants' records revealed that the sites share a common registrant.

The registration details appear to be random text, while the email address follows the theme seen here: louisvuitton563@hotmail.com. Using that information, a search of the Websense Whois DB revealed 1500+ websites that follow this email pattern and/or share these same registration details.

Here are some examples:
mulberryorderonline.com
nikenfljerseyspro.com
nikenfloutlet.com
taschenlouisvuitton-de.info
uggbootssoutlettonline.com
prada-fr.info
abercrombies-fra.info
abercrombies-fre.info

At the time of writing this blog, the majority of the examples listed above were parked with GoDaddy and had been registered in October 2012. We can reasonably assume that these sites will be used in the near future in spam or phishing campaigns.
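The pivot described above (brand name in the domain, a lookalike TLD, and a brand-themed registrant email that ties many domains to one entity) can be scripted against WHOIS data. The following is an added example, not Websense code; the WHOIS records, brand list and scoring are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style records (hypothetical sample data, not from the post).
# Registrant text is random-looking and the e-mail follows the brand+digits@hotmail.com theme.
SAMPLE_WHOIS = [
    {"domain": "swarovskisale.co", "registrant": "qwe zxc", "email": "louisvuitton563@hotmail.com"},
    {"domain": "mulberryorderonline.com", "registrant": "asd fgh", "email": "louisvuitton563@hotmail.com"},
    {"domain": "prada-fr.info", "registrant": "rty uio", "email": "louisvuitton981@hotmail.com"},
    {"domain": "example-shop.com", "registrant": "Example Ltd", "email": "admin@example-shop.com"},
]

# Brands to watch for (taken from the post's examples) and the lookalike TLD it describes.
BRANDS = ("swarovski", "louisvuitton", "mulberry", "prada", "abercrombie", "ugg", "nike")
LOOKALIKE_TLDS = ("co",)  # .co reads like .com but is Colombia's ccTLD

# Registrant address of the form <brand><digits>@hotmail.com, as in the post.
EMAIL_THEME = re.compile(r"^(?P<theme>[a-z]+)\d+@hotmail\.com$")


def brand_in_domain(domain):
    """Return the first watched brand embedded in the domain label, else None."""
    label = domain.rsplit(".", 1)[0].lower()
    return next((b for b in BRANDS if b in label), None)


def registrant_cluster_key(email):
    """Group by the brand theme of the address when it matches, else by the exact address."""
    m = EMAIL_THEME.match(email.lower())
    return m.group("theme") if m else email.lower()


def indicators(record):
    """List the red flags the post describes for one WHOIS record."""
    flags = []
    tld = record["domain"].rsplit(".", 1)[-1].lower()
    if tld in LOOKALIKE_TLDS:
        flags.append("lookalike-tld:" + tld)
    brand = brand_in_domain(record["domain"])
    if brand:
        flags.append("brand-in-domain:" + brand)
    m = EMAIL_THEME.match(record["email"].lower())
    if m:
        flags.append("registrant-email-theme:" + m.group("theme"))
    return flags


def cluster_by_registrant(records):
    """Pivot on the registrant e-mail theme to find sibling domains, as the WHOIS search did."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[registrant_cluster_key(rec["email"])].append(rec["domain"])
    return dict(clusters)
```

Feeding real WHOIS output into `SAMPLE_WHOIS` turns the cluster step into a block list of sibling domains before they go live in a campaign.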

In conclusion, the old adage of caveat emptor still applies in the virtual shopping world. Be aware when online: if it sounds too good to be true, it most probably is. Websense can help to protect you from these fraudulent sites. Security Labs researchers constantly conduct the type of research outlined here to protect our customers.

Author: Stephen Meyer.