Retailers beware: Hackers are using look-alike domains to steal your customers’ data


More and more consumers are turning to the internet to buy everyday goods and gifts – in the 2019 holiday period alone online shopping rose by 13.6% – but as they do, so too will cyber criminals. Retailers need to be aware of the continued rise of look-alike domains, how these sites use security tools to seem legitimate and how to combat the rise of sites spoofing retailers’ identities to steal customer credentials and data.

Phishing for customers

One of the big trends that impacts consumers is phishing attacks, which can specifically catch out bargain-hunting consumers. These attacks have become even more effective in recent years through the use of certificates that give them a more authentic look. As a result, we are seeing a growing number of malicious, look-alike domains used in phishing attacks.

Cyber attackers are creating fraudulent domains that are almost identical to real retailer sites, with very similar URLs which simply substitute a few characters to look the same at a glance. The malicious websites they point to closely mimic the legitimate, well-known retail websites, making it difficult for customers to detect them. Many of these malicious pages use a trusted certificate to provide a ‘secure’ connection, making the site appear safe to online shoppers. Customers then unknowingly provide sensitive account information and payment data to the cyber attackers.

We see this regularly with PayPal, one of the most frequently spoofed global brands and a company used by many retailers. In Q3 of 2019 alone, there were 16,547 unique PayPal phishing URLs set up. Many of these fake sites will be using certificates to create a ‘secure’ connection, with research showing more than half of phishing websites do so in order to appear legitimate.

Seeing double?

It is becoming increasingly difficult to detect phishing websites as companies push to encrypt more web traffic. While this generally improves security for users, many retailers don’t have the technology in place to find these malicious sites and remove them. Phishing websites put customers’ data at risk, damage a legitimate retailer’s reputation and cut into their bottom line.

Recent research shows just how prominent these look-alike domains are. The research analysed suspicious domains, often used to steal sensitive data from online shoppers, targeting 100 major retailers. These retailers – in the UK, US, France, Germany and Australia – had over 100,000 look-alike domains, all using valid certificates to make their site appear safe and trusted.

This problem of look-alike domains is worsening – in the past year, the number of look-alike domains for retailers has more than doubled. This has brought the total number of certificates used for look-alike domains to more than five times the number for authentic retail domains. Of all the countries involved in the research, the UK had the largest ratio of look-alike domains targeting retailers. There are over seven and a half times more look-alike domains than valid retailer websites here.

Protecting your customers

Thankfully, there are several steps online retailers can take to protect their customers from the risks of look-alike websites:

  • Detect malicious certificates. All publicly trusted certificates are published to open logs. Monitoring and analysing these logs enables organisations to detect look-alike domains and certificates before they are used in attacks against customers.
  • Report suspicious domains. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous websites. Retailers can report a suspicious domain at
  • Leverage technology solutions. Brand protection services may help retailers find malicious websites and stop the unauthorised use of their logos or brands. Solutions that provide anti-phishing functionality can help in the search for look-alike domains.
  • Add Certificate Authority Authorisation (CAA) to domains and subdomains. CAA lets organisations determine which certificate authorities (CAs) can issue certificates for domains they own. This lets website owners set policies for entire domains or for specific hostnames.
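The log monitoring described in the first step can be reduced to a name-matching check over the DNS names found in newly logged certificates (Certificate Transparency logs). The following is an added example, not code from the article or from Venafi; the brand domain, the look-alike map and the sample names are constructed assumptions.

```python
import unicodedata

BRANDS = ["examplestore.com"]  # assumption: hypothetical retailer domain
# Small illustrative look-alike map; a production list would be far longer.
CONFUSABLES = str.maketrans("0135\u0430\u0435\u043e", "olesaeo")

def skeleton(label):
    """Fold a DNS label to what it looks like at a glance."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return label.replace("-", "")

def edit_distance(a, b):
    prev = list(range(len(b) + 1))  # Levenshtein, one row at a time
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, brands=BRANDS, max_distance=2):
    """Return (brand, reason) if a certificate name imitates a brand, else None."""
    name = name.lower().lstrip("*.").rstrip(".")
    if any(name == b or name.endswith("." + b) for b in brands):
        return None  # the retailer's own domain or subdomain
    try:
        name = name.encode("ascii").decode("idna")  # show xn-- labels as Unicode
    except UnicodeError:
        pass  # keep the name as logged if it cannot be decoded
    for brand in brands:
        target = skeleton(brand.split(".")[0])  # brand name is the first label
        for label in name.split(".")[:-1]:  # every label except the TLD
            folded = skeleton(label)
            if folded == target:
                return (brand, "same-look")
            if edit_distance(folded, target) <= max_distance:
                return (brand, "typo")
            if target in folded:
                return (brand, "embedded")
    return None

# Constructed names, standing in for DNS names parsed from logged certificates.
SAMPLE = ["www.examplestore.com", "examp1estore.com", "exarnplestore.net",
          "examplestore-sale.shop", "gardentools.org"]

def scan(names):  # returns {name: (brand, reason)} for names that need review
    return {n: hit for n in names if (hit := classify(n))}
```

A distance threshold of 2 suits long brand names; for short names it produces false positives and should be lowered.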
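How a CAA policy set on a whole domain interacts with one set on a specific hostname can be checked before publishing it. This added example (not from the article) evaluates a record set using the lookup rules of RFC 8659; the zone contents and CA names are constructed.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA records for a hypothetical retailer: {owner: [(flags, tag, value)]}.
ZONE = {
    "examplestore.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", ";"),  # ";" alone authorises no CA for wildcards
        (0, "iodef", "mailto:security@examplestore.com"),
    ],
    "pay.examplestore.com": [
        (0, "issue", "ca-two.example; accounturi=https://ca-two.example/acct/1"),
    ],
}

def relevant_rrset(zone, fqdn):
    """Climb from the name towards the root; the first non-empty CAA set wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(zone, name, ca_domain):
    """Would CAA let the CA identified by `ca_domain` issue for `name`?"""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tags = {tag for _, tag, _ in rrset}
    # issuewild, when present, replaces issue for wildcard requests only.
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if wanted not in tags:
        return True  # no restricting property: CAA does not limit issuance
    # The issuer name is the part of the value before any ";" parameters.
    allowed = {v.split(";")[0].strip() for _, tag, v in rrset if tag == wanted}
    return ca_domain in allowed
```

The hostname-level record set replaces the domain-level one for that hostname and everything beneath it; the two are not merged. CAA only governs issuance for names in zones the retailer controls, so it has no effect on a look-alike domain registered by someone else.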

The future of e-commerce

As the research has shown, we should expect even more malicious look-alike websites to pop up in the future trying to deceive consumers, especially in the UK. In order to protect themselves, retailers need the means to discover website domains that are likely to be maliciously targeting their customers.

We can assume key dates on the shopping calendar – Black Friday, Cyber Monday, the Christmas shopping period and January sales – are likely to cause a spike in phishing websites. But retailers can’t afford to be complacent with their reputation on the line. Those who are serious about security should be leveraging industry advances to spot high-risk certificate registrations. It’s only by recognising the danger early, and crippling malicious sites before they cause damage, that retailers can protect their customers from harm, and protect their brand in the process.

Author: Jing Xie, senior threat intelligence researcher, Venafi

Copyright Lyonsdown Limited 2021
