Ecommerce Website Spoofing and Unauthorized Third-Party Resellers

This post contains the text from the White Paper: Ecommerce Website Spoofing and Unauthorized Third-Party Resellers.

Introduction

Ecommerce sites will always be popular targets for cybercriminals who attempt to steal users' personal and financial information.

One of the emerging ways they do this is by creating fraudulent websites that mimic legitimate ones. This practice, known as website spoofing, has serious consequences for individuals and businesses alike.

Another recently discovered similar threat occurs when an ecommerce website advertises the sale of merchants’ products, as would an authorized third-party reseller, but the site’s intent is solely to steal customer credit card data.

This white paper discusses the dangers of both ecommerce site spoofing and unauthorized third-party resellers, how they work, and what individuals and businesses can do to protect themselves.

The Dangers of Ecommerce Website Spoofing and Unauthorized Third-Party Resellers

Ecommerce site spoofing poses a significant threat to both individuals and businesses. Cybercriminals can use spoofed sites to steal users' personal and financial information, such as credit card numbers, bank account details, and login credentials. They can then use this information to make fraudulent purchases, steal money from bank accounts, or commit identity theft.

For businesses, ecommerce site spoofing can damage their reputation and erode customer trust. Customers who fall victim to these scams may blame the business for not providing adequate security measures and may be less likely to do business with them in the future. Additionally, businesses may suffer financial losses due to chargebacks and lost sales.

The most significant danger is that these attacks can happen to any website–even if that website has no obvious security vulnerabilities. Plus, the attack is often so subtle that it can go undetected for long periods of time.

In one case, we saw that the merchant’s IT staff even knew about the spoofed website, but thought they owned it because their code updates, sales, and other changes were instantly reflected in the fake website. They didn’t worry about it because orders placed on that website appeared in their database. Most importantly, they got paid. Yet, the illicit website was harvesting the customer credit card data of every transaction going through the spoofed website.

Another danger is that these attacks leave almost no detectable footprint on the merchants’ web servers. This can happen because the attack does not exploit any particular security flaw. Web spoofing takes advantage of how websites work in general. So, even if logs are monitored and alerts reviewed, it is possible that even seasoned IT staff will not spot anything unusual happening.

These attacks can even evade professional investigators. In one of our recent cases, the merchant had multiple previous forensic investigations performed. None of those investigations revealed evidence of a data breach or even a major security vulnerability. In fact, our own investigation agreed with the two previous conclusions. We found nothing wrong with the merchant’s website.

This lack of evidence was not due to not looking hard or deep enough. There was simply nothing to be found. It was not until we started looking outside the standard forensic data set that we found a large number of unauthorized resellers advertising the merchant’s products to collect credit cards from deceived customers.

How Ecommerce Website Spoofing Works

Ecommerce site spoofing typically involves the creation of a fraudulent website that closely resembles a legitimate ecommerce site. The domain name and URLs are made to visually resemble the originals, with minimal alterations (e.g., one character), so that at first glance they appear to belong to the legitimate website. Attackers often also use fake SSL certificates to make their sites appear more legitimate.

Attackers can even write clever scripts that instantly mimic changes made to the legitimate website so that their fake website looks and acts just like the merchant’s website. If a product goes on sale on the real website, it automatically goes on sale on the spoofed website. This has often fooled merchants’ IT staff into thinking they owned and controlled the spoofed website because their changes were instantly visible.

Bad actors may even create domain names that appear to be owned by the merchant by using the same domain registrar and hosting provider. For example, if a merchant owns the domain name retailwidgets.com, an attacker might register retailwidget.com with the same registrar and host it on the same hosting provider.
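A merchant-side check for the look-alike pattern just described, as an added example that is not part of the original white paper. The candidate list, the confusable-character map, and the two-edit threshold are assumptions chosen for illustration; only retailwidgets.com and retailwidget.com come from the text.

```python
# Added example. Assumes domains of the form name.tld; sample data is constructed.
OWNED = {"retailwidgets.com"}  # the page's example merchant domain

CANDIDATES = [  # constructed, e.g. gathered from search results or referrers
    "retailwidgets.com",   # owned
    "retailwidget.com",    # one character dropped (the page's example)
    "retailwidgest.com",   # two adjacent characters swapped
    "retai1widgets.com",   # digit 1 in place of letter l
    "retailwidgets.shop",  # same name under another TLD
    "example-garden.com",  # unrelated
]

# Commonly confused characters; an illustrative assumption, not exhaustive.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(candidate, owned=OWNED, max_edits=2):
    """Return why a candidate resembles an owned domain, or None if it does not."""
    cand = candidate.lower().rstrip(".")
    if cand in owned:
        return None
    c_name = cand.partition(".")[0]
    for real in owned:
        r_name = real.partition(".")[0]
        if c_name == r_name:
            return f"same name as {real}, different TLD"
        if c_name.translate(CONFUSABLE) == r_name.translate(CONFUSABLE):
            return f"confusable characters vs {real}"
        dist = osa_distance(c_name, r_name)
        if dist <= max_edits:
            return f"{dist} edit(s) from {real}"
    return None

def find_lookalikes(candidates=CANDIDATES):
    return {c: reason for c in candidates if (reason := classify(c))}  # flagged -> why
```

Flagged names are leads to review against the list of domains the merchant actually owns, not proof of fraud on their own.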

Cybercriminals may use a variety of tactics to lure users to these sites, such as sending phishing emails, using social engineering techniques, or even getting their forged website ranked on popular search engines so that searches for particular products would put their website or products in with the search results.

Once a user lands on a spoofed site and initiates a purchase, they will be prompted to enter their personal and financial (e.g., credit card) information. The site may also install malware on the user's device, which can steal information or allow the cybercriminal to control the device remotely. However, the fake website will not immediately charge the customer’s credit card. Instead, they simply collect the transaction information.

Once the cybercriminals have all the information, they can manually (or use automated scripts to) place a real order on the merchant’s legitimate website, and then the crime is complete. The merchant gets paid, the customer gets exactly what they ordered, and the bad actor gets stolen credit card data. Everybody is happy until the stolen credit card is eventually used to purchase goods somewhere in the world, and the customer then learns that their credit card is being used fraudulently.

When a credit card transaction is reported as fraudulent, the card brands use algorithms that triangulate that purchase back to the merchant most likely to have lost control of the credit card.

In the case of website spoofing, or unauthorized resellers, the credit card was actually stolen before the legitimate transaction ever occurred on the merchant’s website. However, the merchant still gets flagged for that transaction, even though the credit card was not stolen by any security breach on their website or through any lack of due diligence on their part to protect the transaction data.

Protecting Against Ecommerce Site Spoofing

Individuals and businesses can take steps to protect themselves against ecommerce site spoofing. Here are some tips:

For Customers:

  1. Verify URL: Before entering any personal or financial information on a website, check the domain name to make sure it is legitimate. Look for the padlock symbol and "https" in the URL, which indicate that the site is using SSL encryption. Even if the domain looks legitimate, make sure it is the exact domain name that you normally use to shop. Be aware of look-alike domains.
  2. Be cautious of emails: Don't click on links in emails from unknown senders, as they may be phishing emails designed to lure you to a spoofed site. Attackers may pose as a legitimate vendor with whom you regularly do business.
  3. You can intentionally put in the wrong CVV number on the first order attempt. The transaction should decline. If you get a message that your transaction was approved, it may be a fraudulent website. Call the company immediately using a known good phone number and have them verify your order and the domain name. If your transaction declines, as it should, simply put in the real CVV and finish your order.
  4. Keep software up to date: Keeping your operating system and antivirus software up to date helps protect against malware.
  5. Use a VPN: A virtual private network (VPN) can help protect your online activity by encrypting your traffic and masking your IP address.

For Merchants:

  1. Know your domain names: Know which domain names are legitimately being used to sell your products. Merchants often use multiple domain names to catch more traffic. Know which ones you own and which you don’t. Attackers will often try to register domain names that are similar to yours.
    You may wish to register obvious domain names similar to your own. However, owning many domain names may also make it easier for an attacker to sneak a new domain into the mix.
  2. Monitor and retain IP addresses for each order. If you start receiving multiple orders from the same IP address, but with different shipping addresses, you may be the victim of a spoofed website or unauthorized reseller.
  3. Know your authorized resellers: Know who is and isn’t authorized to resell your products. Regularly use search engines to find where your unique products are being sold.
  4. Add planted products to your catalog: Add products to your offerings that are unique only to your website–real or fake. (If they’re fake, have 0 supply.) Regularly search the Internet for these unique products being sold by unauthorized resellers. Investigate anytime your unique product is found.
  5. If you find a bad actor using a look-alike domain name to sell your products, report it to the domain registrar, hosting provider, and legal authorities.
  6. Add passive bot blockers to your checkout process: Stopping automated payment form submission will force bad actors to manually submit any fraudulent orders they captured from their spoofed domains. This will greatly slow the rate at which they can commit the fraud.
  7. Know the average pacing and time periods that your orders are placed: If you receive dozens of orders at 3 AM all within seconds of each other, when normally you receive none, or few at that hour, investigate thoroughly.
  8. Educate employees: Businesses should educate employees on the dangers of website spoofing and provide training on how to recognize and avoid these scams.
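Merchant items 2 and 7 above (one IP address with many shipping addresses, and bursts of orders at normally quiet hours) can be checked against an order export. The following is an added example, not part of the original white paper; the order tuples, the thresholds, and the `usual_per_hour` baseline are constructed assumptions, and timestamps are taken to be in the merchant's local time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_orders():
    """Constructed orders: (order id, timestamp, client IP, shipping address)."""
    orders = [
        ("A100", "2024-05-01T14:02:11", "198.51.100.7", "12 Oak St, Denver CO"),
        ("A101", "2024-05-01T16:40:03", "198.51.100.9", "88 Pine Ave, Austin TX"),
        ("A102", "2024-05-01T16:55:47", "198.51.100.9", "88 Pine Ave, Austin TX"),
    ]
    start = datetime(2024, 5, 2, 3, 0, 0)
    for n in range(6):  # six orders 4 s apart, one IP, six shipping addresses
        ts = (start + timedelta(seconds=4 * n)).isoformat()
        orders.append((f"B20{n}", ts, "203.0.113.50", f"{n + 1} Elm Rd, Town {n}"))
    return orders

def shared_ip_many_addresses(orders, min_addresses=3):
    """IPs whose orders ship to at least min_addresses distinct addresses."""
    seen = defaultdict(set)
    for _, _, ip, addr in orders:
        seen[ip].add(" ".join(addr.lower().split()))  # normalize case and spacing
    return {ip: len(a) for ip, a in seen.items() if len(a) >= min_addresses}

def order_bursts(orders, usual_per_hour, window=timedelta(seconds=60),
                 min_orders=3, factor=3):
    """Windows with >= min_orders orders and more than factor x the usual
    count for that whole hour of day (usual_per_hour: hour -> typical orders)."""
    times = sorted(datetime.fromisoformat(ts) for _, ts, _, _ in orders)
    best, left = {}, 0  # window start -> (window end, orders in window)
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        count = right - left + 1
        usual = usual_per_hour.get(times[left].hour, 0)
        if count >= min_orders and count > factor * usual:
            best[times[left]] = (t, count)  # same start: later hit is larger
    return [(s, e, c) for s, (e, c) in best.items()]
```

On the constructed data, both checks single out the six 3 AM orders from 203.0.113.50; shared office or carrier NAT addresses can trip the first check, so treat a hit as a reason to investigate.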

How Unauthorized Third-Party Resellers Work

Websites that sell goods that they did not produce are not uncommon and are typically completely legitimate. This is known as an authorized third-party reseller. Amazon is a perfect example of this, but there are countless smaller sites that legitimately sell products or services that they do not own, but are authorized to sell. However, serious hazards arise when the site selling the goods is not authorized to do so. These posers may be selling counterfeit goods, or they may just take your money and not deliver anything at all.

Recently, another version of unauthorized reselling has come to light. In these instances, a bad actor puts up a convincing website selling your products, with all of the earmarks of being a legitimate reseller. They will take the orders and the customer credit cards; the customer actually receives the bona fide product, but here’s the catch—the bad actor simply goes to a legit seller’s site and places the order using the customer’s information (e.g., credit card, name, shipping address).

The customer receives the goods, so they are no more the wiser. The entire intent of the bad actor is to capture customer credit card data and their personally identifiable information (PII).

Here is where things get really bad: When the bad actor begins to use or sell the stolen credit card data, the legitimate merchant is identified as having potentially been breached and is mandated to pay for an expensive, in-depth investigation looking for the source of the data breach. And no matter the expertise of the investigating body, they are not going to find evidence of a data breach because the credit cards were stolen from the website operated by the bad actor, leaving no indicators of compromise on the legitimate website.

Hazards of buying from unauthorized third-party resellers

  1. Counterfeit products: Unauthorized third-party resellers may sell counterfeit products, which are often of inferior quality and can be dangerous to consumers. Counterfeit products can also damage the reputation of legitimate businesses, as consumers may blame them for the poor quality of the product.
  2. Fraudulent activities: Some unauthorized third-party resellers engage in fraudulent activities, such as selling non-existent products or collecting payments but not delivering the products (or simply stealing the credit card and then placing the order on a legit site, as described above). This can lead to financial loss for consumers and damage the reputation of legitimate businesses.
  3. Pricing inconsistencies: Unauthorized third-party resellers may sell products at prices significantly higher or lower than the prices set by legitimate businesses. This can create confusion among consumers and disrupt the pricing strategy of legitimate businesses.
  4. Unauthorized use of intellectual property: Unauthorized third-party resellers may use the trademarks, logos, and other intellectual property of legitimate businesses without permission. This can lead to legal disputes and damage the reputation of legitimate businesses.
  5. Lack of customer support: Unauthorized third-party resellers may not provide customer support, such as returns, exchanges, and warranties, which can lead to frustration and dissatisfaction among consumers.

Overall, it is important for consumers to be cautious to avoid purchasing products from unauthorized third-party resellers and for legitimate businesses to take steps to protect their brand and intellectual property from unauthorized use.

Protect Yourself Against Unauthorized Third-Party Resellers

Here are some tips to protect yourself from the ill effects of buying from an unauthorized third-party reseller:

For Customers:

  1. Research the seller: Before making a purchase, research the seller to ensure that they are authorized to sell the product. Look for reviews and feedback from other customers to determine their reputation.
  2. Verify the product: Verify that the product you are purchasing is authentic by checking the manufacturer's website for authorized dealers or resellers.
  3. Protect your personal information: Only provide personal information to reputable sellers and be cautious of sharing your credit card information or other sensitive data with third-party resellers.
  4. Check the return policy: Make sure the seller has a clear return policy and that it is consistent with the manufacturer's policy.
  5. Use a secure payment method: Use a secure payment method such as PayPal or a credit card to protect yourself in case the product is not as described or does not arrive.
  6. If an unknown website lists a phone number, call it. Most fraudulent websites do not list a legitimate phone number. If you do get an answer, ask about a product that does not exist. If they are a scam, they will try to sell it to you and get your credit card information. Hang up on them, and report the website to the domain registrar, hosting provider, and legal authorities.
  7. If a deal is too good to be true, it probably is. Many fraudulent websites are aggressively advertised on social media with incredible deals. Many of these products are fakes, if you are lucky enough to receive a product at all. Other products, such as software or hardware, contain malware and are sold cheaply, primarily for the purpose of getting you to plug them into your home or work network.

For Merchants:

  1. Consider having a list of your authorized third-party resellers posted on your site.
  2. Know your authorized resellers: Know who is and isn’t authorized to resell your products. Regularly use search engines to find where your unique products are being sold.
  3. Add planted products to your catalog: Add products to your offerings that are unique only to your website–real or fake. (If they’re fake, have 0 supply.) Regularly search the Internet for these unique products being sold by unauthorized resellers. Investigate anytime your unique product is found.
  4. If you find a bad actor using a look-alike domain name to sell your products, report it to the domain registrar, hosting provider, and legal authorities.

By taking these steps, you can protect yourself and your business from the potential negative effects of buying from unauthorized third-party resellers.

Conclusion

Ecommerce website spoofing and unauthorized third-party resellers are serious threats that can have significant consequences for both individuals and businesses. They are hard to detect and investigate.

By understanding how these scams work, implementing strong security measures, and educating employees, you can take the necessary steps to protect yourselves, your customers, or your businesses from the consequences of falling victim to these scams.