Fashion fraudsters exposed: the battle against domain spoofing

By Eden Winokur, Sam Tempone and Chloe Taylor

Have you discovered an imitation website using your brand name as its domain? Has a customer reported receiving fraudulent communication claiming to be from your brand? Although any organisation can be subject to a cyber attack, there are certain kinds of scams that are becoming increasingly common for brand owners within the retail and fashion industries.

We consider the intersection of fashion and cybersecurity, where the runways and the digital domains collide, and where we strive to keep the couture truly 'haute' and not 'fraud.'

What types of cyber scams are there?

Cybercriminals (commonly known as ‘threat actors’) have an array of tools and tactics at their disposal to conduct scams. These scams are not entirely new, but they are becoming increasingly sophisticated. This includes ‘domain spoofing’.

Domain spoofing is ‘a form of phishing where a cybercriminal impersonates a known business or person with fake website or email domain to fool people into trusting them.’[1]

The most common forms of domain spoofing within the fashion industry are email spoofing, website spoofing and domain name system (DNS) poisoning.

Email spoofing occurs when a cybercriminal sends emails that appear to come from a reputable business to a (usually stolen) customer or marketing distribution list. To seem legitimate, spoofed emails can be carefully tailored to mimic an organisation’s design and branding. These emails often contain a malicious hyperlink or file to lure the recipient to an illegitimate webpage.

Greta was contacted by a regular client of her clothing brand, Greta’s Gowns. Her client told her they received an email appearing to be from Greta’s Gowns promoting a spring sale. The client clicked the link to peruse the sale when they saw a download appearing in their browser window. Turns out, the link downloaded a malicious virus onto the client’s computer.

Website spoofing is a form of cyber attack where the criminal registers a domain name that is similar to a legitimate domain name. This is then used to create a webpage that closely resembles the legitimate site. Often, cybercriminals will use email spoofing in tandem with website spoofing. The spoofed email can include a hyperlink to lure users to the fake webpage, where they may be offered malicious downloads or asked to provide sensitive personal information, such as login credentials or financial information.

Spoofed webpages can be used for advertising fraud, as scammers submit false domains to ad exchanges, misleading advertisers to bid for space on the fake site rather than the genuine one. We saw this happen with popular Australian women’s wear label Witchery in September last year, where sophisticated scammers posted fake links on Facebook and Instagram advertising clearance and sale websites for the brand.[2]

Greta noticed a new website had replaced hers in the coveted top search result position on Google. When she looked closer, she noticed the website closely resembled her own: instead of Curious, Greta clicked the link, only to see her spring collection campaign imagery featured on the fake site in very poor quality, with seriously discounted prices. Greta was shocked at this blatant infringement of her copyright, and worried how this would affect her brand’s reputation or put her customers at risk of fraud.
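One way a brand owner's IT team could triage reported or newly observed domains for the lookalike registrations described above. This is an added example, not part of the original article; the domain `gretasgowns.example`, the substitution table and the distance threshold of 2 are assumptions.

```python
# Added example: triage observed domains against a brand's legitimate domain.
# LEGIT is a hypothetical domain for the article's fictional brand.
LEGIT = "gretasgowns.example"

# Character swaps commonly used to make a lookalike name pass a quick glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(label):
    """Reduce a DNS label to a comparable form: no hyphens, swaps undone."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit=LEGIT):
    """Return a triage verdict for one observed domain name."""
    candidate = candidate.lower().rstrip(".")
    if candidate == legit or candidate.endswith("." + legit):
        return "legitimate"
    brand_label = legit.split(".")[0]
    brand = skeleton(brand_label)
    # Every label is checked, so the brand used as a subdomain is caught too.
    for label in candidate.split("."):
        skel = skeleton(label)
        if skel == brand:
            return "brand-on-other-domain" if label == brand_label else "lookalike"
        if brand in skel:
            return "brand-plus-keyword"
        if edit_distance(skel, brand) <= 2:
            return "typo"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample of observed domains (not real indicators).
    for name in ("shop.gretasgowns.example", "gretasg0wns.example",
                 "gretas-gowns-sale.example", "gretasgown.example", "flowers.example"):
        print(f"{name:30} {classify(name)}")
```

Anything other than "legitimate" or "unrelated" is a candidate for manual review and, where appropriate, a takedown request or report.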

DNS poisoning is a more covert form of cyber attack, where users trying to reach a legitimate site are automatically redirected to an illegitimate site. For example, a user may enter into a web browser, but a page created by the cybercriminal loads instead. The criminal’s page is usually similar to the actual page, but with obvious differences in font styles or page layout.

This creates an opportunity for attackers to use phishing techniques to obtain personal information such as log-in credentials or credit card information. It is a form of IP spoofing that is much harder to detect and is usually employed as a form of censorship. The unexpected online traffic flooding to the redirected site can cause it to crash, known as a distributed denial-of-service (DDoS) attack. This overwhelms the targeted website or server until its resources are exhausted and it slows down or completely crashes.

What are the risks to your business if you are targeted by a threat actor?

Online presence can be make or break for your business. If you lose control of your brand’s digital identity, your reputation and bottom line can really suffer. How will customers be able to connect with your brand or buy your product if they can’t find your (legitimate) website? Like physical assets, protection of your digital assets (including the domain name) needs to be prioritised to maintain your brand’s value and minimise risk.

Spoofing is an impactful tool used by threat actors. It can be used to:

  • distribute malware and perpetuate other types of cyber attacks;
  • protect the scammers’ identities from law enforcement;
  • redirect users to unintended sites to inadvertently collect advertisement revenue, or fool advertisers into bidding to place their ads on unintended webpages; and
  • appear legitimate to avoid being blacklisted by firewalls or other common security controls.

If your brand has been compromised, you risk:

  • Reputation. Your credibility will be all but lost if your customers are receiving scam communications, malicious links, or entering their payment details on scam websites.
  • Revenue. There is the potential for loss of profits if sales are being channelled to scam bank accounts through a fake website instead of your own.
  • Customers. As can be seen in other recent high-profile data breaches, several issues may arise if you suffer a data breach. This can include loss of customers and potentially penalties or enforcement action under the Privacy Act 1988 (Cth). Impacted customers, depending on the type of personal information impacted, can then become the victim of financial fraud or identity theft.
  • Intellectual property. Digital assets copied from your website or brand communications could be an infringement of your copyright.

I’ve been domain spoofed. What do I do?

If you have been domain spoofed, you may require the assistance of IT experts to take down any fake websites or email addresses.

However, prevention is always better than cure: ensure you have website security measures in place to protect your brand and digital assets. The Australian Cyber Security Centre has some great resources, such as up-to-date content relating to business email compromise. Your brand community can be invaluable in situations like this – encourage your customers to reach out early if they see anything suspicious or unusual linked to your online presence.

If you have been the subject of a domain spoofing attack, you should consider seeking legal advice, and there are ways you can report the issue:

  • The .au Domain Administration authority. If you have been the subject of an attack on your domain (and you have an .au domain name), first notify the registrar of record. If it is not resolved, you can request a review by the .au Domain Administration. This relates to breaches or potential breaches of the .au licensing rules. Their Dispute Resolution Policy also has information about intellectual property infringements.
  • ScamWatch. By reporting to ScamWatch, the Australian Competition and Consumer Commission (ACCC) will be alerted to the attack.
  • The Australian Cyber Security Centre (ACSC). By notifying the ACSC through ReportCyber, the incident will be notified to law enforcement, which can assist impacted businesses in various ways.

Having an online presence is paramount for new and established brands; stay vigilant and invest in protecting your digital identity.

This article was prepared with the assistance of Tracey Hoffman, Law Graduate.

[1] What is Domain Spoofing? - CrowdStrike
[2] Popular women's fashion label Witchery targeted in online scam

