[Brand Impersonation] – Media World E-Commerce Fraud


Media Markt is a German multinational chain of over 1000 stores (Media-Saturn Holding) selling consumer electronics across 14 European countries. Media Markt is known as Media World in Italy and Saturn in Luxembourg.

During our PreCrime internet scout of December 20th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting users of Media Markt (Media World).

The Attack

Legitimate sites:

mediaworld[.]it

mediamarkt[.]de

Malicious domain created on December 18, 2022, identified by Bfore.Ai on December 20, 2022

mediaword[.]net

 

[Screenshot: malicious site]

[Screenshot: legitimate site]

How does this attack work?

The URL leads users to a website that presents itself as a Media World website, where users can buy products such as iPhones and PlayStations. The website baits users into buying by claiming that they can “take advantage of our promotion and get a discount of up to 15%”. When looking through the site, many of the prices are indeed lower than on the original website, as shown below.

[Screenshot] Malicious site: price at 323,49 EUR

[Screenshot] Legitimate site: price at 349,99 EUR

How do they trick users into believing the attack is real?

  • Users may be led to the malicious website through a phishing campaign, wherein they are baited into visiting the site by promising them products from Media World/Markt at lower prices. This is a tactic often used by threat actors who seek to exploit weaknesses in human cognitive functions.

  • Copying the branding from Media World/Markt including using the same logo, colours and font.

  • Using a domain name similar to Media World/Markt. The threat actors have removed the letter ‘l’ from the domain, which can be very easy to overlook.
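The missing-letter trick in the last bullet can be checked for mechanically. The following is an added example, not code from Bfore.Ai or from the original report: it flags observed domains whose name is within one edit of a protected brand domain, or identical to it under a different TLD. The helper names, the one-edit threshold and the sample feed (apart from mediaword[.]net) are assumptions made for illustration.

```python
PROTECTED = ["mediaworld.it", "mediamarkt.de"]  # legitimate domains named on this page


def split_domain(domain):
    """Return (label, tld), e.g. 'www.mediaworld[.]it' -> ('mediaworld', 'it')."""
    # Assumption: single-part TLDs only; production code should consult the
    # Public Suffix List to handle suffixes such as co.uk.
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a domain name: {domain!r}")
    return parts[-2], parts[-1]


def osa_distance(a, b):
    """Edit distance counting insertions, deletions, substitutions and
    adjacent transpositions (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def find_lookalikes(candidates, protected=PROTECTED, max_distance=1):
    """Return (candidate, imitated_domain, distance) for each suspicious name."""
    legit = {split_domain(d) for d in protected}
    hits = []
    for cand in candidates:
        label, tld = split_domain(cand)
        if (label, tld) in legit:
            continue  # the brand's own domain or one of its subdomains
        for ref in protected:
            dist = osa_distance(label, split_domain(ref)[0])
            if dist <= max_distance:
                # distance 0 means the same label under a different TLD
                hits.append((cand, ref, dist))
                break
    return hits


# Constructed sample feed of observed domains; only the first entry is from the page.
SAMPLE = ["mediaword[.]net", "mediaworld[.]net", "www.mediaworld.it",
          "mediawolrd[.]it", "example.org"]
print(find_lookalikes(SAMPLE))
```

The function accepts defanged input such as `mediaword[.]net`, so indicators can be passed in exactly as they appear in a report.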


Why is this a threat?

Any user purchasing a product from this website would likely either never receive the product they purchased or get a fake replica of the product instead. This would result in the consumer losing their money and could cause reputational damage to the company and specifically the product.

If successful, this attack would provide threat actors with access to sensitive personal information about the individual or corporate user, allowing threat actors to steal their money and identity.

Recommendations
  • If deals are too good to be true, they most likely are!

  • If in doubt whether an email is legitimate, never click on any links. Go to the legitimate website’s domain instead via a search engine.

  • Always double check the domain name to make sure it is the legitimate one.

  • Never use the same credentials for work and personal accounts.

  • Incorporate multi-factor authentication where possible to keep your accounts safe.

Technical Report

The technical report below highlights the differences in DNS records between the malicious domain and the legitimate domain.

| Domain | mediaword[.]net | mediaworld[.]it |
| --- | --- | --- |
| Registrar | GoDaddy.com, LLC | Telecom Italia s.p.a. |
| Registrant Organisation | Domains By Proxy, LLC | Mediamarket S.p.A. |
| Registrant Country | United States | Italy |
| Name Servers | NS51.DOMAINCONTROL.COM, NS52.DOMAINCONTROL.COM | DNS3.INTERBUSINESS.IT, DNS11.INTERBUSINESS.IT |
| MX record | N/A | mx1.hc378-85.eu.iphmx.com, mx2.hc378-85.eu.iphmx.com |
| Last seen active | 20 December 2022 | 20 December 2022 |
| Domain Age | 2 days old; created 18 December 2022 | 8,959 days old; created on 10 June 1998 |
| Certificate | Issued by: Let’s Encrypt; issued to: *.mediaword[.]net; domain validated; 03-11-2022 -> 01-02-2023; valid for 3 months | Issued by: DigiCert Inc; issued to: Mediamarket S.p.A.; organisation validated; 25-08-2022 -> 26-09-2023; valid for over 1 year |

IP address

  • 23.227.38.74: Ontario, Toronto, Canada; AS13335 Cloudflare, Inc.; Organization: Shopify, Inc.

  • 208.91.197.13: Tortola, British Virgin Islands; AS40034 Confluence Networks Inc; Organization: Confluence Networks Inc

  • 192.185.59.117: Georgia, United States; AS19871 Network Solutions, LLC; Organization: WEBSITEWELCOME.COM

  • 69.172.201.217: New York, United States; AS19324 Dosarrest Internet Security LTD; Organization: Aptum Technologies

  • 172.65.227.140: Ontario, Toronto, Canada; AS13335 Cloudflare, Inc.; Organization: Cloudflare, Inc.


How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With a false positive rate of only 0.05%, you can stop wasting time chasing false alerts. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection means accepting being a victim forever. We believe in prevention more than response. Visit our website for more information!


Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.