It isn’t just Santa that is preparing for the holiday season.
The past decade has seen a proliferation of online platforms granting independent manufacturers the opportunity to sell their products to an increasingly global audience of buyers. Amazon remains the undisputed leader with 4.7 million visits a month, followed by eBay at 1.2 million and Rakuten with 0.56 million visitors to round out the top three.
A merchant’s choice of platform is generally dictated by the type of product they’re selling. The Amazons and Rakutens of the world can accommodate large-scale manufacturers. On the other end of the spectrum, platforms such as Etsy have sprung up to support artisan merchants that produce high-quality goods in much lower volumes.
These virtual shops increasingly offer seamless integrations with popular social media platforms such as TikTok. For example, a recent article from Influencer Marketing Hub details some key statistics showing TikTok’s impact on generating billions of dollars in sales across key categories such as personal care, women’s fashion, and more.
Unfortunately, an unintended consequence of the need to attract buyers is the creation of a massive attack surface, one that fraudsters are only too happy to exploit to the detriment of consumers, merchants and financial institutions. The latter incur both the direct (reimbursement) and indirect (operational) costs of managing disputes and chargebacks.
Martha Keith’s Martha Brook retail business is a great example of a company that has thrived in the online world. Martha Brook’s high-quality, low-volume stationery has found a global fanbase, reaching customers thanks to her own business-to-consumer (B2C) website. However, Keith’s success was in no small part due to her extensive use of social media, the success of which likely also brought her to the attention of threat actors. With the Christmas holiday quickly approaching, a popular Martha Brook stationery advent calendar sold out in less than two weeks.
At a cost of £109, this popular advent calendar contains a range of stationery and small gifts such as pens and pads of decorative paper. A recent article in British journal The Times chronicles her efforts to tackle the cloners, which reportedly involved the daunting task of attempting to take down 121 websites spoofing the Martha Brook brand, all of which popped up within a 17-day period.
The threat actors responsible for this campaign didn’t merely lift a few still images; they took and reused all of her own social media content. Keith became aware of the issue two days before the product sold out, with customers alerting her to fake ads on Facebook, TikTok and Instagram. These were followed by hundreds of convincing listings on Amazon, all of which reused content from Keith’s own website.
Keith sought to mitigate the attack by posting a warning on her own website, which amazingly the threat actor copied verbatim and applied to their copycat sites. Fortunately, Keith’s own customers provided her with significant amounts of information, alerting her to websites and ads that were marketing her products.
Determined to pursue the threat actor, Keith sought the assistance of the London Metropolitan Police and the British consumer protection group, Trading Standards, neither of whom provided much support. Undeterred, Keith sent cease-and-desist letters to each website, citing a breach of trademark and copyright. Unsurprisingly, none of these actions elicited a response from the threat actor.
As a consequence, she turned detective and was able to identify a number of businesses that appeared to be associated with the websites that were marketing her products.
Outdoor-happiness[.]co[.]uk, a website that was registered on 4th June 2024, refers to Landbase Trading Co., LTD, or rather it contains an image of that information. An observer could assume this was done in an effort to prevent the business being indexed by search engines.
First registered in March 2021, LANDBASE TRADING CO., LIMITED (13277590) has changed its registered office multiple times and previously listed Zze Ecommerce Pte. Ltd. as a person with significant control. Publicly accessible data on LANDBASE TRADING CO., LIMITED provided an address in Cardiff, Wales. The newspaper discovered this address was occupied by a number of medical students, none of whom had any knowledge of the director, Maoyun ZHOU, who provided the UK’s Companies House with an address in Qingdao City, China.
The website also asserted that the business was run by a husband and wife called Shawn and Erin, allegedly operating from a rustic farmhouse in Texas. The accompanying photograph was actually of a New York photographer called Emma Bauso with her partner and two children.
Despite all Keith’s efforts, the fraudulent product remains on sale for £23.99, ironically a 48% discount against the original price of £46.99. The site in question is also being advertised on social media platforms, with the threat actors continuing to abuse Keith’s own content.
Gohomie[.]co[.]uk was registered in November 2020 and appears to be hosted with Shopify, who are in turn utilising Cloudflare. As with the example that The Times provided, the site asserts via an image that it is associated with a company, this time ICE INNOVATIONS LIMITED of Hong Kong.
Elsewhere, ICE INNOVATIONS is reported to be associated with a range of tactics to lure in and deceive consumers. Phishing, social media ads, and search engine manipulation appear to be the predominant means by which the threat actor is funnelling consumers to their websites. Those that do attempt to purchase the fraudulent merchandise reportedly often receive either nothing or cheap imitation, used or defective products.
In 2023, the UK’s National Cyber Security Centre (NCSC), in conjunction with the National Fraud Intelligence Bureau (NFIB), run by the City of London Police, put a figure of £10.6m ($13m) on festive scams. In the same year, in the United States, the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) received 12,000 reports from victims reporting non-payment/non-delivery scams, resulting in losses over $73 million.
So what can merchants and consumers do to avoid being abused by such threat actors?
| Merchants | Consumers |
| --- | --- |
| Listen: Customers are your eyes and ears; they are often a great source of open source intelligence. | Be savvy: Don’t assume ads on social media platforms will lead you to a legitimate merchant, especially if the call to action seems too good to be true. |
| Protect: Protect your intellectual property (IP). Whilst the threat actor may not care about your IP, the platforms they are abusing will. | Take your time: Don’t assume PayPal or your credit card company will reimburse you. The scammers are masters at managing disputes; sending the wrong item is one tactic they use to frustrate chargebacks. |
| Research: Conduct your own surveillance of online environments using transparency tools such as Meta’s ad library. | Check the merchants: Conduct research before purchasing. Remember the fake ads and ecommerce stores in the Martha Brook story used images that contained the brand of Martha Keith’s legitimate business. |
| Watermark: Consider watermarking your social media content with your legitimate website. | Report: If the worst does happen, contact your bank and local internet crime reporting centre. |
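One way a merchant could act on the "Listen" and "Research" tips, given that the cloned sites in this story reused Keith’s copy verbatim: score each reported page by how much of the merchant’s own text it contains. This is an added example, not part of the original article; the function names, the `.example` domains, the sample text and the 0.5 threshold are all constructed assumptions.

```python
import re

def shingles(text, k=5):
    """Set of k-word sequences in text (lowercased, punctuation dropped)."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def containment(own_copy, page_text, k=5):
    """Fraction of the merchant's shingles that also appear on the page."""
    own = shingles(own_copy, k)
    if not own:
        return 0.0
    return len(own & shingles(page_text, k)) / len(own)

def triage(own_copy, pages, official_domains, threshold=0.5):
    """Return (domain, score) for non-official pages reusing the copy,
    highest score first, ready for takedown review."""
    hits = []
    for domain, text in pages.items():
        if domain.lower() in official_domains:
            continue  # the merchant's own site will always match itself
        score = containment(own_copy, text)
        if score >= threshold:
            hits.append((domain, round(score, 2)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample: the merchant's product copy plus its scam warning.
OWN_COPY = ("Our stationery advent calendar is hand packed in London. "
            "Beware of fake websites and adverts copying our photos and words. "
            "We only sell through this website.")

# Constructed page text, as it might be saved from customer-reported links.
PAGES = {
    "shop.example": OWN_COPY + " Order before December for delivery.",
    "clone-one.example": "Huge sale today! " + OWN_COPY + " Half price.",
    "clone-two.example": ("Our stationery advent calendar is hand packed "
                          "in London. Buy now, limited stock."),
    "unrelated.example": "Garden furniture and outdoor lighting for every home.",
}

if __name__ == "__main__":
    for domain, score in triage(OWN_COPY, PAGES, {"shop.example"}):
        print(f"{domain}\t{score}")
```

A page that copied the scam warning along with the product text scores 1.0, while a partial copy such as `clone-two.example` only surfaces if the threshold is lowered, so the cut-off is a trade-off between missed clones and manual review.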
The holiday season sparks a lot of joy and excitement, and many consumers splurge on merchandise and experiences to enjoy with their family and friends. The “perfect storm” of urgency, excitement, and the desire to get the best prices provides malicious actors with the ingredients to spoof, impersonate, and scam unsuspecting customers. Merchants may not be on the line for the money lost to a fraudulent transaction, but their reputation will bear much of the blame when their brand is convincingly associated with a scam.
Written by: Jonathan Frost