Fake Web Stores, Evolving Cyberattacks Pose New Perils for Holiday Shoppers

Mushrooming fake store sites, deceptive domains, and compromised e-commerce sites are just a few of the threats facing online shoppers and businesses this holiday season, according to reports recently released by two cybersecurity companies.

A report released Tuesday by London-based Netcraft, a cybercrime disruption and digital risk protection company, revealed a 110% increase in fake stores from August to October of this year compared to the same period in 2023.

“We see this every year,” said Netcraft Software Engineering Lead Will Barnes.

“The previous peak in the number of fake store domains was last November,” he told the E-Commerce Times. “We’ve just seen a new peak in October and expect it to be even higher in November. This is generally a high period for this type of crime.”

The surge in fake stores is being powered by the use of large language models by threat actors, according to the report. It explained that LLMs are used to generate long- and short-form text for the product descriptions on these sites.

“We first observed LLM-generated retail product descriptions in July 2024, and similar behaviors continue into the holiday shopping season,” the report noted. “This includes examples of fake stores appropriating product listings directly from Amazon and using LLMs to rewrite the copy for enhanced search engine performance.”

Better Bogus Product Descriptions

In the past, Barnes explained, scammers would use off-the-shelf e-commerce software to create their stores. Product descriptions on the sites were either empty or ripped off legitimate sites.

“With the use of large language models, what we’re seeing is completely original, convincing looking text, that’s just completely made up, or a rewording of the original listing to make it so that it’s not obviously just ripped,” he said.

The use of LLMs allows threat actors to provide higher quality images of products and brands, as well as enable them to create more compelling sales pitches in email messages, noted Jim Routh, chief trust officer at Saviynt, an identity governance and access management solutions company, in El Segundo, Calif.

“Both of those capabilities enhanced through the use of LLMs is lowering the time it takes to create fraudulent storefronts online while increasing the probability of victims for the cybercriminals,” he told the E-Commerce Times.

“The simplified ability to create websites quickly and with little effort, either through the use of generative AI or even basic scripts, is allowing bad actors to quickly and easily create these stores at a large scale,” added Erich Kron, security awareness advocate for KnowBe4, a security awareness training provider, in Clearwater, Fla.

“The holiday season is a perfect time for bad actors to create these stores while people are caught up in the rush of shopping for loved ones and friends,” he told the E-Commerce Times.

Chinese Fake Store Mill

Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions, a global data analytics and services company, noted that using URLs that closely resemble a brand’s store to steer shoppers to a fraud site isn’t new. “However, consumers could usually tell when they were on a fraudulent site,” she told the E-Commerce Times. “It didn’t quite work or feel exactly as expected.”

“Now, in all forms of scams, consumers are having difficulty determining if something is inaccurate,” she said. “Fraudsters are using AI tools to improve not just the way that they send an email or a text message with more accurate content, but now they’re also able to use a generative AI tool to create full web pages that look exactly like brand pages.”

A source of tens of thousands of fake stores is an e-commerce tech platform called Shopyy, according to Netcraft. Shopyy, based in China, offers a broad portfolio of technical solutions to help retailers build and optimize online stores, promote their products, and accept different payment types, Netcraft’s report explained. Shopyy also provides hosting and domain registration on behalf of store operators.

“Unfortunately, the customization and convenience that benefits genuine retailers can be misused by cybercriminals,” the report noted. “While some legitimate businesses use Shopyy as their e-commerce platform partner, we’ve detected thousands of Shopyy-powered fake stores, increasing month-over-month since April 2024. Between November 18 to 21 alone, Netcraft’s systems identified more than 9,000 new fake store domains hosted through Shopyy.”

“These sites often impersonate established brands to take advantage of their intellectual property, brand reputation, and existing customer base,” it continued. “Instead of offering the same quality products and services, they trick unsuspecting shoppers into paying for fake, substandard, or non-existent products.”

Cutting-Edge Techniques Deployed

Fake stores are just part of an evolving attack surface open to online raiders. “The holiday season presents an irresistible opportunity for cybercriminals to capitalize on increased online transactions,” Fortinet noted in a blog posted Tuesday.

“Tools and services now available on the darknet empower attackers to target e-commerce platforms and unsuspecting shoppers more effectively than ever,” it continued. “This year, threat actors are leveraging cutting-edge techniques, including AI-powered phishing lures, sophisticated website cloning tools, and remote code execution (RCE) exploits to gain unauthorized access to shopping platforms.”

“AI-driven methods allow attackers to craft convincing emails and replicas of legitimate websites to steal data or trick users into disclosing sensitive information,” it added.

In a report released Nov. 15, Fortinet noted that cybercriminals are using AI models like ChatGPT to craft convincing phishing emails, mimicking legitimate communications from retailers and banks, which increases the effectiveness of their scams, especially during peak shopping periods.

“These phishing attacks can automatically generate customized content, adapt in real time, and learn from successes and failures to improve effectiveness,” said Stephen Kowski, field CTO at SlashNext, a computer and network security company in Pleasanton, Calif.

“Unlike traditional phishing, AI phishing can scale to produce thousands of unique, targeted messages and quickly pivot based on defense,” he told the E-Commerce Times.

Algorithm Poisoning and Loyalty Harvesting

The Fortinet report also noted that threat actors are ramping up efforts to exploit online shopping trends. It warned that thousands of holiday-themed domains mimicking trusted brands like Amazon and Walmart are being registered to deceive consumers with fake offers and promotions.

Popular platforms such as Adobe Commerce, Shopify, and WooCommerce are prime targets due to weak configurations and outdated plugins, it continued. Attackers are deploying sniffers to capture customer data and using RCE exploits to gain administrative access to shopping platforms.

Jason Soroko, a senior fellow at Sectigo, a comprehensive certificate lifecycle management provider in Scottsdale, Ariz., warned businesses and consumers about some potential threats facing them online.

“The Thanksgiving shopping season exposes retailers to ‘algorithm poisoning,’ where attackers manipulate dynamic pricing algorithms,” he told the E-Commerce Times. “By injecting false demand signals or exploiting vulnerabilities at the API level, they could trigger price drops or modify inventory systems, leading to any number of issues. Monitoring APIs for anomalies is a critical countermeasure.”

“Loyalty account harvesting also is a potential, as attackers use credential stuffing to exploit weak passwords, stealing rewards points for resale or fraudulent purchases,” he added. “Many loyalty programs lack multi-factor authentication, making them easy targets. Retailers must enforce MFA, promote strong password practices, and adopt passwordless technologies to safeguard customer accounts.”

Kron noted that the holiday shopping season is often a source of anxiety for a lot of people as they search for gifts. “Black Friday has become synonymous with deep discounts and obscene savings as well as the availability of sought after, but hard to find items, largely due to the early days of this event,” he said.

“Although the deals do not seem to be anywhere near what they used to be, and the fact that retailers are spreading out Black Friday savings across the entire month of November, people still feel the excitement of potentially spotting a great deal,” he continued. “When we are under significant stress in the form of fear or even this type of excitement, we tend to miss details that might otherwise be a strong warning sign to look out for scammers and cybercriminals.”