Fake websites are wreaking phishing havoc

Phishing attacks involving fake Web sites that impersonate well-known brands are now occurring at a level of scale that once seemed unimaginable.

Cybersecurity researchers at NordVPN earlier this month revealed they have been able to identify more than 120,000 malicious websites impersonating Amazon, that were set up in the last two months. In total, security researchers have seen 92,000 phishing sites with an Amazon name, with 21,000 fake Amazon websites attempting to install malware. Another 11,000 sites were selling fake goods.

At the same time, analysts from Silent Push, a provider of cybersecurity intelligence services, reported the discovery of thousands of fake Web sites impersonating well-known brands such as Apple, Harbor Freight Tools, Wayfair, Guitar Center, Lane Bryant and Wrangler Jeans. These fake sites even appear to be processing transactions through PayPal and Google for goods that are never delivered. That approach enables the cybercriminals to sell credit card information without raising suspicions for transactions that, as far as a financial services firm is concerned, never occurred.

All the fake Web sites identified by Silent Push are tied to the same online marketplace, which appears to link these developers to the People's Republic of China. It’s not clear to what degree threat actors are using artificial intelligence (AI) coding tools to build fake Web sites, but it's safe to assume that AI is accelerating the development of these phishing sites. The number of malicious Web sites like these will continue to increase as the use of AI drives down the cost of development. More troubling still, it’s only a matter of time before threat actors also use AI to create millions of fake identities.

All these fake Web sites are being used to both distribute malware and fraudulently collect credit card credentials. The stolen credit card details will then be used to commit fraudulent purchases from legitimate Web sites, making it impossible to calculate the total financial damage of these attacks. The Federal Trade Commission (FTC) estimates that US consumers alone reported losses of over $12.5 billion to fraud in 2024, with online shopping issues ranked as the second most reported fraud category. This is a sharp rise from the $10 billion reported in 2023. Adding consumer losses to the amount of money lost by retailers and manufacturers, we can imagine these crimes cost the victims trillions of dollars each year. 

While most retailers and manufacturers in collaboration with issuers of credit cards valiantly attempt to stem the tide of fraudulent transactions, the number of fake Web sites is rapidly becoming overwhelming. Even if half of these fake Web sites are uncovered, the costs being incurred are exceeding what many companies can be realistically expected to absorb. Worse yet, it also makes many more customers wary of shopping online altogether.

Hopefully, AI technologies will also soon make it simpler to identify fake Web sites as they come online. In the meantime, cybersecurity teams would be well-advised to pay closer attention to threat feeds in an era where the amount of advance warning provided is measured in minutes and seconds.