Predatory grin of "Black Friday"

Today Black Friday started - a massive sale from which the traditional Christmas discount season begins in the United States and Europe. In recent years, the excitement on BlackFridaySale has been observed not only in stores, but also on the Internet. Group-IB experts have discovered more than 400 clone sites that replicate AliExpress’s popular online trading platform and another two hundred sites created for well-known brands and online stores. The purpose of such fraudulent resources may be the sale of counterfeit goods, theft of money or user bank card data.

AliExpress and 400 thieves

Group-IB has found about 400 resources that replicate AliExpress’s popular online trading platform. The attackers copied the website of the online store, brand, logos and company colors and registered a similar domain name. Damage to a single buyer can reach tens of thousands of rubles. Up to 200,000 people can visit one such site every month.

Shortly before Black Friday, the Brand Protection team identified a large network of similar sites - 198 pieces that illegally use trademarks and brands of famous brands. Most of the domain names were purchased at the end of August 2018 and almost all of the content - photos of goods, their description and prices were copied from official resources. It is noteworthy that all these resources had the same hosting provider - ISPIRIA Networks Ltd, located in Belize (Central America).

The purpose of clone sites can be both advertising and promotion of their own products, and the sale of counterfeit goods. Fraudsters sell household and computer equipment, clothing and shoes, jewelry, accessories, cosmetics, medicines and much more, often with a huge discount - up to 80%. According to Group-IB statistics, every 5 counterfeit goods were bought on the Internet, on average, Russians spend 5,300 rubles to buy counterfeit products.

It happens that fraudsters sell non-existent goods. For example, they offer a version of the game "Red Dead Redemption 2" on a PC, despite the fact that the game was released only on the PlayStation 4 and Xbox One.

Phishing Triumph: 1274 attacks per day

Of particular danger to customers are resources created by hackers to steal money or data (logins, passwords, bank cards) - we are talking about phishing sites. According to experts of Group-IB Brand Protection, 1,274 phishing attacks are recorded daily. The total revenue of phishing resources on average for the month of work is 3 million rubles, and about 200 thousand people become visitors to such sites every month.

Fraudsters use the same promotion channels as legal resources: newsletter messaging, banner ads, search engine optimization (SEO) and social networking. From November 7 to 21, Group-IB recorded more than 120,000 publications with references to this action on social networks (97%) and on other web-sites (3%). BlackFriday ads appear on social networks, in posts at top bloggers and on the trading floors themselves. The attackers often buy a domain that is very similar to the original ones, set up a “redirect” on it and promote this link. Clicking on this link, the user is on the page with a completely different address.

How to avoid becoming a victim: protecting the brand and your wallet

Group-IB experts have prepared several recommendations for users and for brands how to protect themselves on the Internet.

For brand:

1. Preventively register similar domain names to prevent fraudsters from using your trademark in the site address. For example, if your site is located at, then attackers can take the address or and act on your behalf.

2. Constantly keep track of your brand in domain name and phishing databases. Access to such databases are organizations that are engaged in the protection of companies from online fraud.

3. Look for fraudsters masquerading as your brand in search engines. To make search output more objective, requests must be sent from different geolocations and from different devices.

4. Track ways to promote fraudulent resources: contextual advertising, posts in social networks and instant messengers.

5. Identify all sites related to the fraudulent resource. As a rule, attackers create several clone sites at once. Detect them will help the technology analysis of links and affiliation sites.

6. Track mobile applications not only in official stores, but also in informal ones, as well as on forums, in search engines, in social networks and on sites where they can be distributed.

7. Constantly monitor the use of your brand and key persons in social networks. Look for references to the company and F. I. O. top management among groups and accounts.

8. Block fraudulent resources: contact companies with specialized competencies.

For buyers:

1. First of all, you need to pay attention to the address bar in the browser and its contents;

2. If the site name contains a dash or several points (ali-express, *, then it’s better not to order anything there. Find the official website through a search engine;

3. Check the address bar every time you go from page to page;

4. Check the date of creation of sites where you plan to make a purchase. To do this, use the free Whois-services, where at the website address you can find out the date of registration, and information about the domain owner (as a rule, the “age” of the website with fakes is always small, sometimes they are created a few days before sales).

5. Do not trust poorly working sites, the official site, even in case of peak load should work correctly;

6. You buy goods only in official stores;

7. Do not follow the links in the publications on discounts;

8. Get a separate card for online purchases and do not leave its data on suspicious resources. In the end, it is better not to buy a product than to lose all the money from your card.