Retail brands are increasingly targeted with fraudulent advertisements, fake social accounts, and falsely branded websites. These multipronged counterfeit campaigns redirect sales and compromise consumer data using brand recognition, the same component critical to driving sales within the retail industry. The massive expansion of ecommerce and online consumer-to-retail interaction creates a complex attack surface difficult for security teams to navigate. In this article we address how to collect intelligence on the top threats targeting retail brands.
Fraudulent Advertisements
Losses due to fraudulent advertisements are estimated to reach $100 billion annually by 2023. Falsely branded ads on social platforms use stolen images and content to lure victims to counterfeit websites and promote fake sales or limited time discounts associated with the targeted retail brand. Fraudulent ads are convincing, easy to create, and continually modified to evade detection. Rapid identification of these ads is critical to minimizing their impact, as the gap in time between abuse and removal can be costly.
Stolen trademarked materials are continually substituted or modified on counterfeit ads to appear generic and avoid timely identification/takedown. These ads evade detection by using imagery scraped from legitimate websites, but do not include brand-owned materials like logos. As a result, these ads may still be recognizable as the targeted retail brand, but lack the evidence needed to qualify for brand infringement on the platform.
Detection of fraudulent activity requires the continuous monitoring of digital advertisements on relevant social platforms using a combination of automation and human analysis. Identification of malicious ads should begin with automated searches within the platform’s ad library using exact and fuzzy matching of brand-specific key terms and meta descriptions.
The logos, copy, and imagery of each suspicious advertisement should be inspected for misleading or unauthorized information by expert analysts specializing in both the retail brand and the platform through which the suspicious ad is displayed. The ad URL should also be examined to identify whether the domain is legitimate or spoofed using brand key terms.
Security analysts specializing in the brand should be prepared to manually search large volumes of potential abuse for suspicious imagery and content on newly created advertisements. Once a malicious ad has been identified, evidence of abuse should be collected and submitted for takedown.
Misleading Social Media Account Pages
To create a fraudulent advertisement on social media, threat actors usually must first create an account on that platform or compromise an abandoned one. While large volumes of these accounts overtly use stolen imagery and copy, many are abandoned pages lacking identifiable branding that could be flagged as fraudulent. To prevent brand abuse and fraudulent ad creation through these pages, security teams need to distinguish between legitimate, mimicked, and compromised accounts.
Detecting a page tied to a malicious advertisement should be done through a combination of technology and expert human analysis. Automated searches within the space should continuously monitor for pages using key brand-related terms.
Security teams should manually search for social profiles abusing their organization by monitoring for exact and fuzzy mentions of the brand and proprietary terms. They should also monitor for materials scraped from their legitimate website that may lack explicit mentions of the retail brand. Analysts specializing in both the brand and social platform should inspect each page for unauthorized logos, trademarked material, and copy.
Counterfeit Websites & Look-alike Domains
Fraudulent advertisements typically redirect victims to counterfeit storefronts on the open web. These sites use look-alike domains, unauthorized content, and stolen imagery to convince victims of their legitimacy and to conduct malicious activity. To detect counterfeit sites, security teams should combine automated technology, such as crawlers, with human review, actively monitoring the open web for abuse of intellectual property, unauthorized association by third parties, and traffic diversion using the brand name.
Counterfeit sites often use look-alike domains to impersonate a targeted organization’s legitimate webpage. Security teams should continuously monitor for domains impersonating their brand by consuming URL data available through:
- Domain registrars
- SSL certificate transparency logs
- Active DNS queries
- Passive DNS data
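The following is an added example, not code from the original article: one way to apply exact and fuzzy brand matching to a feed of observed domain names, and the same matcher can be pointed at ad copy or page names from the earlier sections. The brand term, the domains, the digit-swap table and the distance threshold are all constructed assumptions.

```python
# Added example: brand, domains and thresholds below are constructed assumptions.
BRAND = "acmeshoes"                # hypothetical brand key term
OFFICIAL = ("acmeshoes.example",)  # hypothetical brand-owned domains
# Digit-for-letter swaps common in look-alikes (illustrative, not exhaustive).
SWAPS = str.maketrans("01357", "olest")

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND, max_dist=1):
    """Return 'exact', 'fuzzy' or None for one observed domain name."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL or domain.endswith(tuple("." + o for o in OFFICIAL)):
        return None                        # brand-owned, including subdomains
    # Drop the TLD and hyphens so "acme-shoes" and "acmeshoes" compare equal.
    labels = [l.replace("-", "") for l in domain.split(".")[:-1]]
    if any(brand in l for l in labels):
        return "exact"
    for label in (l.translate(SWAPS) for l in labels):
        # Slide brand-sized windows so words around the brand do not hide it.
        for size in (len(brand) - 1, len(brand), len(brand) + 1):
            for k in range(len(label) - size + 1):
                if edit_distance(label[k:k + size], brand) <= max_dist:
                    return "fuzzy"
    return None

def scan(domains):
    """Map each flagged domain to its match type, ready for analyst review."""
    return {d: hit for d in domains if (hit := classify(d))}

# Constructed feed, e.g. names seen in registrar or certificate log data.
FEED = ["shop.acmeshoes.example", "acmeshoes-outlet.example",
        "login.acmeshoes.evil.example", "acmesh0es.example",
        "acneshoes-sale.example", "gardenhoses.example"]

if __name__ == "__main__":
    for name, hit in scan(FEED).items():
        print(f"{hit:5}  {name}")
```

A match here is only a lead for analyst review; the distance threshold trades missed variants against false positives on unrelated names.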
Analysts should then pivot from confirmed malicious domains to uncover additional threats with manual review of the domain to identify other domains on the same IP. From there, related IP addresses and name servers can reveal threats associated with the initial fraud.
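The pivot described above can be sketched as a graph walk over passive DNS rows. This is an added example, not code from the original article; the records use reserved documentation addresses and constructed names, and the `max_shared` cutoff for ignoring shared hosting or bulk DNS providers is an assumption of the example.

```python
from collections import defaultdict, deque

# Constructed passive-DNS style rows: (domain, resolved IP, name server).
RECORDS = [
    ("acmeshoes-outlet.example", "192.0.2.10",   "ns1.parked.example"),
    ("acme-shoe-deals.example",  "192.0.2.10",   "ns1.bulkdns.example"),
    ("brand-clearance.example",  "192.0.2.77",   "ns1.parked.example"),
    ("cheap-sneakers.example",   "192.0.2.77",   "ns7.other.example"),
    ("unrelated-blog.example",   "198.51.100.5", "ns1.bulkdns.example"),
    ("unrelated-shop.example",   "198.51.100.6", "ns1.bulkdns.example"),
    ("unrelated-wiki.example",   "198.51.100.7", "ns1.bulkdns.example"),
]

def pivot(seed, records, max_shared=3):
    """Breadth-first expansion from a confirmed malicious domain over shared
    IPs and name servers. Infrastructure serving more than max_shared domains
    is treated as shared hosting and not followed (assumed threshold)."""
    by_infra, by_domain = defaultdict(set), defaultdict(set)
    for domain, ip, ns in records:
        for key in (("ip", ip), ("ns", ns)):
            by_infra[key].add(domain)
            by_domain[domain].add(key)
    found, queue = {seed: None}, deque([seed])
    while queue:
        current = queue.popleft()
        for key in sorted(by_domain[current]):
            if len(by_infra[key]) > max_shared:
                continue                    # too widely shared to be a signal
            for other in sorted(by_infra[key]):
                if other not in found:
                    # Record which link led here so an analyst can verify it.
                    found[other] = (key, current)
                    queue.append(other)
    del found[seed]
    return found

if __name__ == "__main__":
    for dom, (link, src) in pivot("acmeshoes-outlet.example", RECORDS).items():
        print(f"{dom}  via {link[0]} {link[1]}  from {src}")
```

Each result keeps the link that produced it, so the chain back to the confirmed domain can be checked before anything is treated as related.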
Automated and analyst anti-evasion techniques should be established to collect content, as threat actors seek to restrict access by security teams through user-agent blocking and screen-size or viewport device restrictions. Once suspicious activity has been identified, security teams should score each flagged item to separate legitimate threats from benign activity. Unauthorized use of a brand should then be verified and its severity assessed.
As retail brands are increasingly targeted by multifaceted counterfeit campaigns, security teams should familiarize themselves with the specific threat types associated with these attacks and the environments in which they live. Intelligence should be collected using a combination of automation and human experts capable of identifying real threats and gathering the evidence needed for swift takedown.