US RUNNING SHOES FAKE SITE NO 2 IN GOOGLE SEARCH
12/2/2024
This site was reported to Brooks EU as fake on 17 Jan 2024. It is still active today (12/2/2024).
Background
When searching for Brooks running shoes (search term "brooks nl"), the second entry on the Google results page is a fake phishing site.
The site is a convincing clone of the real Brooks site (real site: https://www.brooksrunning.com/en_nl). The fake site is www.brooks-netherland.com.
This site is unusual in that it extends a normal phishing scheme by:
Harvesting user credentials.
Taking a real credit card payment for running shoes that do not exist.
It never creates a user account on the site.
It does very little input validation on the shopping basket and payment details:
No postcode check
No credit card number check
It supports 3-D Secure, so the card payment completes and money is actually taken from the user's account.
It also sends shipping confirmation emails for the fake goods.
It then actually ships a very low-value item (sunglasses) from China, for which the user has to pay import duty.
The domain has no DMARC, SPF or DKIM records, and an email health check rates its mail configuration as unhealthy.
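To make the mail-authentication point concrete, the following Python is an added example (not code from the original report) that evaluates a domain's SPF, DKIM and DMARC posture from its DNS TXT records. The records it runs against are constructed inline: a near-empty set standing in for brooks-netherland.com as described above, and a hypothetical, well-configured example.com for contrast. A live check would first pull the same TXT records with dig or a resolver library. The list of DKIM selectors is an assumption, since selectors are chosen by the sender and cannot be enumerated, so a miss there is indicative rather than proof.

```python
"""Assess a domain's mail-authentication posture (SPF, DKIM, DMARC) from DNS TXT data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# DKIM selectors are sender-chosen and cannot be enumerated; these are merely
# common defaults worth probing (assumption, not an exhaustive list).
COMMON_DKIM_SELECTORS = ("default", "selector1", "selector2", "google", "k1", "s1")


@dataclass
class MailAuthReport:
    domain: str
    spf_record: str | None = None
    spf_all: str | None = None          # qualifier of the terminal 'all': "-", "~", "?" or "+"
    dmarc_record: str | None = None
    dmarc_policy: str | None = None     # DMARC p= tag: none / quarantine / reject
    dkim_selectors: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)

    @property
    def healthy(self) -> bool:
        return not self.findings


def _spf_all_qualifier(spf: str) -> str | None:
    """Return the qualifier of the terminal 'all' mechanism; a bare 'all' means '+'."""
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None  # no 'all' term: unlisted senders evaluate to 'neutral'


def _dmarc_policy(dmarc: str) -> str | None:
    """Extract the p= tag from a 'v=DMARC1; p=...; ...' record."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p")


def assess_mail_auth(domain: str, txt: dict[str, list[str]],
                     selectors=COMMON_DKIM_SELECTORS) -> MailAuthReport:
    """txt maps a DNS name to the TXT strings published at that name."""
    rep = MailAuthReport(domain)
    dom = domain.lower().rstrip(".")
    lookup = {k.lower().rstrip("."): v for k, v in txt.items()}

    spf = [r for r in lookup.get(dom, []) if r.lower().startswith("v=spf1")]
    if not spf:
        rep.findings.append("no SPF record: any host may send mail claiming to be @" + dom)
    elif len(spf) > 1:
        rep.findings.append("multiple SPF records: receivers treat this as permerror")
    else:
        rep.spf_record = spf[0]
        rep.spf_all = _spf_all_qualifier(spf[0])
        if rep.spf_all in ("+", "?", None):
            rep.findings.append(f"SPF does not reject unlisted senders (all qualifier {rep.spf_all!r})")

    dmarc = [r for r in lookup.get(f"_dmarc.{dom}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        rep.findings.append("no DMARC record: receivers get no instruction for mail failing SPF/DKIM")
    else:
        rep.dmarc_record = dmarc[0]
        rep.dmarc_policy = _dmarc_policy(dmarc[0])
        if rep.dmarc_policy not in ("quarantine", "reject"):
            rep.findings.append(f"DMARC policy is {rep.dmarc_policy!r}: spoofed mail is monitored, not blocked")

    for sel in selectors:
        for r in lookup.get(f"{sel}._domainkey.{dom}", []):
            if "p=" in r.replace(" ", ""):   # a DKIM record carries the public key in p=
                rep.dkim_selectors.append(sel)
                break
    if not rep.dkim_selectors:
        rep.findings.append("no DKIM key found at common selectors (indicative, not proof)")
    return rep


# Constructed sample data, not live DNS answers.
# The fake site as described in the report: no SPF, DKIM or DMARC at all.
FAKE_SITE_TXT = {"brooks-netherland.com": ["google-site-verification=constructed-example"]}
# A hypothetical, properly configured domain for comparison.
HEALTHY_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."],
}

if __name__ == "__main__":
    for dom, data in (("brooks-netherland.com", FAKE_SITE_TXT), ("example.com", HEALTHY_TXT)):
        rep = assess_mail_auth(dom, data)
        print(dom, "healthy" if rep.healthy else "unhealthy")
        for f in rep.findings:
            print("  -", f)
```

Run against the constructed fake-site data the report yields three findings (no SPF, no DMARC, no DKIM), which is exactly the "unhealthy" state noted above; a domain with an SPF record ending in ~all and a DMARC p=none still gets flagged, because neither setting actually blocks a spoofed message.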
Analysis
The comments in the code show that at least some of the code was written in China.
The site forms part of a network of sites that share payment processing capabilities: the payment verification step is handed off to another fake shop, topstorefsale.com (see the appendix).
The fact that the site does ship something complicates fraud detection and chargebacks, as the operator can argue that a product was delivered.
Brooks confirmed that this is not an authorized reseller but has failed to take any action against this site.
The domain was registered on 6 Nov 2023 (see the whois data in the appendix), so the site has operated undisturbed for roughly three months.
The site is hosted by a South African ISP (Fibergrid) with international co-location capabilities; the server itself is located in Canada.
The domain was registered through Alibaba Cloud (registrar of record: ALIBABA.COM SINGAPORE E-COMMERCE PRIVATE LIMITED).
The site has not been blacklisted by any reputation-scoring tool and currently appears second in the Google results, directly below a paid ad by the real Brooks company.
Recommendations
This site is most likely damaging the Brooks reputation considerably, as a large number of Brooks customers will never receive the products they ordered from it.
It seems that Brooks is not in a position to take this site down.
The following steps will take down the site:
Going forward, the company should do the following:
Engage a dark web monitoring service to watch for the re-emergence of these types of domains.
Upgrade its internal security and RM processes to respond much faster to public disclosure events.
Engage with the market to make its concern and strategy known to its clients, and to show that it is protecting its brand by removing these attacks as soon as it becomes aware of them.
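As an added illustration of what monitoring for the re-emergence of such domains involves (example code, not part of the original report or of any Brooks process), the Python below scans a feed of newly registered domains on two axes: brand lookalikes of "brooks" (token match, digit-for-letter homoglyphs, one-edit typos) and infrastructure overlap with the name servers recorded for the fake site in the appendix. The feed, the shop/country keyword set and the homoglyph map are constructed assumptions. The infrastructure pivot is what catches a sibling such as topstorefsale.com, which carries no brand name at all and would slip past lookalike matching on its own.

```python
"""Flag brand-lookalike and infrastructure-linked domains in a registration feed."""
from __future__ import annotations

import re
from dataclasses import dataclass

BRAND = "brooks"
LEGIT_DOMAINS = {"brooksrunning.com"}
# Tokens the fake shop paired with the brand; tune per brand (assumption).
SHOP_TOKENS = {"shop", "store", "sale", "outlet", "running", "nl", "netherland", "netherlands", "eu"}
# Name servers recorded for the fake site in the whois data (appendix of this report).
BAD_NAMESERVERS = {"ns1.ecpage.com", "ns2.ecpage.com"}
# Digit-for-letter substitutions typosquatters use (assumed, non-exhaustive).
HOMOGLYPHS = str.maketrans("013457", "oleast")


@dataclass
class Hit:
    domain: str
    reasons: list[str]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'brooks-netherland'; naive split assuming a one-part TLD."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_like(label: str) -> tuple[str | None, list[str]]:
    """Return (reason the label resembles the brand, or None) and its normalised tokens."""
    norm = label.translate(HOMOGLYPHS)           # br00ks -> brooks
    tokens = [t for t in re.split(r"[^a-z]+", norm) if t]
    if BRAND in tokens:
        return f"contains brand token '{BRAND}'", tokens
    if BRAND in norm:
        return f"brand '{BRAND}' embedded in label '{label}'", tokens
    for t in tokens:
        if edit_distance(t, BRAND) == 1:
            return f"token '{t}' is one edit away from '{BRAND}'", tokens
    return None, tokens


def scan(feed: list[dict]) -> list[Hit]:
    """Each feed entry is {'domain': str, 'nameservers': [str, ...]}."""
    hits: list[Hit] = []
    for entry in feed:
        domain = entry["domain"].lower().rstrip(".")
        if domain in LEGIT_DOMAINS:
            continue
        reasons: list[str] = []
        why, tokens = brand_like(registrable_label(domain))
        if why:
            reasons.append(why)
            paired = sorted(SHOP_TOKENS.intersection(tokens))
            if paired:
                reasons.append("paired with shop/country tokens: " + ", ".join(paired))
        shared = BAD_NAMESERVERS & {ns.lower().rstrip(".") for ns in entry.get("nameservers", [])}
        if shared:
            reasons.append("shares name servers with the known fake site: " + ", ".join(sorted(shared)))
        if reasons:
            hits.append(Hit(domain, reasons))
    return hits


# Constructed feed standing in for a day of new registrations. Only the two fake
# domains and the ecpage.com name servers come from this report; the rest is invented.
FEED = [
    {"domain": "brooks-netherland.com", "nameservers": ["NS1.ECPAGE.COM", "NS2.ECPAGE.COM"]},
    {"domain": "topstorefsale.com", "nameservers": ["ns1.ecpage.com", "ns2.ecpage.com"]},
    {"domain": "br00ks-outlet.shop", "nameservers": ["ns1.example-dns.net"]},
    {"domain": "brookz-running.com", "nameservers": ["ns1.example-dns.net"]},
    {"domain": "brooklyn-bakery.com", "nameservers": ["ns1.example-dns.net"]},
    {"domain": "brooksrunning.com", "nameservers": ["ns1.example-dns.net"]},
]

if __name__ == "__main__":
    for hit in scan(FEED):
        print(hit.domain)
        for r in hit.reasons:
            print("  -", r)
```

In a real deployment the feed would be a daily zone-file diff or a certificate-transparency stream, and the name-server set would be extended with every piece of infrastructure (hosting ASN, payment-confirmation hostnames) tied to the shops already identified. Both matchers are deliberately conservative: brooklyn-bakery.com is not flagged, because "brooklyn" is three edits from the brand and carries none of the shop tokens.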
Appendix - Research
Registrar: ALIBABA.COM SINGAPORE E-COMMERCE PRIVATE LIMITED
Whois server: grs-whois.aliyun.com
Referral URL: http://www.alibabacloud.com
Status: ok (https://icann.org/epp#ok)
Important dates
Registered on: 2023-11-06
Updated on: 2023-11-06
Expires on: 2024-11-06
Name servers
NS1.ECPAGE.COM (47.75.3.214)
NS2.ECPAGE.COM (54.193.69.207)
Email health check: unhealthy (no SPF, DKIM or DMARC records)
Hosting ISP: Fibergrid
ISP location
No. 5 Sturdee Avenue, Suite 301, 2196 Rosebank, Johannesburg, South Africa
Support mail purports to come from
goodserviceforcustomer.com (non-existent domain)
Actual sender address
online@goodserviceforcustomer.com
Mail is sent via Amazon SES
Fake delivery email
The site most likely originates in China (comments in the code are in Chinese and the domain was registered through Alibaba Cloud).
Site is still active
Payment verification is posted to
https://topstorefsale.com/godpay/confirm/en-us/731707685004890675
which leads to another fake site:
https://www.topstorefsale.com/