AliExpress is among the most visited business-to-customer (B2C) e-commerce sites globally, with millions of visitors daily. Therefore, a recent cybersquatting campaign targeting the platform could lure many victims into buying counterfeit products, divulging their login credentials, downloading malware, and many other actions that could jeopardize their data and devices.
WhoisXML API researchers decided to see how such a cybersquatting campaign extends to the e-commerce industry by uncovering domains targeting some of the most visited e-commerce websites. Our findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
This study focused on Similarweb’s top 10 e-commerce and shopping websites by traffic. These are shown below and belong to seven major companies.
Using the company names as search strings on Domains & Subdomains Discovery, we found 13,737 cybersquatting properties, with close to a 1:1 ratio between the domains and subdomains. Only 13 of the domains could be publicly attributed to the e-commerce companies as they shared the same registrant email address as the legitimate domains.
About 56% of the resources actively resolved to 4,228 unique IP addresses. In particular, Bulk IP Lookup revealed more than 12,000 resolutions, more than half of which were geolocated in the U.S., the U.K., and Canada, while the rest were distributed across more than 65 other countries. The chart below shows the geolocations of the cybersquatting properties.
Note that the cybersquatting properties were added between 1 May and 1 June 2022 and can be considered newly registered domains (NRDs). Have they been used in malicious campaigns? What content do they host, if any?
Alarmingly, 960 resources have been flagged as malicious by various malware engines. There were more dangerous subdomains than domains, with some subdomains reaching fifth-level domains.
Even more disturbing is that some of the malicious domains still hosted live content despite having already been reported. Some content looked very similar to that on the home pages of the imitated websites. An example is amazoninvest[.]fun whose screenshot appears below.
Other domains hosted login pages, which were more likely to lure victims into typing in their usernames and passwords. Some examples are shown below.
Some content was equally suspicious, such as that seen on a supposed PayPal login page hosted on an eBay cybersquatting domain, bettina-ebay[.]de.
About a dozen malicious domains were eBay domains that contained the text string “kleinanzeigen,” the German word for classified ads. Using this string, we discovered more suspicious NRDs and new subdomains, most notably those beginning with “ebay.”
Below are some domains containing “kleinanzeigen” added since 1 May 2022.
These subdomains contained the exact text string and were added during the same period.
Threat actors know that by targeting e-commerce sites in cybersquatting campaigns, they also target hundreds of millions of users. They could be in for a very lucrative payout with just a few domains and subdomains.
Monitoring the Domain Name System (DNS) for signs of cybersquatting can help protect users and businesses alike. Deepening the analysis with geolocation, web content, and other contextual information can help uncover more suspicious footprints.
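As an added example that is not part of the WhoisXML API write-up, the following Python scan applies the brand-string search described above to a constructed newly-registered-domain feed: every label outside the public suffix is checked for a brand string, names under an assumed allowlist of company-attributed domains are skipped, and each hit records its level so that deep subdomains (the report mentions fifth-level ones) stand out. The brand list, the allowlist, the tiny public-suffix table and all sample names except the two quoted in the text are assumptions.

```python
from dataclasses import dataclass

# Brand strings named in the write-up, plus the German classified-ads term it calls out.
BRAND_STRINGS = ("amazon", "ebay", "paypal", "aliexpress", "kleinanzeigen")
# Constructed stand-in for the company-attributed domains; names under these are not flagged.
KNOWN_GOOD = ("amazon.com", "ebay.com", "paypal.com", "aliexpress.com")
# Minimal stand-in for the Public Suffix List, used only to locate the registrable domain.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

@dataclass(frozen=True)
class Hit:
    fqdn: str
    brand: str
    level: int           # label count: example.com is level 2, a.b.example.com is level 4
    is_subdomain: bool   # True when the name sits below a registrable domain
    matched_label: str   # the label in which the brand string was found

def labels_of(fqdn: str) -> list:
    return fqdn.lower().rstrip(".").split(".")

def scan(fqdn: str) -> "Hit | None":
    """Return a Hit when a label outside the public suffix contains a brand string."""
    parts = labels_of(fqdn)
    name = ".".join(parts)
    if any(name == g or name.endswith("." + g) for g in KNOWN_GOOD):
        return None                                  # attributed to the company, not a squat
    suffix = 2 if ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES else 1
    for label in parts[:len(parts) - suffix]:        # never match inside the TLD / public suffix
        for brand in BRAND_STRINGS:
            if brand in label:
                return Hit(name, brand, len(parts), len(parts) > suffix + 1, label)
    return None

def scan_feed(lines) -> list:
    """Scan one name per line; blank lines and '#' comments are ignored."""
    names = [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]
    return [h for h in map(scan, names) if h is not None]

# Constructed sample feed; only the first two names are quoted in the write-up.
SAMPLE_FEED = """amazoninvest.fun
bettina-ebay.de
login.ebay-kleinanzeigen.example
secure.paypal.update.shop.example
www.amazon.com
flowershop.example"""

if __name__ == "__main__":
    for h in scan_feed(SAMPLE_FEED.splitlines()):
        print(f"{h.fqdn:36} brand={h.brand:8} level={h.level} subdomain={h.is_subdomain}")
```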
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.