Months after TikTok launched its marketplace in September 2021, several users have raised concerns about the authenticity of the products they purchased. The complaints mainly pertain to beauty products, such as sunscreens, lip glosses, and makeup brushes. Aside from being ripped off, consumers may be exposed to more danger.

The City of London Police, through Cosmetics Business, cited that counterfeit beauty products may contain banned or restricted substances harmful to people.

The issue isn’t only happening on the social media platform. For years, counterfeiters have used fake websites that impersonate cosmetic brands. In line with this, WhoisXML API researchers monitored the Domain Name System (DNS) for activities related to some of the top cosmetic brands. Our findings include:

• 1,900+ digital properties added from 1 June to 18 July 2022 that use the names of popular beauty brands, including Avon, Clinique, L’Oréal, Nivea, and The Body Shop
• These recently-added properties are part of a larger data set of 11,000 brand-targeted cybersquatting resources added since the beginning of the year
• About 1% of these domains have figured in malicious campaigns, some of which are still actively resolving to six unique IP addresses
• The content of some domains reveals they are selling beauty products

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Potential Cybersquatting Properties Targeting Famous Beauty Brand

Since the start of the year, more than 11,000 cyber resources containing the names of the brands in the study have been added to the DNS. However, our data sample comprises properties added from 1 June to 18 July 2022 to make insights more time-sensitive.

The study also centers on 16 cosmetic brands, as seen in the chart below.

Adding Context to the Propertie

To learn more about the cosmetic-themed domains and subdomains, we ran them on Bulk IP Lookup. About 88% of the domains actively resolve to 1,415 different IP addresses. Most of these are geolocated in North America, with 54.41% in the U.S. and 12.15% in Canada. The rest of the top 10 geolocations pointed mostly to Europe, while two did to Asia. The rest of the resolutions were spread out across 45 other territories.

We also took note of the digital resources’ Internet service providers (ISPs) and found that Cloudflare accounted for the greatest number of connected IP addresses at 18.23%. Google followed with 12.65%, Amazon with 10.47%, Microsoft with 5.73%, and Wix with 4.74%. The rest of the leading ISPs can be seen in the chart below.

Are These Domains Selling Counterfeit Products?

We performed a screenshot analysis of the resolving properties with the help of Screenshot API. While several domains were parked or resolved to index and 404 pages, some sold beauty products, although their WHOIS records could not be attributed to the legitimate brands.

These contents were replicated across other cybersquatting domains, as seen in above. All domains didn’t have enough metadata to be classified under the Beauty and Style & Fashion categories, some of the official Estée Lauder domain classifications.

Malicious Usage

Aside from counterfeit products, we also looked out for properties used in phishing, spamming, malware distribution, impersonation, and other malicious activities. About 1% have been reported as malicious, despite having made their way into the DNS only in June.

Five of these properties still resolved to IP hosts. Alarmingly, the malicious subdomains clinique[.]ahmedou[.]ml continued to host a login page.

Fake cosmetics can be detrimental to people’s health. At the same time, fake sites can negatively affect the reputation of the impersonated brands. Preventing counterfeiting involves monitoring the DNS for possible vehicles like those featured in this study.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.