Interviews

The 12 red flags

by Mark Rowe

Steve Ginty, director of threat intelligence at the cyber threat intelligence firm RiskIQ, goes through 12 red flags that an e-commerce site is being targeted by threat actors.

Every year, bad actors capitalise on the e-commerce industry. They use the brand names of leading e-tailers to fool shoppers looking for deals, sales and coupons, luring them to fake mobile apps and websites where their details are stolen. Evidencing the vast pool of targets cybercriminals can exploit, a recent consumer survey found that 83 percent of people spend at least 50 percent of their budget online. Cybercriminals will look to intercept this money in every way they can, using fraudulent imitation of brands to illicitly gain consumer trust.

At certain times of the year, for example Black Friday or the holiday shopping period, this threat is particularly acute. This is due to the vast quantity of money spent during these periods, with criminals wanting their slice of the pie. Indeed, research has found a significant uptick in fraudulent activity online during the holiday shopping season.

There are 12 main red flags that threat researchers and the security teams of e-commerce sites should watch out for to determine whether a web domain is being used to fraudulently target the public. Free tools, available even to inexperienced users, can illuminate these 12 red flags, which, if seen, should raise concern about the site in question before it harms consumers and damages your brand.

1. A website has only been up for a short time
Threat actors are standing up new websites every second to fool their victims. When a website’s DNS shows that it has only been resolving for a short period, it fits the mould of threat infrastructure.

2. A website has an SSL certificate from a free certificate authority
Threat actors often quickly spin up cheap infrastructure to commit attacks at scale. Free certificate authorities provide SSL certificates that help their malicious sites appear legitimate at a cursory glance. When a site has one of these free certificates, it’s a good idea to inspect the website further.

3. A domain is hosted in an unexpected country
It’s important to check domain registration to see where the website is based. If the registration does not align with what one would expect, this is a major red flag. For example, if a website purporting to be a UK e-commerce site is registered in Russia, this should be taken as an indicator of fraudulent activity.

4. The site is a copy from elsewhere
Threat actors copy legitimate sites component-for-component to make their phishing sites look as authentic as possible. Often, they’ll use free software like HTTrack to make these duplicates. If a site carries an HTTrack signature or a mark of the web, proceed with caution – the mark of the web is a security feature introduced by Internet Explorer that records the origin of a saved file, so a copied page can be identified as such.

5. Open-source intelligence (OSINT) flags the website as fraudulent
Threat researchers worldwide work around the clock hunting threats and identifying threat actors and their tools. A plethora of open-source intelligence is available that can offer valuable insight into a site’s reputation or its associations with threat infrastructure, for example whether it has been put on a blocklist. These sources can be put to important use in detecting whether a website is fraudulent.

6. A site is known, and it has a bad reputation
Threat researchers wanting to go beyond OSINT can use tools that curate threat intelligence and other data to build a reputation for malicious sites and apps that have been seen in the wild. By looking up a suspicious URL, it may be possible to learn instantly whether the site in question has a good or bad reputation.

7. The site associates with known bad actors
Some say a person is judged by the company they keep. Websites and apps are no different. Even if nothing is known about a particular site or app, there may be a rap sheet on its associated web infrastructure, such as a domain or IP address. Free tools that map the web’s infrastructure can show whether a site links to IPs, domains or other web infrastructure known to be tied to a threat actor group.

8. A site is registered to a person and not a company
Check the WHOIS information of a website. If the registrant isn’t the company that would be expected – for example, Walmart – the site should be viewed with suspicion. It’s especially suspicious when the registrant is an individual with a private email address, such as one at hotmail.com.

9. A site shares components with known threat infrastructure
Threat actors are efficient and reuse their tooling to spin up malicious sites and apps as quickly and prolifically as possible. As a result, websites targeting a brand will likely share web components, such as tracking pixels, with other malicious sites. Tools that map the infrastructure of the web will show which other sites share these components, and the reputation of those sites can then be checked.

10. A site doesn’t have much attached to it
Threat actors move quickly and do not like to spend much time on an individual malicious site. As a result, many sites spun up to phish users or fool them into downloading malware will be spartan, with very few components attached to them compared to typical, reputable websites. For example, if a site thought to be reputable lacks tracking pixels or plug-ins, it is likely not what it appears to be.

11. A website shares elements with other sites
In their eternal quest to make malicious pages look legitimate, threat actors will often borrow elements from other pages, such as images, iframes or redirects. Host pairs – two domains, a parent and a child, that share a connection – can show what a site is pulling from other sites. Host pairs work in both directions: it is possible to see what a malicious page is pulling from a legitimate one, and which malicious pages may be pulling from a legitimate e-commerce site.

12. A website shares elements with a company e-commerce site
With advanced threat intelligence platforms, it’s possible to see when a domain is stealing images, stylesheets and other elements from a specific reputable site to create fake pages. Security teams of the company targeted should be able to track their assets and flag whenever another domain is using them.

These 12 red flags are an easy, useful way for security teams and threat researchers protecting e-commerce sites to identify cyberthreats that are endemic throughout the year. Furthermore, they can be detected with free tools by beginners and experts alike. Through early detection with a threat intelligence platform, organisations can protect both their own brand and the consumer. After all, when a brand is used maliciously to target the platform, the legitimate company will suffer from the blow to public trust.

© 2024 Professional Security Magazine. All rights reserved.