Fake IKEA, Zalando, Dr. Martens, Mango Online Stores Campaign Targets Global Retail Sector

Published
Written by:
Lore Apostol
Cybersecurity Writer

Key Takeaways

A new threat research advisory has detailed a large-scale fake online stores campaign targeting the global retail industry, with a network of 244 fraudulent domains registered since the start of 2025. This coordinated operation is designed to impersonate major retail brands, facilitate financial fraud, and distribute malware. 

The actors behind the campaign synchronize domain creation with major shopping events like Black Friday to maximize their impact on unsuspecting consumers. 

Fake Online Store Campaign Infrastructure

The campaign leverages a sophisticated and industrialized infrastructure-as-a-service model to support its operations, a recent BforeAI PreCrime Labs report said. 

Fake website impersonating the Mango fashion store | Source: BforeAI

Analysis revealed that the domains were spread across 43 unique registrars, with the majority traced back to Chinese infrastructure providers like West263 International Limited and Alibaba Cloud. Major brands impersonated include:

Threat actors hide behind heavily privacy-protected WHOIS data and rely on fast DNS setup, quick redirect changes, and shared infrastructure. This automated domain churn is a key tactic in these retail phishing scams. They also lure victims via TikTok, Facebook, and Google Shopping ad promotions.

Mitigation Efforts and Cybersecurity in Retail

In response to the discovery, all confirmed fraudulent domains were escalated to their respective registrars and registries for immediate suspension. While many of the identified domains are now non-resolving, the report stresses the need for continuous monitoring. 

This campaign demonstrates the resilience and automation capabilities of modern phishing operations, which require a proactive and coordinated response from security vendors, registrars, and hosting providers.
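The continuous monitoring the report calls for can begin with triage of newly registered domains against the traits described above. The following is an added example, not code from the article or from BforeAI: the official-domain allowlist, lure words, 45-day window, score threshold, and the sample feed are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Brands from the article headline; the official-domain allowlist is an assumption.
OFFICIAL = {"ikea": "ikea.com", "zalando": "zalando.com",
            "drmartens": "drmartens.com", "mango": "mango.com"}
LURES = ("sale", "outlet", "shop", "store", "discount")  # assumed lure words
EVENT = date(2025, 11, 28)            # Black Friday 2025
WINDOW_DAYS = 45                      # assumed pre-event registration window
LEET = str.maketrans("0134", "oiea")  # undo common digit-for-letter swaps

def registrable(domain):
    """Naive last-two-labels split; production code needs the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def score(rec):
    """Return (score, brand) for one registration record; (0, None) if no brand."""
    reg = registrable(rec["domain"])
    name = reg.split(".")[0].replace("-", "").translate(LEET)
    brand = next((b for b in OFFICIAL if b in name), None)
    if brand is None or reg == OFFICIAL[brand]:
        return 0, None
    points = 2                                                   # brand in non-official domain
    points += any(w in name.replace(brand, "") for w in LURES)   # retail lure word
    points += 0 <= (EVENT - rec["created"]).days <= WINDOW_DAYS  # timed to the event
    points += bool(rec["privacy"])                               # WHOIS privacy enabled
    return points, brand

def triage(records, threshold=4):
    """Return flagged (domain, brand, score, registrar) rows and a per-registrar count."""
    hits = []
    for r in records:
        points, brand = score(r)
        if points >= threshold:
            hits.append((r["domain"], brand, points, r["registrar"]))
    return hits, Counter(h[3] for h in hits)

def rec(domain, created, privacy, registrar):
    return {"domain": domain, "created": created, "privacy": privacy, "registrar": registrar}

# Constructed sample feed: .example names are not real domains, registrars are placeholders.
FEED = [
    rec("ikea-outlet.example", date(2025, 11, 10), True, "registrar-a"),
    rec("zal4ndo-sale.example", date(2025, 11, 20), True, "registrar-a"),
    rec("dr-martens-store.example", date(2025, 3, 2), True, "registrar-b"),
    rec("mangosteenfarm.example", date(2025, 11, 15), False, "registrar-c"),  # substring false positive
    rec("www.ikea.com", date(2000, 1, 1), False, "registrar-d"),              # allowlisted
]
```

The per-registrar count from `triage` gives a starting point for grouping flagged domains by shared infrastructure before escalating them for suspension.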

Reports in October warned that scammers were impersonating luxury brands via more than 1,300 suspicious domains ahead of the holiday season.

Researchers highlighted that targeted holiday phishing spiked in November, featuring fake Dolce & Gabbana and Pandora storefronts and cryptocurrency schemes, while mobile threats surged as phishing and malware risks escalated.

