Skip to content
Naked Security Naked Security

Ho Ho OUCH! There are 4x more fake retailer sites than real ones

Beware, holiday shoppers! The phishers hiding under typosquatting domains are waiting for your keyboard fumbles.

Two more weeks until Cyber Monday!

Ready to shop? Got your list ready? Eyes peeled for deals? Psyched about brewing a nice pot of coffee, sitting down at your keyboard, typing in your favorite retailer’s site, tap-tap-tapping in your payment card info, hitting the buy button, and presto!

You’ve been phished!

OK, maybe you won’t stumble onto a copycat retailer site, but boy oh boy, the chances of that have blossomed like a jungle of parasitic mistletoes. According to research from Venafi, the total number of Transport Layer Security (TLS) certificates used by typosquatting domains to give themselves the aura of being safe and secure is now 400% greater than the number of authentic retail domains.

The specific numbers: Venafi found 109,045 TLS certificates on lookalike domains, compared with 19,890 on authentic retail sites. Over half of the certificates used on the imposter domains were certificates from Let’s Encrypt: an automated certificate authority that pumps out free certificates… including, say, the 15,270 “PayPal” certificates issued in 2017 to sites used for phishing.

The numbers are a bit mind-boggling: it means that there are now 4x the number of fake sites as legitimate retail sites. The number has more than doubled since 2018.

Be careful what you type

It also makes keyboard fumbles more dangerous than ever. You know how that goes: you quickly type a URL you use all the time, but this time, you fumble and accidentally swap, add, or delete a single letter and hit enter. Suddenly, you’re not in Kansas, anymore, Toto. You’re lucky if you get a 404 message. You’re also at great risk of ending up at the phishers’ Nightmare Before Christmas site, with at least some of those lookalike sites just waiting to phish your credit card away.

Venafi found that there are over 49,500 typosquatting domains targeting the customers of the top US retailers. As far as the UK goes, there are over 6x times more imposter domains than valid domains among the top 20 online retailers.

Mind you, not all of those sites are necessarily run by phishers. In the past, we’ve looked at typosquatting domains and found that, despite what you’d expect from sites that purposefully register misspellings of common URLs, they weren’t rife with malware.

In fact, cybercrime made up just under 3% of the findings. Pop-ups and ads were far more common (15%) while IT and hosting – pages offering to sell you interesting domain names – made up 12%.

But Venafi said that it has indeed seen “rampant growth” in the number of malicious, lookalike domains that are specifically used in predatory phishing attacks.

Jing Xie, senior threat intelligence researcher at Venafi, said in a press release that the growth of TLS certificates showing up on typosquatting sites is a result of the push to encrypt more, and potentially all, web traffic, which he called:

A trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection.

It’s tough enough to detect the imposter retailer sites by look alone, given that they carefully mimic logos, color schemes, other aspects of branding, and how the real sites work. What makes it even tougher is that they’re hiding under the wolf’s clothing of TLS certificates.

The padlock is not a guarantee of a safe site

As we’ve previously explained, TLS certificates are used by websites communicating over encrypted, HTTPS connections. They’re used to sign a website’s public encryption key, which ensures that your communication with that website is private and secure: you know which site you’re talking to, and that nobody else is listening in.

But you can’t always trust a site just because it’s got a certificate: The proliferation of typosquatting retailer lookalike sites is only the latest example of why.

In June, the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.

Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.

Unfortunately, cybercriminals have spotted the confusion about HTTPS, which accounts for the growing number of phishing attacks deploying it to catch people off guard. From the FBI alert:

They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.

What to do?

Of course, it pays to be careful as you type, but just try telling your pumpkin-pie-stupefied fingers that.

Failing typing perfection, you could try using a password manager. They’re a good line of defense because they don’t get fooled by URLs that look right to error-prone human eyes: rather, they spot the URL tweaks introduced by typosquatters that are often too subtle for us to pick up on.

If you do spot a phishing scams – please do your bit to help everyone else. You can report potential cyberthreats to Sophos via our Submit a Sample page. In the UK, report phishes to law enforcement via Action Fraud. In the USA, use the FBI’s Internet Crime Complaint Center.


Other ways to listen: download MP3, play directly on Soundcloud, or get it from Apple Podcasts.)


“Suddenly, you’re not in Kansas, anymore, Toto. You’re lucky if you get a 404 message.”

It wouldn’t be a 404. That implies the domain exists, but not the page. Luck is not finding the domain at all. You would get:
This site can’t be reached’s server IP address could not be found.


Good point about password managers spotting bad URL’s. I’ve seen that happen to me when I fumble-fingered a URL.

So, I started bookmarking every web site that I normally use and when I want to go to, I can either use the bookmarked URL in my browser or log on with my Password manager. I prefer using the password manager because it is synced across all my devices. That way I don’t have to bother with syncing bookmarks across my devices.

Works for me!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!