Building fake, fraudulent online stores has never been easier: fraudsters are registering domain names for a pittance, using the SHOPYY e-commerce platform to build the websites, and leveraging large language models (LLMs) to rewrite existing product listings to perfect their search engine performance.
“We first observed LLM-generated retail product descriptions in July 2024, and similar behaviors continue into the holiday shopping season,” Netcraft Software Engineering Team Lead Will Barnes has shared.
From August to October 2024, the company saw a 110% increase in domains hosting fake stores, and it expects more activity before the end of November.
Creating fraudulent online shops
“SHOPYY (also referred to as SHOPOEM) is a Chinese e-commerce platform offering a broad portfolio of technical solutions to help retailers build and optimize online stores, promote their products, and accept different payment types. SHOPYY also provides hosting and domain registration on behalf of store operators,” Barnes explained.
“SHOPYY’s sprawling store portfolio, which spans multiple hosting providers and domain registrars, creates opportunities for criminal exploitation. Such a large and distributed infrastructure means abuse reporting and effective controls are harder to orchestrate, which is likely why the majority of stores on SHOPYY appear to be fraudulent. Between November 18 and 21 alone, Netcraft’s systems identified more than 9,000 new fake store domains hosted through SHOPYY.”
The fraudsters are scraping Amazon product listings, cloning them and offering the products at discounted prices. Many of the sites use LLMs to rewrite the listings with new product descriptions, to reduce duplication and refine listings for SEO purposes.
The fake stores use widgets to show promotional text to match the upcoming holiday or shopping day (e.g., Black Friday, Christmas, etc.), and fake “Trusted Store” seals.
The fake “Trusted Store” seal (Source: Netcraft)
“This same seal is used on a range of fake shopping sites with different behaviors, suggesting it may be a plug-in available as a SHOPYY feature,” the researcher noted.
Finally, parking the store on .shop domains helps fool customers into believing the online store is legitimate.
“The fraudsters leverage various tactics to guide traffic to fraudulent sites; many of the most common include SEO, paid ads, social media, email, and other forms of phishing,” Barnes told Help Net Security.
The fake shops are stood up to target English-speaking shoppers, primarily in the US, as the product listings are scraped from Amazon’s US site and show prices in US dollars.
Advice for retailers and consumers
Barnes said that while fake online stores see seasonal increases and spikes, they are big business for criminals all year round, and online retailers must stay vigilant to protect their products and brand from online impersonation.
Netcraft has taken down hundreds of thousands of fake shops to date, he added.
“We [execute takedowns] by finding malicious content across more than 100 attack types (including fake online shopping); identifying hosting providers, domain registrars, webmasters, social media platforms, and others involved in the attack’s infrastructure; working directly with infrastructure providers via notifications, APIs, and direct contact to present convincing evidence of attacks to have infrastructure blocked and removed; and by ongoing monitoring of attacks during and after the takedown process to ensure it is truly eliminated.”
Consumers should practice healthy skepticism when shopping online. “If a deal is too good to be true, it likely is,” Barnes pointed out.
He also advised validating deals through independent search: “If you’ve received an email or seen an ad, don’t click on links but seek to verify by searching for deals and discounts through official web properties.”
Product listings on fake online shops can occasionally carry tell-tale signs of fraudulent activity. Sometimes, the LLM leaves artifacts in the listing text that describe its own response to the prompt provided by the fraudsters.
“These errors may be due to the sheer scale of these activities, which makes human action uneconomical. Language differences between the threat actor and their victims can also mean that text errors are overlooked,” he said.
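A sketch of how the tell-tale signs described above could be checked automatically, as an added example that is not code from Netcraft or from the original article. The artifact phrases, weights, URLs and sample listings are constructed assumptions; the article does not quote the actual artifact text.

```python
import re
from urllib.parse import urlparse

# Assumed phrasing of an LLM replying to a "rewrite this listing" prompt.
# The article quotes no artifact text, so these patterns are illustrative.
ARTIFACT_RE = re.compile("|".join([
    r"\bas an ai (?:language )?model\b",
    r"\bhere(?:'s| is) (?:a|the|your) (?:rewritten|revised|optimi[sz]ed)"
    r"[\w -]*(?:description|title|listing)",
    r"\bi (?:cannot|can't|am unable to) (?:rewrite|fulfill|comply|assist)",
]), re.IGNORECASE)
SEAL_RE = re.compile(r"trusted\s+store", re.IGNORECASE)
PROMO_RE = re.compile(r"black friday|christmas", re.IGNORECASE)

# Assumed weights: leftover LLM output is the strong signal; a .shop domain,
# a "Trusted Store" seal or holiday promo text also appear on honest shops.
WEIGHTS = {"llm_artifact": 3, "shop_tld": 1,
           "trusted_store_seal": 1, "seasonal_promo": 1}

def find_llm_artifacts(text):
    """Return the LLM-response phrases found in a listing's text."""
    return [m.group(0) for m in ARTIFACT_RE.finditer(text)]

def score_listing(url, text):
    """Return (score, reasons) for one product page."""
    host = (urlparse(url).hostname or "").lower()
    checks = {
        "llm_artifact": bool(find_llm_artifacts(text)),
        "shop_tld": host.endswith(".shop"),
        "trusted_store_seal": bool(SEAL_RE.search(text)),
        "seasonal_promo": bool(PROMO_RE.search(text)),
    }
    reasons = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

# Constructed sample pages (not real sites or real listing text).
SUSPECT = ("https://kettle-deals-placeholder.shop/p/1",
           "Here is a rewritten product description optimized for SEO: "
           "Stainless steel kettle, 1.7 L. Black Friday sale! Trusted Store")
BENIGN = ("https://retailer.example/kettle",
          "Stainless steel kettle, 1.7 L, auto shut-off. Christmas gift idea.")

if __name__ == "__main__":
    for url, text in (SUSPECT, BENIGN):
        print(url, score_listing(url, text))
```

A score from weak signals alone is a reason to look closer, not a verdict, since legitimate retailers also use .shop domains and holiday banners.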