Guest Column | October 7, 2022

Putting A Halt To Scraping And Fake Websites

By Sam Crowther, Kasada

As consumers look to purchase the perfect gift for their loved ones, they may not realize they’re browsing fake websites designed to look like the real deal.

The scheme is most common in the luxury space: bad actors scrape retailers’ websites, set up identical online shops on spoofed domains, and use paid search ads so the shops are easily found, all to sell discounted counterfeit goods, which results in lost revenue for the retailer. These attacks harm the victim company’s brand and reputation because consumers think they are interacting with the real company, not a counterfeit.

If you’re in the luxury goods industry, then you likely already have a target on your back - and now is the time to do something about it.

What Is The Underlying Problem?

For many retailers, over 50% of their website traffic consists of bots, and scraping bots are a significant portion of that traffic. These bots scrape information such as prices, images, web data, contact info, and more from your site. Not all of these bots are bad, however. Good scrapers, which are used for purposes like search engine indexing and permitted scraping by partners and aggregator services, should be allowed.

Fraudsters, on the other hand, extract data from your website. They “scrape” it using low-cost bots and tools readily available on the internet. Web data for everything on your site - from clothing to electronics, job postings to hotel room availability, cars to real estate listings, and many other types of content - is regularly scraped. Some of the more malicious uses of this data include price undercutting, SEO manipulation (intentional use of duplicative content), data theft, and brand damage.

In the retail industry, we’re talking about scraping content, images of goods, and pricing information that can be used to undercut your business. This information lets fraudsters create a fake clone of your website, either to sell counterfeit goods or to sell no real goods at all and just collect payment information. Either way, it hurts your brand in the eyes of a consumer who was ripped off.

Put simply, companies do not want their data being extracted and monetized by unauthorized third parties, nor do they want to pay the additional computing costs incurred by the constant scraping activities of automated bots going to work on their website.

How Are Fraudsters Creating Fake Websites For Profit?

As soon as fraudsters have your site’s data in hand, they’ve already begun to monetize it. There is a typical life cycle for fraudsters looking to acquire and use scraped data to create a fake website that looks exactly like yours:

  • Create Custom Bots - fraudsters create their own stealthy scraper bots that look like good bots, such as search crawlers, or that hide behind residential proxy networks and highly customized DevTools to evade detection.
  • Scrape Website - scraping bots automate the extraction of HTML, information stored within databases, and data from APIs. Scraping provides the foundation for replicating the website elsewhere.
  • Spoof Domain - a fake URL that looks as similar as possible to the legitimate domain name is registered along with valid TLS certificates for encryption.
  • Launch Fake Website - the attacker uses the scraped content and spoofed domain to launch a website that’s nearly indistinguishable from the actual one. The real website’s search ranking often tanks due to duplicate content.
  • Secure Traffic - a variety of techniques direct unsuspecting users to the fake website, for example online digital advertising, social media posts, and spear phishing emails.
  • Generate Profits - counterfeit goods are sold at deep discounts. Credentials are stolen using skimmers, for resale and to perform account takeover (ATO). Malware is injected to conduct click-fraud and other acts of malintent.

These actions can become very costly for businesses, but not at all for the fraudster. Customers complain and request refunds for counterfeit or unfulfilled purchases, meaning that retailers are faced with the choice of revealing they were the victim of fraud and having the customer file a claim, or refunding or exchanging goods for the consumer at a loss. Regardless, brands are forever tarnished by the fake site and scraped data.

How Can This Fraud Be Stopped?

The onus for stopping this type of fraud falls on the retailers themselves. Automated scraping bots simply won’t be stopped by terms and conditions stating that it is illegal to scrape the site. Asking traffic to identify itself as human vs. a bot (as seen with the ever-popular CAPTCHA) won’t work either. Fraudsters that can gain access to a site and scrape it certainly know how to disguise their intentions and evade a CAPTCHA. Bots will scrape your site and have the information they need before you even know it.

To stop scraper bots, retailers need a strong defense solution that recognizes and halts automated bots from gaining entry in the first place. Preventing this kind of fraud isn’t easy, but with modern anti-bot approaches, it is possible to detect and deter fraudsters from being able to successfully scrape your data. Anti-bot solutions can be a big benefit here, as it’s unlikely that any retailers have the workforce or revenue these days to hire a team of security experts that can constantly monitor for automated bot attacks. Services that rely on machine learning (ML) and artificial intelligence (AI) to identify counterfeit websites won’t work either, as these are reactive, operating after the counterfeit site is already up and running and while the retailer continues to pay the tax on web infrastructure caused by the synthetic traffic.
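One narrow check against the first step of the life cycle above, where scrapers pose as search crawlers: confirm a claimed crawler with forward-confirmed reverse DNS before letting it through as a "good bot". This is an added example, not code from the column or from Kasada; it does nothing about bots that hide behind residential proxies without claiming to be a crawler. The function names and the DNS sample data are constructed for illustration, and the hostname suffixes are the ones Google and Bing document for their crawlers.

```python
import socket

# Reverse-DNS suffixes the crawler operators document for their bots.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

def _reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def _forward(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def classify(ip, user_agent, reverse=_reverse, forward=_forward):
    """Return 'verified-crawler', 'impersonator' or 'unclaimed'."""
    ua = user_agent.lower()
    name = next((n for n in CRAWLER_SUFFIXES if n in ua), None)
    if name is None:
        return "unclaimed"  # no crawler claim; other bot defences apply
    try:
        host = reverse(ip).rstrip(".").lower()
        if not host.endswith(CRAWLER_SUFFIXES[name]):
            return "impersonator"
        # The owner of an IP block controls its PTR record, so the name
        # must also resolve forward to the same address.
        return "verified-crawler" if ip in forward(host) else "impersonator"
    except OSError:  # no PTR record or failed lookup
        return "impersonator"

# Constructed DNS data (documentation address ranges), so this runs offline.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "host7.example.net",
       "203.0.113.5": "crawl-1.googlebot.com"}  # forged PTR record
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl-1.googlebot.com": {"192.0.2.99"}}

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def fake_forward(host):
    return A.get(host, set())

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    # Every request claims to be Googlebot; 192.0.2.200 has no PTR record.
    return {ip: classify(ip, GOOGLEBOT_UA, fake_reverse, fake_forward)
            for ip in [*PTR, "192.0.2.200"]}
```

In production, call `classify(ip, user_agent)` with the default resolvers and cache the verdict per IP so the DNS lookups stay off the request path.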

Proactively taking action to stop fraudsters from successfully scraping and spoofing your site is critically important to maintaining your business and brand reputation.

About The Author

Sam Crowther is an entrepreneur with a passion for cybersecurity. The Kasada founder got his start in the industry as a high school student when he joined the cybersecurity team of the Australian Signals Directorate (ASD). From there, he moved to a red team role at a global investment bank, an experience that inspired him to start his own company. With funding from leading U.S. and Australian investors, Crowther launched Kasada in 2015 to provide innovative web traffic integrity solutions to companies around the world. Based in New York and Sydney, Crowther loves creating simple technical solutions to complex problems and is motivated by challenging preconceived ideas and beliefs to have a positive impact on the world.