
What's the word for a large collection of fraudulent web stores?

It started simply enough...

Innocuous Beginnings

Our local small-town ski shop posted on their socials the other day, "We have recently found a fraudulent duplicate online web store. Please be sure you are using our correct web address. If you purchased something from the fraudulent site please contact your credit card company immediately."

I was curious, so I called them the next day. At least one of their customers had attempted to make a purchase through the site, with no goods being delivered. They didn't know what to do about the situation, so I offered to take a look and got the fake site URL, which was the same as their legitimate site but had a hyphen between two words.

According to whois, the domain registrar was and the technical contact was in China. DNS services and webfront were Cloudflare. The fake store was using a copy of the real store's logo, had the same product listings (some with unrealistic discounts applied), and even some of the same <head><meta> tags. The fake store's SEO was pretty good, and a lot of their pages were Google indexed.

I drafted up a DMCA takedown notice, sent it off to via their abuse report form, and within 12 hours they'd put the domain into "client hold" status, essentially disabling the domain. Within 24 hours, cached DNS records were mostly timed out and the fraudulent site was no longer accessible. I also put in a removal request with Google, and the content aged out of their indexes pretty quickly.

DMCA Takedown

It only really took about 30 minutes' work (and, perhaps, 20 years of accrued knowledge of how the internet works and how abuse is reported / handled).

Done? (meta: how does your average retailer who doesn't have a friendly security person reading their socials deal with this situation?)

Upon Further Investigation

Talking with a co-worker, he security-nerd-sniped me by being curious about what the site content was like & if there were any unique characteristics that could be used to track down other instances. Looking at some of the page content that I'd saved, I noticed that one component in particular was misspelled, likely in a unique way.

Probably-Unique Typo

A Google search for stripe-card-woocommrece found two entries for similar-looking sites. Using (specifically,'s associated API query), I was able to pull out a list of 320 unique sites that have this same misspelled component in them.

Example One

I haven't checked them all, but I've checked a reasonably-sized sample. It's a combination of generic and copycat sites, all laid out in the same fashion, and all reflecting the patterns identified in the first case. It's generally a domain name registered at (sometimes different for domains), whois record with a China-based technical contact, with DNS & webfront at Cloudfront, backed by WooCommerce/WordPress, and that typo'd stripe-card-woocommrece in their index.html.

The copycat sites had copied logos and product listings. There was a very similar page layout & footer across all the sites. Some have been translated into different languages.
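The pivot on the misspelled component described above can be repeated offline against saved copies of candidate pages. This is an added example, not code from the original post: the sample pages and `.example` domains are constructed, and it assumes the marker may show up either as a WordPress plugin asset path or elsewhere in the markup.

```python
import re
from collections import defaultdict

# Marker string taken from the post; everything else here is constructed.
MARKER = "stripe-card-woocommrece"
# WordPress serves plugin assets from /wp-content/plugins/<slug>/...
PLUGIN_RE = re.compile(r"/wp-content/plugins/([a-z0-9][a-z0-9_-]*)/", re.I)

# Constructed sample input: domain -> saved HTML (hypothetical sites).
SAMPLE_PAGES = {
    "ski-shop.example": '<link href="/wp-content/plugins/stripe-card-woocommrece/pay.css">'
                        '<script src="/wp-content/plugins/woocommerce/cart.js"></script>',
    "shoes-outlet.example": '<div id="stripe-card-woocommrece-form"></div>'
                            '<script src="/wp-content/plugins/woocommerce/cart.js"></script>',
    "skishop.example": '<script src="/wp-content/plugins/woocommerce/cart.js"></script>',
}

def plugin_slugs(html):
    """Return the set of plugin slugs referenced by asset URLs in a page."""
    return {m.lower() for m in PLUGIN_RE.findall(html)}

def marker_hits(html, marker=MARKER, width=30):
    """Return short context snippets around each occurrence of the marker."""
    hits = []
    for m in re.finditer(re.escape(marker), html, re.I):
        start, end = max(0, m.start() - width), min(len(html), m.end() + width)
        hits.append(html[start:end].replace("\n", " "))
    return hits

def triage(pages, marker=MARKER):
    """Split saved pages into marker matches and non-matches, and list the
    plugin slugs that every matching site has in common."""
    matched, clean, shared = {}, [], defaultdict(set)
    for domain, html in sorted(pages.items()):
        hits = marker_hits(html, marker)
        if not hits:
            clean.append(domain)
            continue
        matched[domain] = hits
        for slug in plugin_slugs(html):
            shared[slug].add(domain)
    # Slugs present on every matching site are candidates for further pivots.
    common = sorted(s for s, d in shared.items() if len(d) == len(matched))
    return matched, clean, common

if __name__ == "__main__":
    matched, clean, common = triage(SAMPLE_PAGES)
    for domain, hits in matched.items():
        print(domain, "->", hits[0])
    print("no marker:", clean, "| shared slugs:", common)
```

The context snippets matter for triage: a hit inside a plugin path and a hit inside an element id both count, but seeing which one it is tells you whether a plugin-path search alone would have missed the site.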

Example Two

The search also took me to This is a purpose-built WordPress crawler that catalogs plugins across WordPress instances, and tells me that the stripe-card-woocommrece WordPress plugin is used on 235 websites.

I couldn't be bothered figuring out how to scrape the full list of domains out of this site, but from a manual check there seemed to be some unique items on both lists ( was a particularly good one from this list).

Example Three

Neither GitHub nor GitLab has that stripe-card-woocommrece string indexed, so it looks like we're not going to get lucky and find a public repository with this code in it.


Follow The Money

Another co-worker was curious (stop being curious and causing more work for me, co-workers!) about if and / or how these payments were being processed.

The shopping cart / checkout screens and payment forms on these sites feel reasonably well done and don't have any crazy red flags. They generally offer Mastercard, Visa, and Paypal payment methods.

Looking at one of the fake storefronts,

  • Doing a Visa payment with a test card # (good ol' 4242 4242 4242 4242) redirects to prompting for re-entry of a verification code rendered on the same page (oops, no padlock.. I guess they aren't "protected by 256-bit SSL technology" after all), which then redirects back to the storefront via (I suspect they may not be processing payments, but are perhaps collecting credit card details on the backend?)

Verification Code

  • Choosing Paypal does result in a redirect to and what looks like a legit login form, via The Paypal page has a 'Cancel and return to Todd Le' link at the bottom, pointing back to which then redirected through to (similar-but-different fake storefront).

Paypal POST

Looking at a second fake store front,, we see the same deal. A Visa payment with test card redirects through then before landing back at the fake storefront. Paypal behavior is the same, with the same 'Todd Le' cancellation link (perhaps there's a shared Paypal merchant account under the hood here?).

What Next?

I'm not quite sure but somehow helping out the local small-town ski shop has led to this. Perhaps all these sites are legit but.. I don't think so. Is this level of probably-fraud just situation-normal for the internet these days?

Ehh, who knows! Find some way to flag copycats with the individual brands in question? Report en masse to, Cloudflare, and Paypal abuse/fraud teams? Go straight to the FTC?

Or just hit publish and move on with life.


The List

(...or partial list, according to

Some of the sites on this list seem to have been taken down already - perhaps some brands are better at monitoring their domain name space than others?

The uniformity-but-not of these sites is really quite impressive. I'm morbidly curious what their deployment pipeline / management tooling looks like.

© Jamie Finnigan; opinions my own and not my employers.