Executive summary
Malicious actors are always looking for creative new ways to trick people into a scam. In this case, a new website is offering a 75% discount on all Timberland shoes. The information looks almost identical to the original page, but on closer inspection questions start to pop up.
Key takeaways:
- Fake websites and phishing attempts tend to rise before holidays.
- Santa’s 75% discount in the case below will probably lead to loss of money or to people being disappointed by buying fake shoes.
Analysis
Yesterday I received a message in one of my WhatsApp groups:
"75% discount on Timberland brand for 72 hours, Enjoy!" and a link to the website kopwor[.]com
To be honest, for a moment while looking at that website, I thought how lucky I am with Santa’s presents this year, with a 75% discount on all Timberland shoes! At first look the website seemed promising and legitimate, with a wide variety of shoes and detailed information on all of them.
Figure 1. 75% discount on all shoes
Then I started to think: well, let's check this website. First, I had never heard of it, and second, it's too good to be true.
So let’s see what information we can extract from the website. The first thing we can check is when it was registered, using an online whois service such as who.is or domaintools.com. The whois query tells us that the website was registered only 5 months ago, on 2021-07-07, with "NameSilo". In addition, looking at the website's history using the Wayback Machine, an archive of internet websites, we see that on 2021-12-10 the website had no content.
The website is hosted on Cloudflare and uses the host's certificate service for SSL:
Figure 2. Website certificate
Looking at the page source we can notice some comments in Chinese:
Figure 3. Chinese comment on page source
Clicking on any of the links at the bottom of the page, including “About Us” and “Shipping & Deliveries”, returns "Page not found":
Figure 4. Missing web pages such as “About Us”
If we go to purchase, there is no input validation:
Figure 5. No input validation
And last, let's compare one shoe from the suspicious website with Timberland's original website.
Let's look closer at "Men's Timberland Premium 6-Inch Waterproof Boots" on the kopwor website versus "Men's Timberland® Premium 6-Inch Waterproof Boots" on the Timberland website (notice the missing "R" symbol after the Timberland name in the shoe description on the kopwor website).
Figure 6. Comparison between similar shoes on both websites
Original price US$ 198 on both, discounted price on kopwor: US$ 49.50.
At a quick look, we can see the similarities between the shoes: the color is a bit different, but overall their structure looks similar.
When looking more closely we can notice more significant changes, so let’s play "find the differences":
Figure 7. Closer look at both shoes
Some differences on the image marked in colors:
- Color of the stitches
- R mark sign size and location
- Couple of differences on the logo
- The color of the sole
In addition, there are some good websites, such as ScamAdviser, that can help us assess suspicious websites.
In our case it lists the following negative highlights for the kopwor website:
- The registrar has a high % of spammers and fraud sites
- The owner of the website is using a service to hide their identity on WHOIS
- This website is (very) young.
- High number of suspicious websites on this server
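The WHOIS checks above (registration date, registrar, hidden owner) and the empty archive snapshot can be scripted for triage. The Python below is an added example, not part of the original analysis: the WHOIS text is a constructed sample built from the article's registration date and registrar, and the 365-day "young" threshold, the 30-day archive window and the analysis date 2021-12-20 are assumptions.

```python
import re
from datetime import date, datetime

# Constructed WHOIS excerpt: creation date and registrar are the article's values,
# the registrant line is a placeholder standing in for a privacy service.
SAMPLE_WHOIS = """\
Domain Name: kopwor[.]com
Creation Date: 2021-07-07T00:00:00Z
Registrar: NameSilo, LLC
Registrant Organization: EXAMPLE PRIVACY SERVICE (placeholder)
"""
PRIVACY_HINTS = ("privacy", "redacted", "proxy")
YOUNG_DAYS = 365  # assumed cut-off for a "young" domain


def parse_whois(text):  # "Key: value" lines -> dict, keys lower-cased
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields


def domain_age_days(fields, today):
    created = fields.get("creation date")
    if not created:
        return None  # field missing: unknown age, never assume "old"
    return (today - datetime.strptime(created[:10], "%Y-%m-%d").date()).days


def red_flags(text, today, archive_empty_on=None):
    fields = parse_whois(text)
    flags = []
    age = domain_age_days(fields, today)
    if age is None:
        flags.append("no creation date in WHOIS")
    elif age < YOUNG_DAYS:
        flags.append(f"domain is only {age} days old")
    registrant = " ".join(v for k, v in fields.items() if k.startswith("registrant"))
    if any(hint in registrant.lower() for hint in PRIVACY_HINTS):
        flags.append("registrant hidden behind a privacy service")
    # archive_empty_on: date of a manually checked snapshot that had no content
    if archive_empty_on and (today - archive_empty_on).days < 30:
        flags.append(f"no archived content as recently as {archive_empty_on}")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE_WHOIS, date(2021, 12, 20), date(2021, 12, 10)))
```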
Bottom line: either it's a phishing website aimed at stealing users' money, or it's a site selling fake Timberland shoes. Either way, you should always look for suspicious signs when unknown websites offer amazing deals.
Currently the 72-hour sale is over, but the discounted prices are still the same, which is another red flag.
Safe surfing and Happy holidays!
Recommended actions
- Be careful when buying from untrustworthy websites.
- Try to pay attention to important information, such as website certificates.