Negative brand equity and misrepresentations are among the worst nightmares of today’s biggest brands — and more often than not, it’s connected to cybersecurity and data breaches.
For example, the latest stats show that one in every 99 emails you get each day has to do with phishing attacks, the majority of which come laced with malware specially crafted to harvest victims’ financial credentials or use popular brands as social engineering bait.
A great example would be an email offering a huge discount that the victim would find hard to resist. So she clicks on the link, which leads to a site where she’s asked to fill in personal details, including, for instance, the credit card she plans to use to purchase the goods. She never receives the items she supposedly bought, so she complains to the store via all possible means — email, phone, and social media.
What’s worse, others who fell for the same ruse join in the frenzy, dragging the brand’s name through the mud. What can the victim company do? Could it have prevented the phishing attack? These are just some of the questions this article will answer by analyzing Zara’s real-life case.
Table of Contents
- The Attack: The Curious Case of Zara
- The Real Deal: Behind the Scammers’ Curtains
- The Evidence: Could Brand Monitor or Brand Alert API Have Helped Prevent the Attack?
- The Verdict: Lessons Learned from Zara’s Case
The Attack: The Curious Case of Zara
In the recent past, phishing was largely limited to emails that people read on their computers. With smartphones and the millions of apps that users can choose from, that’s no longer so, as Zara’s case will show.
Zara is a Spanish fast-fashion retailer, very popular worldwide. Apart from having physical stores in some of the biggest shopping malls the world over, it also sells clothing and accessories via country or regional sites online. To date, it has a total of 202 physical and online shops.
The Attack Vector
WhatsApp is a messaging app that’s currently being used by hundreds of millions of users worldwide. It can be used on not just smartphones, but also on personal computers, so just imagine the number of potential victims a cybercriminal can have.
Sometime in February 2016, several WhatsApp users received an instant message from someone they know and trust prodding them to forward it to 10 contacts. They were then asked to click a shortened link to a site where they could get their free Zara gift cards.
The Real Deal: Behind the Scammers’ Curtains
Here’s how the victims’ credit card and other personally identifiable information or PII ended up in phishers’ hands:
- 1. Potential victims get the following WhatsApp instant message from a contact.
- 2. They forward the message to 10 contacts as suggested (unwittingly getting the phishers more potential victims).
- 3. They then click the shortened link to the site to get their free gift card (typically US$500 worth).
- 4. The site (specially crafted to look like a real Zara page) asks them to fill in a form to receive the gift card and so they do.
- 5. They click “Submit”, which sends their details to the attackers. Their personal information could then end up for sale in the Deep Web or underground marketplaces, be used by the phishers themselves for fraud, or be held for ransom.
This isn’t the first time Zara’s or other popular retailers’ brand was used for a phishing attack. A similar ruse taking advantage of Zara was seen on Facebook even earlier, in March 2014. The message appeared on potential victims’ timelines. Those fooled into clicking on the link were led to a site that harvested their personal information, including credit card details.
Regardless of the platform and brand used, one thing always remains: it’s a sham! None of the victims ever gets a free gift card, of course; they just end up inviting more people to get phished and handing their personal information to eagerly waiting cybercriminals via specially crafted data-stealing sites.
The promise of getting something for free always seems to do the trick when baiting digital citizens to give up their PII. They aren’t the only ones who suffer from phishing attacks though. The retailers’ brands and thus their reputations also become casualties. So now we come to the burning question: Could Zara have prevented the phishing attack from its end using Brand Monitor or Brand Alert API? Let’s find out.
The Evidence: Could Brand Monitor or Brand Alert API Have Helped Prevent the Attack?
Brand Monitor is a domain-monitoring tool that lets users keep track of their brands’ and other trademarks’ or intellectual properties’ exact matches and variations, including those with all possible typos, in order to protect their business online.
Let’s see how it could have helped in Zara’s case.
- 1. Sign up by clicking “Open Dashboard” on the Brand Monitor site. You automatically get your free credits.
- 2. Look for and click “Brand Monitor” on the left panel. You’ll automatically be taken to the “Basic” function. Type your brand name into the input box then click “Add to monitoring”. In this step-by-step guide, we’ll use the brand “Zara”. Note that you’ll need to wait for 24 hours to see the results because the monitoring is completed on a daily basis.
- 3. You can, however, already choose to use Brand Monitor’s Typos function. This will help if you’re looking to spot possible phishing sites spoofing your brand. To do that, click “Edit monitor”. You should see a prompt like this:
- 4. Simply switch the “Typos” toggle button on (the icon turns red) and you’re done. You’ll see how many misspelled versions of your brand name will be added to your tracker. In this case, 135 possible matches will be added to our Zara monitoring. Click “Save”. To see a list of the typos the tool automatically added to your tracker, click the “Typos (number) >” button; you should see something like this: All the possible variations of “Zara” that Brand Monitor automatically generated are made available on the drop-down list.
- 5. A day’s monitoring would give you results similar to this: Changes appear on the left panel, arranged by date.
- 6. Check if any of them are piggybacking on your brand or, worse, damaging your hard-earned reputation. Our Zara monitoring revealed that among the domain names we’re tracking, misspelled ones included, there were 6,557 new additions or modified domains while 1,827 were, for one reason or another, dropped by their owners. To see the entire list, click “Show more”.
- 7. Go through the list and build WHOIS reports on each if you have the resources to do so. If not, pick the most suspicious-looking ones and take a closer look at them. Quick tip: Focus on the list of active domains — the ones that have recently been put up or modified (those on the left-hand side). Compare each site’s content with yours. Look for typical signs indicating that cybercriminals or people with malicious intentions are training their sights on your business, which include:
- Misspelled domain name, a variant of yours with typos;
- A non-affiliated site, web page, email, newsletter, instant message, or social media post sporting your logo or its lookalike;
- A non-affiliated site, web page, email, newsletter, instant message, or social media post tied to an email address, any URL (shortened links included), online account, or person that your company doesn’t own or employ;
- A domain name that uses an uncommon gTLD such as “.xyz” that no company would normally use or a ccTLD that corresponds to a country that you’re sure you don’t sell to or do business in;
- A domain name that has random numbers or special characters that aren’t part of the brand or company’s name (This defeats the purpose of making it easy for users to find a legitimate company’s site online after all.)
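The indicators listed above, together with the typo-variant generation that Brand Monitor performs for you, can be turned into a first-pass triage of a monitoring list. The script below is an added example written for this article, not Brand Monitor’s or Brand Alert API’s own code: it generates single-edit typo variants of a brand label (omissions, repeated keys, transpositions, neighbouring-key substitutions), scores a constructed list of candidate domains against the indicators, skips domains on an owner-maintained allowlist, and ranks the rest. The keyboard-neighbour table, the indicator weights, the expected-gTLD and market-ccTLD sets, and the sample domains are all assumptions chosen for illustration.

```python
"""Typosquat triage for a brand-monitoring list (constructed example)."""
from dataclasses import dataclass, field

# Neighbouring keys on a QWERTY keyboard for "fat finger" substitutions.
# Assumption: a hand-written subset that covers the letters of the sample brand.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "e": "wsdr", "r": "edft", "s": "awedxz", "z": "asx",
    "x": "zsdc", "d": "serfcx", "t": "rfgy", "q": "wa", "w": "qase",
}

# Indicator tag -> (weight, description). Weights are an assumption; they only
# decide which domains get a WHOIS report first, a hit is not proof of fraud.
INDICATORS = {
    "typo": (3, "single-edit typo of the brand label"),
    "decorated": (2, "brand plus digits or special characters"),
    "embedded": (1, "brand inside a longer, ordinary-looking label"),
    "odd_gtld": (2, "gTLD the brand never uses"),
    "odd_cctld": (2, "ccTLD of a country outside the brand's markets"),
}


def typo_variants(brand: str) -> set[str]:
    """Return every label one keyboard slip away from the brand label."""
    b = brand.lower()
    out: set[str] = set()
    for i, ch in enumerate(b):
        out.add(b[:i] + b[i + 1:])                      # omission:      "zra"
        out.add(b[:i] + ch + b[i:])                     # repeated key:  "zaara"
        if i + 1 < len(b):
            out.add(b[:i] + b[i + 1] + ch + b[i + 2:])  # transposition: "azra"
        for k in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(b[:i] + k + b[i + 1:])              # fat finger:    "sara"
    out.discard(b)
    return out


@dataclass
class Finding:
    domain: str
    reasons: list[str] = field(default_factory=list)
    score: int = 0


def assess(domain, brand, own_domains, expected_gtlds, market_cctlds):
    """Score one candidate domain; None means nothing suspicious (or it is yours)."""
    d = domain.lower().strip(".")
    if d in own_domains:
        return None                       # never flag your own or affiliated sites
    label, _, suffix = d.partition(".")
    if not suffix:
        return None                       # not a registrable domain name
    tld = suffix.rsplit(".", 1)[-1]       # "co.uk" -> "uk" (no public-suffix list; assumption)
    b = brand.lower()
    f = Finding(d)
    if label in typo_variants(b):
        f.reasons.append("typo")
    elif b in label and label != b:
        decorated = any(c.isdigit() for c in label) or "-" in label
        f.reasons.append("decorated" if decorated else "embedded")
    if len(tld) == 2:                     # two-letter suffixes are ccTLDs
        if tld not in market_cctlds:
            f.reasons.append("odd_cctld")
    elif tld not in expected_gtlds:
        f.reasons.append("odd_gtld")
    f.score = sum(INDICATORS[r][0] for r in f.reasons)
    return f if f.reasons else None


def triage(candidates, brand, own_domains, expected_gtlds, market_cctlds):
    """Rank the suspicious candidates, highest score first, then alphabetically."""
    found = [assess(c, brand, own_domains, expected_gtlds, market_cctlds) for c in candidates]
    return sorted((f for f in found if f), key=lambda f: (-f.score, f.domain))


# Constructed inputs for the demonstration (not real monitoring output).
OWN_DOMAINS = {"zara.com"}
EXPECTED_GTLDS = {"com", "net", "org"}
MARKET_CCTLDS = {"es", "uk", "us", "de", "fr"}
SAMPLE_DOMAINS = [
    "zara.com", "zara.es", "zara.co.uk", "zara.org",      # legitimate-looking
    "sara.xyz", "zara-giftcard.xyz", "zara500.ru",        # worth a WHOIS report
    "zaragoza.es",                                        # shares letters only
]

if __name__ == "__main__":
    for f in triage(SAMPLE_DOMAINS, "zara", OWN_DOMAINS, EXPECTED_GTLDS, MARKET_CCTLDS):
        print(f"{f.score}  {f.domain:20} {'; '.join(INDICATORS[r][1] for r in f.reasons)}")
```

Feed it the new or modified domains your monitor reports for the day and work down the list from the top; a low score such as the one “zaragoza.es” receives is the “same letters as your brand” case to treat with caution rather than suspicion, and the allowlist is where your own and your resellers’ domains belong so they are never flagged.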
Make sure though that none of the sites are yours or affiliated in some way with your company. You don’t want to make them inaccessible to users. You should find that a lot of the sites’ names may just have the same letters as your brand names or the companies that own them resell your products. Don’t be too hasty about suspecting them of foul play.
To widen your search, you can also add other keywords to your monitor. Good examples for a brand like Zara would be “fashion,” “retail,” “clothing,” and “accessories”. To do that, just click “Edit monitor”.
Click “+” beside “Add term” then type each additional keyword into the input box that appears. When you’re done, click “Save”. Brand Monitor will now show you results with the additional keywords in future reports. This is a great way to keep track of your competitors. You can also add their brands to your tracker if you wish to stay ahead of their sales and marketing efforts.
- 8. After compiling a list of suspicious-looking sites, find out more about each of them. To do that, click “>” next to the domain name. You should see a pop-up window like this:
- 9. If you wish to take a deeper dive, you can build WHOIS reports. A basic WHOIS report will serve our purpose. Let’s say you want to see more about “sara.xyz”. Click “Build WHOIS report” from among the choices. You should get something that looks like this: Note that we’re not saying “sara.xyz” is malicious. We just used it as an example for building a WHOIS report. As it turns out, the domain is currently for sale.
- 10. Should you find a domain that is malicious though, contact its registrar. If it’s not taken down, issue warnings of potential fraud to your customers on your shopping site or blog if you have one. Email subscribers to your newsletter or updates too. Tell them not to visit the potentially harmful site and that it isn’t in any way connected to your brand. Seek the aid of a law enforcement agency or the authorities. Alert them that the site may be used in a phishing attack.
If you’re the type of person who is more comfortable sifting through records offline but want to get the same benefits that Brand Monitor provides, use Brand Alert API, its RESTful API counterpart. It gives the same results as Brand Monitor in XML and JSON formats. Choose which works best for you.
For better security and peace of mind, use these other domain-monitoring tools from the Domain Research Suite that will seamlessly work with both Brand Monitor and Brand Alert API:
- Reverse WHOIS Search: You can use the WHOIS reports that Reverse WHOIS Search generates to obtain more information on a domain you’ve been keeping tabs on with Brand Monitor to verify its legitimacy when, say, you’re investigating it for copyright infringement or any fraudulent activity.
- WHOIS History Search: If you’re unsure of the reputation of a domain you wish to purchase and want to know its entire history, use WHOIS History Search with Brand Monitor. It gives you detailed insights on the domain’s entire life cycle, allowing you to make sure it never had ties to malicious online dealings that could harm your brand.
- WHOIS Search: If you’re interested in purchasing a domain that will fit your company’s needs to a T, use WHOIS Search with Brand Monitor. It can alert you when the domain is up for grabs, such as when its owner has given up the rights to use it or its registration has simply expired.
- Domain Availability Check: Looking for a domain for your new product? Use Domain Availability Check with Brand Monitor. It gives you a list of all the domains that may meet your needs. If the domain you’re eyeing is currently in use, Brand Monitor can alert you when it becomes available.
- Domain Monitor: Use Domain Monitor with Brand Monitor to keep track of any changes to the domain that has piqued your interest.
- Registrant Monitor: Use Registrant Monitor with Brand Monitor to keep track of registrant-related changes tied to brands you’re viewing.
The Verdict: Lessons Learned from Zara’s Case
Zara and other fashion retailers have proven lucrative phishing baits because their customers, increasingly inclined to buy luxury apparel, have good spending power. Targeting the retailers directly can also provide perpetrators with intellectual property that they can sell to the highest bidder (possibly a competitor). If the retailers’ shopping site databases get breached, the attackers get their greedy hands on their customers’ personal and financial data as well. All that can land the retailers in tons of cyber trouble: not only would their customers suffer, their brand would certainly be damaged too.
Today’s brand protection guidelines shouldn’t just cover a company’s logo and other trademarks’ usage policies. The ubiquity of the Internet requires that they cover domain security as well. It’s not enough to expect customers not to fall for age-old phishing tactics; retailers need to do their part as well. That’s where tools like Brand Monitor and Brand Alert API come in handy. They don’t just let you safeguard your virtual assets; they protect your customers and your good name too.