Blog DomainTools Investigations

The Role of Domain and DNS Intelligence in Fighting Online Threats

Internet’s Impact on Consumer Fraud

Like the threat landscape, the online landscape is ever-changing: what was popular a few months ago may not be trendy today. Yet while newer platforms emerge, established platforms are also growing among younger audiences, especially for e-commerce.

Modern Retail reports that some Gen Z'ers prefer Pinterest over TikTok for shopping, and that more brands consider Pinterest critical to reaching younger generations.

Online platforms do act against abuse, but brands can also use domain and DNS intelligence to defend themselves against spoofed websites and the credential harvesting that often accompanies them.

This matters to every industry: Internet-enabled consumer fraud is not confined to retail, and the same lures reach financial services and technology customers. Proactive threat detection helps any sector mitigate these risks before they materialize.

How Cybercriminals Use Online Platforms and Social Media for Scams

Malicious actors often use online platforms as the delivery vector for phishing lures that send victims to dangerous links or malicious downloads. Some links lead to storefronts that promise specific goods and ship cheap knockoffs; others combine phishing, malware distribution, and domain spoofing to go after bigger game such as payment details and credentials.

In this article, we'll look at Pinterest as an attack vector based on a malicious sponsored ad spotted in the wild. While the group in question has additional links to VKontakte (VK), TikTok, and X, this research focuses on what was seen organically on Pinterest. Again, while this is a retail-oriented example, the technique's impact can reach beyond retail into financial services and technology.

How Cybercriminals Use Pinterest for Scams: A Case Study

Threat actors using Pinterest to conduct business isn't new; there are reports going back to its inception of cyber criminals using it for their own gain. They continue to use it because:

  1. It has a large user base – more than 39% of American adults use it.
  2. Depending on the organization, it’s often not blocked by firewalls or Internet filtering products by default.
Screenshots of a Pinterest account with an ad posing as the L.L.Bean brand.

Clicking on the Pin in question takes users to the domain llbeanfactoryoutlets[.]shop, a clone of the legitimate L.L.Bean website modified for the threat actor's own purposes, with additional obfuscation added to its JavaScript. The first indicator that something could be awry is the top-level domain (TLD): .shop. A brand with this much longevity would be expected to live on .com, so a brand name paired with an unexpected TLD is a cheap first-pass signal, even though it is not conclusive on its own.

Screenshot of llbeanfactoryoutlets[.]shop domain's homepage

Domain and DNS Solutions for Brand Defense

Looking in DomainTools Iris Investigate, llbeanfactoryoutlets[.]shop was first seen on December 24, 2024. Either the actors were burning the midnight oil on Christmas Eve or, more likely, this was an automated registration timed for a holiday in the hope that no one would notice.

Screenshot from DomainTools Iris Investigate showing a create date of 2024-12-24.

Going into the Domain History tab, we can see the IP address change from a Google address to a Cloudflare address.

Screenshot of the Domain History Tab of Iris Investigate showing a change from 34[.]149.140.193 to 104[.]18.73.116

The Google IP address (34[.]149.140.193) was plugged into Farsight DNSDB Scout (DomainTools' passive DNS tool), and the results included many other .shop domains. We investigated a few of them to see whether they exhibited the same malicious behavior.

Another L.L.Bean-themed domain, llbean-usaaus[.]shop, turned up in Farsight DNSDB. In Iris Investigate we saw that it was created earlier than the original domain in question (November 29, 2024) and that it had always lived on the Cloudflare IP address; no movement from Google to Cloudflare was seen.

Screenshot from Iris Investigate showing llbean-usaaus[.]shop’s Create Date as 2024-11-29.

In Farsight DNSDB, we wanted to see more about what happened on December 24, 2024, the day the initial domain was first seen. On that day, ariatpromotions[.]shop was also created; it is a direct clone of the Ariat site (another rugged outdoor brand with a likely cross-over audience with L.L.Bean).

Screenshot from Farsight DNSDB: a table of timestamps, record counts, and domains, including vdbsopqz[.]news, Qionty[.]net, and drjxo[.]com.

Going back into Iris Investigate for its domain history, we see that it moved from a Cloudflare IP address to the Google IP address, the opposite direction from llbeanfactoryoutlets[.]shop, but the same pair of addresses connects the two.

Screenshot from Iris Investigate showing the Domain History of ariatpromotions[.]shop switching from one IP to a new one.

We see parallel activity on two different sites. A reasonable inference is that ariatpromotions[.]shop was set up by the same actor as the L.L.Bean domain: its code matches, as does the method of cloning the legitimate site.

Given the apparent focus on outdoor and exercise retailers, we ran an Iris Investigate advanced search for domains on the Cloudflare IP address between December 24 and December 29, 2024, and came up with 321 records. One caveat applies to any pivot like this: 104[.]18.73.116 is a shared Cloudflare edge address that fronts many unrelated sites, so co-hosting on it is only a starting point, and each hit still needs corroboration from registration data, page content, or timing.
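The pivot walked through above (seed domain to its IP history, then to other names first seen on those IPs inside a date window, then a look at the TLD mix of what comes back) as a small script. This is an added example, not DomainTools code: the passive-DNS records are constructed to mirror the domains, IPs, and dates quoted in this article, the unrelated-* names and intermediate timestamps are made up, and the record fields (rrname, rdata, time_first, time_last) follow the DNSDB JSON output shape only loosely.

```python
from collections import Counter
from datetime import date, datetime, timezone

# Constructed passive-DNS records (not real DNSDB output). Domains, IPs and dates named
# in the article are kept; the unrelated-* names and intermediate timestamps are invented.
RECORDS = [
    {"rrname": "llbeanfactoryoutlets.shop.", "rdata": "34.149.140.193",
     "time_first": "2024-12-24T06:12:00Z", "time_last": "2025-01-14T23:59:59Z"},
    {"rrname": "llbeanfactoryoutlets.shop.", "rdata": "104.18.73.116",
     "time_first": "2025-01-15T00:00:00Z", "time_last": "2025-02-20T18:37:41Z"},
    {"rrname": "llbean-usaaus.shop.", "rdata": "104.18.73.116",
     "time_first": "2024-11-29T00:00:00Z", "time_last": "2025-02-01T00:00:00Z"},
    {"rrname": "ariatpromotions.shop.", "rdata": "104.18.73.116",
     "time_first": "2024-12-24T09:00:00Z", "time_last": "2025-01-09T23:59:59Z"},
    {"rrname": "ariatpromotions.shop.", "rdata": "34.149.140.193",
     "time_first": "2025-01-10T00:00:00Z", "time_last": "2025-02-01T00:00:00Z"},
    {"rrname": "unrelated-a.ru.", "rdata": "104.18.73.116",
     "time_first": "2025-02-18T00:00:00Z", "time_last": "2025-02-20T00:00:00Z"},
    {"rrname": "unrelated-b.com.", "rdata": "34.149.140.193",
     "time_first": "2023-05-01T00:00:00Z", "time_last": "2023-06-01T00:00:00Z"},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _name(rrname: str) -> str:
    """Normalize an owner name: strip the trailing dot and lowercase."""
    return rrname.rstrip(".").lower()


def ip_history(records, name):
    """IPs `name` resolved to, ordered by first observation: [(ip, first, last), ...]."""
    rows = [(r["rdata"], _ts(r["time_first"]), _ts(r["time_last"]))
            for r in records if _name(r["rrname"]) == name.lower()]
    return sorted(rows, key=lambda row: row[1])


def cohosted(records, ip, start, end):
    """Names whose first observation on `ip` falls within [start, end] (YYYY-MM-DD, inclusive).

    The time fence matters: shared Cloudflare and Google load-balancer addresses front
    many unrelated tenants, so an IP match alone is weak evidence of a common actor.
    """
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return {_name(r["rrname"]) for r in records
            if r["rdata"] == ip and lo <= _ts(r["time_first"]).date() <= hi}


def pivot(records, seed, start, end):
    """Seed name -> its IPs -> other names first seen on those IPs inside the window."""
    found = set()
    for ip, _first, _last in ip_history(records, seed):
        found |= cohosted(records, ip, start, end)
    found.discard(seed.lower())
    return found


def tld_tally(names):
    """TLD distribution of a result set, to spot shifts such as .shop -> ccTLDs."""
    return Counter(n.rsplit(".", 1)[-1] for n in names)


if __name__ == "__main__":
    seed = "llbeanfactoryoutlets.shop"
    for ip, first, last in ip_history(RECORDS, seed):
        print(f"{seed} -> {ip}  {first:%Y-%m-%d} .. {last:%Y-%m-%d}")
    linked = pivot(RECORDS, seed, "2024-11-01", "2025-02-28")
    print("co-hosted in window:", sorted(linked))
    print("TLD tally:", dict(tld_tally(linked)))
```

Narrowing the window to the five days the article used returns only ariatpromotions[.]shop from the Cloudflare address in this data; widening it pulls in llbean-usaaus[.]shop and an unrelated ccTLD tenant, which is exactly the noise a shared edge address introduces.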

OSINT Discoveries Regarding llbeanfactoryoutlets[.]shop

Opening llbeanfactoryoutlets[.]shop's source code, one can see a Chinese language setting and Chinese (Mandarin) text in the markup, yet the page renders in English for visitors in the US (where DomainTools researchers are located). That gives an inkling that the actor could be Chinese, or at least that the kit was built by Chinese speakers.

Screenshot showing Mandarin in llbeanfactoryoutlets[.]shop’s source code along with a translation to English.

The other domains mentioned above (ariatpromotions[.]shop and llbean-usaaus[.]shop) also have Chinese embedded in their code; in some cases the browser prompts visitors to translate the page from Chinese to English.
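The source-code clues described in this section (a language declaration, Chinese text in the markup, and the JavaScript obfuscation noted earlier) can be extracted mechanically when triaging many cloned storefronts. The following is an added example, not code from DomainTools or from the sites discussed: the HTML is constructed to resemble a cloned storefront's head and body, and the `_0x` identifier pattern is the naming style of a widely used JavaScript obfuscator, applied here as a heuristic only.

```python
import re

# Constructed HTML resembling a cloned storefront; not the real site's source.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<title>L.L.Bean Factory Outlet - 折扣</title>
<!-- 首页模板 -->
<script>var _0x1a2b=['\\x6c\\x6f\\x67'];console[_0x1a2b[0]]('ok');</script>
</head>
<body><h1>Up to 80% off</h1><p>欢迎光临</p></body></html>
"""

# CJK Unified Ideographs and Extension A, CJK punctuation, and fullwidth forms.
CJK = re.compile(r"[\u3400-\u4dbf\u4e00-\u9fff\u3000-\u303f\uff00-\uffef]")
HTML_LANG = re.compile(r"<html[^>]*\blang=[\"']?([A-Za-z-]+)", re.I)
META_CHARSET = re.compile(r"<meta[^>]*charset=[\"']?([A-Za-z0-9_-]+)", re.I)
# Identifier style emitted by a common JavaScript obfuscator; a hint, not proof.
OBF_JS = re.compile(r"_0x[0-9a-f]{4,}", re.I)


def language_clues(html: str) -> dict:
    """Summarize the language and obfuscation clues visible in raw page source."""
    lang = HTML_LANG.search(html)
    charset = META_CHARSET.search(html)
    cjk_chars = len(CJK.findall(html))
    declared = lang.group(1).lower() if lang else None
    return {
        "lang": declared,
        "charset": charset.group(1).lower() if charset else None,
        "cjk_chars": cjk_chars,
        # Chinese source text points at who built the kit; kits are resold, so this
        # is a clue about provenance, not a conclusion about the operator.
        "chinese_source": bool((declared and declared.startswith("zh")) or cjk_chars > 0),
        "obfuscated_js_hint": OBF_JS.search(html) is not None,
    }


if __name__ == "__main__":
    for key, value in language_clues(SAMPLE_HTML).items():
        print(f"{key:>20}: {value}")
```

Run against fetched source rather than rendered text: browser translation, as the article notes, hides the Chinese strings from a casual visitor, but not from the raw HTML.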

Additional evidence found in a Google search revealed a Reddit thread regarding this domain along with others.

Screenshot of the comment made on Reddit pointing to the domain llbeancrazydealca[.]shop.

The domain llbeancrazydealca[.]shop was not seen initially when pivoting in Iris Investigate, likely because of the time fencing we had applied. Looking at it in Iris, however, it is the domain that affirms the suspected link to Chinese actors.

Domain profile screenshot from Iris Investigate for llbeancrazydealca[.]shop: two registrant email addresses with associated domain counts, and a registrant named "cao youwei" in China, linked to approximately 106 domains.
Registry record screenshot for llbeancrazydealca[.]shop: registrant name, organization, email, phone, and other technical details, with an expiration in September 2024.
Both screenshots show the Registrant Country and Registrant City leading back to China.

The IP address connected to this domain is the familiar Cloudflare address 104[.]18.73.116, which, together with the registrant data above, ties this domain to the others previously identified.

Spoofed Domains Seen Today

What we shared above was more about the process of finding connected infrastructure in a certain time period. What are we seeing regarding llbeanfactoryoutlets[.]shop following the initial investigation?

In the Screenshot History section of Iris Investigate, we can see that a snapshot of the domain's homepage was taken on February 18, 2025 (two days before this was written). It no longer carries the L.L.Bean branding it had when the Pin was first seen on Pinterest.

Screenshot of llbeanfactoryoutlets[.]shop’s homepage no longer sporting L.L.Bean branding, but still marketing themselves as a clothing website.

Farsight DNSDB confirms this: the domain was last seen on 2025-02-20 18:37:41 and is still housed on the Cloudflare IP address (104[.]18.73.116).

What is interesting now is that, while the initial investigation turned up many .shop domains, pivoting off the 104[.]18.73.116 IP address now surfaces more country-code TLDs (ccTLDs) such as .ru (Russia), .cn (China), .is (Iceland), .us (United States), and .ca (Canada).

Screenshot from Farsight DNSDB illustrating the move from .shop to ccTLDs

While llbeanfactoryoutlets[.]shop itself remains on .shop, the threat actor behind this campaign may be trying to evade detection by moving to ccTLDs, or may be shifting targeting to different geographic regions; a third possibility to rule out is that some of these ccTLD domains are simply unrelated tenants of the shared Cloudflare address.

Checking back a few weeks later, llbeanfactoryoutlets[.]shop has been taken down, an effort led by L.L.Bean's CTI team.

Screenshot of what is seen today when navigating to llbeanfactoryoutlets[.]shop: a page with a dark background, the header "LLBEANFACTORYOUTLET[.]SHOP," and three blue buttons labeled "Black Pink Tickets," "Kittery Maine," and "Clothing Store," each followed by a right-facing arrow.

This is important for any brand to be mindful of, especially a global one: a wider market means a larger attack surface, and your customers can be targeted region by region. Understanding this movement is crucial for a CTI team monitoring emerging threats.

Known Chinese Cybercrime Groups Involved in E-Commerce Fraud

Based on the information available, we have a high level of confidence that this group is operating out of China. Its tactics, techniques, and procedures (TTPs) align with previously seen China-based cybercriminal activity linked to fake e-commerce sites, brand impersonation, and credit card theft schemes, and the registrant findings for llbeancrazydealca[.]shop point the same way, so we assess this actor is Chinese.

The “Fake Store Syndicates” (Chinese Underground Groups)

These groups operate large-scale networks of fraudulent shopping sites that mimic well-known Western brands (Nike, Adidas, L.L.Bean, Patagonia, Columbia, etc.) and bulk-register domains on .shop, .top, .vip, .cn, and similar TLDs through Chinese domain registrars. Their modus operandi includes stealing credit card details and reselling them on the dark web or using them for further fraud. They may also use fake storefronts to launder money.

Chinese Bulletproof Hosting & “Fraud-as-a-Service” Groups

These groups provide infrastructure, including bulletproof hosting resistant to takedowns, to other cybercrime groups running fake stores. Financial services organizations in particular should be mindful of them, as their prime targets are US retailers and banks. Is there a connection to the infrastructure outlined here? We are moderately confident the behavior could be tied to a group of this kind, especially given the findings for llbeancrazydealca[.]shop.

APT41 (Also Known as “Winnti Group”) – State-Backed but with Criminal Ties

It remains unclear which cybercrime group is behind this activity. One could infer a link to APT41 (also known as Winnti Group), a state-backed group with criminal ties that is primarily known for cyber espionage, though some of its subgroups have engaged in financial fraud; nothing in this investigation ties the activity to APT41 directly.

Final Thoughts on Attribution 

Because there is not enough evidence to support the activity seen belonging to a known or named group, DomainTools Investigations is referring to this group as “Evasive Dragon,” due to their ability to stay hidden.

Online Platform Scams’ Impact on Financial Services and Technology

While this example comes from retail, we urge readers to consider how it applies to other industries such as financial services and technology. The purpose of this case study is to raise awareness of trends that could emerge on online platforms and of how to stay ahead of them. For example, Bank of America reportedly used Pinterest to reach broader audiences, and technology brands like HP and PayPal have noted success with the platform as well.

Here are several examples of brands using Pinterest for sponsored ads seen recently: 

Screenshot illustrating how financial services and technology outlets are using Pinterest for advertising purposes. Please note: these examples are NOT malicious, but shown to depict how threat actors could take advantage of the popularity of this platform as a vector for phishing, malware distribution, etc.

These brands see value in promoting on Pinterest, and as stated earlier, advertising on the platform pays off. It is reasonable to expect malicious actors to keep seeing potential in the platform too, so it is good practice to start monitoring activity seen there using domain and DNS intelligence.

The Business Impact of Online Scams

Online platforms are used in many business settings for multiple purposes. Marketing and brand teams are using online platforms to spread brand awareness, set up advertising campaigns, and look at peers in the industry for inspiration.

It is entirely possible for a team to use a platform like Pinterest for campaign inspiration or to research tools, and some of those Pins may link to a download destined for a work computer.

Proactive Threat Hunting to Combat Credential Harvesting

This article discussed the renewed popularity of more tenured online platforms. Given the shift, it is reasonable for those in retail, financial services, technology, and other industries to take proactive steps to protect their brands against phishing, malware distribution, and domain spoofing that could lead to credential harvesting from customers and employees alike. Early alerting when copycat or typosquatting domains are spun up helps CTI teams make faster decisions; DomainTools Iris Detect is one tool teams can use for email alerts on typosquats.
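One way to implement the early alerting described above, combining the brand-name-plus-unexpected-TLD signal from the L.L.Bean case with a near-match check for typosquats, over a feed of newly observed domains. This is an added example, not Iris Detect or any DomainTools code. The brand profile, lure-word list, similarity threshold, and feed contents are assumptions constructed for the example; the domains quoted in this article are mixed with made-up or unrelated names.

```python
from difflib import SequenceMatcher

# Hypothetical brand profile; the TLD and domain sets are assumptions for the example.
BRAND = {"name": "llbean", "legit_tlds": {"com"}, "legit_domains": {"llbean.com"}}

# Words that commonly pad fake-store domains (assumption; tune against your own data).
LURE_WORDS = ("outlet", "factory", "sale", "deal", "promo", "clearance", "store", "shop")

# Constructed feed: IOCs quoted in the article mixed with made-up or unrelated names.
FEED = [
    "llbeanfactoryoutlets.shop", "llbean-usaaus.shop", "llbeancrazydealca.shop",
    "ariatpromotions.shop", "llbean.com", "lIbean.com", "l1bean-outlet.top", "weather.gov",
]


def split_domain(domain):
    """Return (label, tld). A two-label split is enough for the feed above; use the
    Public Suffix List for multi-label suffixes such as .co.uk in production."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld


def normalize(label):
    """Fold digit look-alikes and drop hyphens so l1bean-outlet compares as llbeanoutlet."""
    return label.replace("1", "l").replace("0", "o").replace("-", "")


def assess(domain, brand=BRAND, threshold=0.8):
    """Return (verdict, reasons) for one domain against the brand profile."""
    if domain.lower() in brand["legit_domains"]:
        return "legitimate", []
    label, tld = split_domain(domain)
    core = normalize(label)
    reasons = []

    if brand["name"] in core:
        reasons.append("brand name in label")
    else:
        # Typosquat check: strip lure padding, then compare what is left to the brand name.
        stripped = core
        for word in LURE_WORDS:
            stripped = stripped.replace(word, "")
        ratio = SequenceMatcher(None, stripped, brand["name"]).ratio()
        if ratio >= threshold:
            reasons.append(f"label resembles brand (ratio {ratio:.2f})")

    if reasons:
        if tld not in brand["legit_tlds"]:
            reasons.append(f"unexpected TLD .{tld}")  # the .shop signal from the article
        lures = [w for w in LURE_WORDS if w in core]
        if lures:
            reasons.append("lure words: " + ", ".join(lures))

    if not reasons:
        return "no match", []
    return ("suspicious" if len(reasons) >= 2 else "review"), reasons


def scan(feed, brand=BRAND):
    """Map each domain in the feed to its verdict; alert on 'suspicious' and 'review'."""
    return {d: assess(d, brand)[0] for d in feed}


if __name__ == "__main__":
    for domain in FEED:
        verdict, reasons = assess(domain)
        print(f"{domain:<28} {verdict:<11} {'; '.join(reasons)}")
```

The three article IOCs score as suspicious on the brand-name and TLD signals alone; ariatpromotions[.]shop correctly does not match an L.L.Bean profile and would need Ariat's own profile to be caught, which is why per-brand profiles, not a single keyword list, are the right unit of configuration.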

Domain and DNS intelligence plays a crucial role in combating consumer fraud across these and other sectors. By identifying and monitoring domains that mimic legitimate brands, it gives organizations the information they need to make faster, better-informed decisions that protect their own people and data as well as their customers' credentials and financial information.

Free 15-Day Product Trial

DomainTools is offering a free 15-day trial of NOD/NAD/NOH/DomainDiscovery/DomainRDAP via the Feed API.