Thursday, 21 September 2023

Wilko: a target for scams following administration

by David Barnett and Richard Ferguson

Introduction

In August 2023, the UK high-street retailer Wilko Limited (formerly Wilkinson) entered administration, ultimately leading to store closures and selloffs, and the acquisition by The Range of the IP rights to the Wilko brand and website[1]. Shortly after the start of the administration period, reports began to emerge of a range of brand-related scams, including fake Wilko-branded websites offering branded products at heavily discounted prices[2]. Similar or related scams were also observed on social media, particularly Facebook[3], resulting in the requirement for the administrators to launch a campaign of enforcement actions.

These reports are perhaps unsurprising in view of previous studies which have found that high-profile news stories often serve as the trigger for spikes in related infringements and scams, particularly where specific brands are concerned and customers can be targeted[4].

In this article, we present the results of some simple analyses to determine the scale of the issues relating to the Wilko brand immediately following the closure of its stores[5].

Findings

1. Manual searches

As of mid-September 2023, a number of active Wilko-related scams were easily identifiable via simple searches. As shown in Figure 1, the domain wilkoclosing[.]com was found to resolve to a live, Wilko-branded e-commerce site. The site had been live for long enough to have been indexed by search engines, and was returned at position 3 in Google in response to a search for 'Wilko clearance sale', and at position 4 for 'Wilko clearance bargains'. The domain was registered with privacy-protected contact details, giving the registrant location as Henan, China.

Figure 1: An example of a live fake Wilko site (19-Sep-2023)

On Facebook, similar searches yielded multiple reports of Wilko-related scams (Figure 2).

Figure 2: Reported instances of Wilko-related scams on Facebook (19-Sep-2023)

In the first instance, the advertisement linked to a website at willkofficial[.]com [sic], which was no longer live, but generated a browser warning of deceptive content.

A number of similar scam-related pages were also found still to be active on Facebook on the same date, some of which included clearly unofficial contact details (e.g. using webmail e-mail addresses) and/or linked to fake external websites (Figures 3 and 4).

Figure 3: Examples of fake Wilko-related pages on Facebook (20-Sep-2023)

Figure 4: Examples of standalone websites linked-to from pages shown in Figure 3
 - (i) vuoriclothingo[.]com, a fake Wilko-branded site;
 - (ii) pneial[.]com, a generic e-commerce template website, possibly indicating that the scam site is no longer active, or representing a case of traffic misdirection

It was also possible to find instances of Wilko-related e-commerce mobile apps on standalone app-download ('APK') sites. Whilst some such examples may be instances of the distribution of official apps, sites of this type are worthy of close monitoring, since they tend to incorporate less quality control than the mainstream app stores, meaning the downloaded applications may be unofficial, out-of-date (and lacking appropriate security patches) or associated with malicious content.

Figure 5: Example of a Wilko-related app identified on a standalone app-download site (20-Sep-2023)

2. Deep-dive domain analysis

We next considered the set of all domains containing the string 'wilko' (or 'willko'), based on zone-file analysis. Following the removal of all obviously non-relevant domains (e.g. those containing strings such as 'willkommen', names such as 'wilkowiecki' or 'wilkosz', or where the string is otherwise clearly being used as a personal name), this yielded a dataset of 772 potentially relevant names. We then further removed any which appeared explicitly to be official (i.e. owned by Wilko, based on registrant or registrar information), leaving a remaining dataset of 672 third-party domain names.

Of these, 430 had domain registration dates identifiable via an automated whois look-up. By aggregating the monthly numbers of registrations, a large spike in activity beginning in August 2023 was readily apparent (noting that the analysis was carried out in mid-September, and the full number for September was likely to increase).

Figure 6: Monthly numbers of registrations of 'wilko' (or 'willko') domains, since the start of 2020

332 of the 672 domains were found to return some sort of live website response (i.e. an HTTP status code of 200). Of the remaining 340, 131 (39%) were found to have active MX (mail exchange) records, indicating that they have been configured to be able to send and receive e-mails and could therefore potentially be in use for phishing activity. Many of the inactive domains had names featuring keywords (such as 'clearance', 'offers', 'official', 'outlet' or 'sale') indicating that they may have been registered with the intention of being used for scams.

Of the 127 domains explicitly identified as having been registered since the start of August 2023, 67 (53%) were found to resolve or re-direct to active fake Wilko sites, with a further 23 (18%) featuring browser warnings of deceptive content or resolving to pages stating that the domains have been suspended. A number of additional examples were found to resolve to alternative content, such as third-party e-commerce or gambling-related sites, thereby potentially comprising instances of misdirection. Across the full dataset, a total of 98 domains were found to feature indicators of current or past scam-related content (Figure 7).

Figure 7: Examples from the dataset of live fake Wilko websites (domain names: wilkossky[.]com, wilkobigsales[.]com, wilkooutletuk[.]com, wilkobestsale[.]com, bigsalebywilko[.]com, wilkosense[.]com)
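
The triage steps described in this section (brand-string match, removal of non-relevant names, monthly registration counts, and the live-site / MX / keyword checks) can be sketched as follows. This is an added example, not the authors' tooling: the sample records and `.example` domains are constructed, the function names are hypothetical, and the substring exclusion list stands in for the manual review and official-ownership checks the article describes.

```python
from collections import Counter
from datetime import date

BRAND_STRINGS = ("wilko", "willko")
# Non-relevant strings named in the article (a German word and surnames).
NOISE_STRINGS = ("willkommen", "wilkowiecki", "wilkosz")
SCAM_KEYWORDS = ("clearance", "offers", "official", "outlet", "sale")

# Constructed sample records: (domain, whois creation date or None,
# HTTP status or None, has MX record). Not data from the article.
SAMPLE = [
    ("wilko-clearance.example", date(2023, 8, 14), 200, False),
    ("willkommen-berlin.example", date(2021, 3, 2), 200, True),
    ("wilkosz-family.example", date(2020, 6, 9), 200, False),
    ("willko-official-outlet.example", date(2023, 8, 30), None, True),
    ("wilkogarden.example", None, None, False),
    ("bigsale-wilko.example", date(2023, 9, 5), 200, True),
    ("unrelated-shop.example", date(2023, 9, 1), 200, True),
]

def is_candidate(domain):
    """Brand string present and no known non-relevant string."""
    name = domain.lower()
    if any(n in name for n in NOISE_STRINGS):
        return False
    return any(b in name for b in BRAND_STRINGS)

def triage(records):
    """Return (per-domain rows, registrations per YYYY-MM)."""
    monthly = Counter()
    rows = []
    for domain, created, status, has_mx in records:
        if not is_candidate(domain):
            continue
        if created is not None:  # whois date may be unavailable
            monthly[created.strftime("%Y-%m")] += 1
        if status == 200:
            state = "live-site"
        elif has_mx:
            state = "mail-only"  # no site, but able to handle e-mail
        else:
            state = "inactive"
        keywords = [k for k in SCAM_KEYWORDS if k in domain.lower()]
        rows.append({"domain": domain, "state": state, "keywords": keywords})
    return rows, dict(monthly)

if __name__ == "__main__":
    rows, monthly = triage(SAMPLE)
    for month in sorted(monthly):
        print(month, monthly[month])
    for row in rows:
        print(row)
```

Domains in the `mail-only` state, and inactive ones carrying scam-style keywords, are the ones a monitoring programme would keep on a watch list even though no site is yet live.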

Conclusions

The findings presented in this article illustrate that, where brands find themselves in the media, a spike in infringements and scams may not be far behind. The scale of the issue in this case - with almost 100 brand-related fraudulent domains identified for Wilko in mid-September - highlights the general importance to brand owners of a collaborative programme of domain name management and brand protection (monitoring plus enforcement) to avoid losses and protect customers.

In addition, some of the specific observations in this case raise some highly relevant general points about the way in which scams can be manifested:

  • Scams can operate over multiple channels (domain names, general Internet content, social media, mobile apps, etc.) and are often interconnected, highlighting the importance of a holistic approach to monitoring.
  • Fake websites can be hosted on brand-specific or general domain names, driving a requirement to combine domain-name monitoring (zone-file analysis, etc.) with alternative detection approaches.
  • In many cases, the scam content may make use of brand variations or misspellings, so as to drive customer confusion and/or evade detection, so it is important to utilise a monitoring technology able to address this.
  • Timely enforcement is key. If infringements are allowed to remain live long enough to be indexed by search engines, this can greatly increase their visibility and exposure.
  • Often, infringing sites will deliberately be hosted in jurisdictions or through Internet service providers who are notoriously non-compliant with takedown requests, showing the importance of the use of a range of enforcement techniques.

The post-pandemic retail sector in the UK has seen several high-street brands enter administration, with the IP often carved out from any bricks-and-mortar or plant-and-machinery (e.g. Made.com, Paperchase and Joules). These deals can happen quickly and sometimes be a fire sale. Regardless, brand protection should not be the preserve of a company's long-standing brands, and brand protection enquiries and online threat analysis should form part of any due diligence process. After all, if a brand's IP is valuable enough to buy, it should be valuable enough to protect from the outset.

References

[1] https://en.wikipedia.org/wiki/Wilko

[2] https://www.bbc.co.uk/news/business-66580724

[3] https://malwaretips.com/blogs/wilko-clearance-sale-up-to-90-off/

[4] https://www.linkedin.com/pulse/four-new-case-studies-domain-registration-activity-spikes-barnett/

[5] All observations and statistics are correct as of w/b 18-Sep-2023

This article was first published on 21 September 2023 at:

https://www.iamstobbs.com/opinion/wilko-a-target-for-scams-following-administration
