Holiday Shoppers Beware: Look-Alike Domains Are Targeting Your Wallet

November 12, 2019 | Emil Hanscom

The holiday shopping season is approaching, and many consumers will find their gifts online. After all, Cyber Monday has practically turned into its own major holiday. Unfortunately, as online shopping continues to grow, so does the targeting of consumers through malicious look-alike domains.

Cyber attackers create fraudulent domains by substituting a few characters in the URLs. Because these domains point to malicious online shopping websites that closely mimic legitimate, well-known retail websites, customers find it increasingly difficult to detect the fakes. Additionally, because many of these malicious pages use a trusted TLS certificate, they appear safe to online shoppers, who unknowingly provide sensitive account information and payment data.

But just how prominent are these look-alike domains?

Venafi recently conducted research on the explosion of look-alike domains, which are often used to steal sensitive data from online shoppers. We analyzed suspicious domains targeting 20 major retailers in the U.S., U.K., France, Germany and Australia and found over 100,000 look-alike domains that use valid TLS certificates to appear safe and trusted.

Major overall findings from the research include the following:
  • Growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four times.
  • The total number of certificates used for look-alike domains is more than 400% greater than the number of authentic retail domains.
  • Over half (60%) of the look-alike domains studied use free certificates from Let’s Encrypt.

Every region had its own challenges with look-alike domains. Below you can find interesting statistics and breakdowns from each country.

United States

One of the top U.S. retailers has over 49,500 look-alike domains targeting their customers.

United Kingdom

The United Kingdom has the largest ratio of look-alike domains targeting retailers, with over six times more look-alike domains than valid domains.


Germany

The look-alike domains in Germany are more likely to use certificates from Let’s Encrypt than any other region. 85% of look-alike domains use Let’s Encrypt.


Australia

One of the top retailers in Australia had over 2,000 look-alike domains targeting their customers. This contributed to over half of the look-alike domains in the region.


France

France is the only country with a relatively low ratio of look-alike domains to legitimate domains.

What can retailers do to protect themselves?

As the holiday shopping season approaches, the number of look-alike domains targeting online shoppers will multiply. Online retailers that discover malicious domains can take several steps to protect their customers, including:

  • Search and report suspicious domains using Google Safe Browsing. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous websites. Retailers can report a suspicious domain at
  • Add Certificate Authority Authorization (CAA) to the DNS records of domains and subdomains. CAA lets organizations determine which CAs can issue certificates for domains they own. It is an extension of the domain’s DNS record and supports property tags that let owners set CA policy for entire domains or for specific hostnames.
  • Leverage technology solutions to search for suspicious domains. Brand protection services may help retailers find malicious websites and stop the unauthorized use of their logos or brands. Solutions that also provide anti-phishing functionality can help aid in the search for look-alike domains.
  • Detect malicious certificates using Certificate Transparency. All publicly trusted machine identities, such as TLS certificates, are published to open logs. Monitoring and analyzing these logs enable organizations to detect look-alike domains and certificates before they are used in attacks against customers.
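
How the CAA property tags set policy for a whole domain or for one hostname, as an added example that is not code from the original post: a small evaluator that follows the RFC 8659 lookup rules over a constructed record set. The CA names `ca-one.example` and `ca-two.example`, the account parameter and all records are placeholders.

```python
# Constructed CAA records as (tag, value), keyed by DNS name. In zone-file form:
#   examplestore.com.      CAA 0 issue     "ca-one.example"
#   examplestore.com.      CAA 0 issuewild ";"
#   pay.examplestore.com.  CAA 0 issue     "ca-two.example; account=230123"
ZONE = {
    "examplestore.com": [("issue", "ca-one.example"), ("issuewild", ";"),
                         ("iodef", "mailto:security@examplestore.com")],
    "pay.examplestore.com": [("issue", "ca-two.example; account=230123")],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first name that has CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_domain(value):
    """Issuer domain name of a property value, without its ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, name, ca_domain):
    """True if CAA lets ca_domain issue for name (name may start with '*.')."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(zone, name[2:] if wildcard else name)
    issue = [issuer_domain(v) for t, v in records if t.lower() == "issue"]
    wild = [issuer_domain(v) for t, v in records if t.lower() == "issuewild"]
    # issuewild replaces issue for wildcard requests and is ignored otherwise
    applicable = wild if (wildcard and wild) else issue
    if not applicable:
        return True                      # no restricting property: CAA is silent
    return ca_domain.lower() in applicable   # ";" yields "" and matches no CA
```

The record set above pins the whole domain to one CA, forbids wildcard certificates at the apex, and delegates one hostname to a second CA. CAA only governs names under zones the retailer controls, so `may_issue(ZONE, "examp1estore.com", "ca-two.example")` returns `True` for a look-alike domain registered by someone else.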
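
One way to act on the Certificate Transparency recommendation, as an added example that is not from the original post or from Venafi: the code classifies dNSNames taken from CT log entries against a brand label. The brand `examplestore`, the owned-domain list, the substitution table and the sample names are assumptions constructed for illustration; the check also covers digit swaps, letter pairs and punycode names, which goes beyond the plain character substitution the post describes.

```python
import unicodedata

OWNED = {"examplestore.com"}             # assumption: domains the retailer owns
BRAND = "examplestore"                   # assumption: brand label to protect
SWAPS = str.maketrans("01357", "olest")  # digits that stand in for letters

def skeleton(label):
    """Fold a DNS label so visually similar spellings compare equal."""
    if label.startswith("xn--"):         # IDN label: decode punycode first
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    label = unicodedata.normalize("NFKD", label)   # split accents from letters
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.lower().translate(SWAPS).replace("-", "")
    return label.replace("rn", "m").replace("vv", "w")  # pairs read as one letter

def edit_distance(a, b):
    prev = list(range(len(b) + 1))       # Levenshtein distance, one row at a time
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return why a certificate dNSName resembles BRAND, or None if it does not."""
    name = name.lower().removeprefix("*.").rstrip(".")
    if any(name == d or name.endswith("." + d) for d in OWNED):
        return None                      # the retailer's own certificate
    target = skeleton(BRAND)
    for label in name.split(".")[:-1]:   # every label except the TLD
        folded = skeleton(label)
        if folded == target:
            return "exact-label" if label == BRAND else "homoglyph"
        if target in folded:
            return "embedded"
        if edit_distance(folded, target) <= 1:
            return "typo"
    return None

SAMPLE_NAMES = [   # constructed dNSNames, not real CT log entries
    "www.examplestore.com", "*.examp1estore.com", "exarnplestore.net", "exanplestore.com",
    "examplestore-login.shop", "examplestore.checkout-secure.net", "gardening-tips.org",
    "ex\u00e4mplestore.com".encode("idna").decode(),   # IDN, stored as xn-- punycode
]

def scan(names):
    return {n: r for n in names if (r := classify(n))}
```

NFKD folding only handles accented Latin letters; cross-script homoglyphs such as Cyrillic letters need a full confusables table like the one in Unicode UTS #39.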
"Rampant Growth" in Look-Alike Domains

“We continue to see rampant growth in the number of malicious, look-alike domains used in predatory phishing attacks,” said Jing Xie, senior threat intelligence researcher at Venafi. “This is a result of the push to encrypt more and potentially all web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection. Most businesses and many retailers don’t have the updated technology in place to find these malicious sites and remove them to protect their customers.”

Are you looking out for look-alike domains?

In addition to the threats posed by bad actors, are we doing the one thing that could be training our users to be phished? Find out.


About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
