Scammers Exploit Tariff Anxiety with Fake Brand Stores

Note from Lionel:  This X-Labs post is a little different than a typical post since it’s not a deep analysis of a single campaign. This one is more general in nature. But since it represents a timely trend that we expect hackers to increasingly take advantage of over the next weeks and months, we thought it was worth blogging about. 

###

We all love a good bargain — but guess who loves them even more? SCAMMERS.

Today’s fake stores are more than just a fresh coat of paint

Over the past few days, the X-Labs team noticed a surge in fake online stores impersonating popular brands—from sports shoes to luxury handbags across various countries. The old school scammy-looking websites are a thing of the past. By comparison, these new fake stores use polished, slick-looking websites that are often convincingly cloned from legitimate brands offering deep discounts to lure victims in. 

Put another way, have you ever wondered why that pair of $300 shoes is selling for $50 on a site you have never heard of, you are probably not just paranoid —there’s a good chance you are being targeted. 

In this post, we will break down the mechanics of these fake online stores, we’ll arm you with a detection checklist and present a few real scam sites we investigated, complete with technical evidence and economic context.

How do these scam shops work?

Most of these fake sites follow a repeatable playbook:

• They register a cheap domain that mimics a real brand.
• They set up a fake store using stolen images, cloned product pages, and fake checkout forms.
• They advertise massive discounts.
• They hide behind Cloudflare or free SSL certificates.
• They collect payment info or personal data — and vanish after a few weeks

Fake store red flags

Fake online sites we caught (And how they trick you)

Fake site: salomosaleuk[.]com:

• Brand Imitated: Salomon (United Kingdom)
• Real Brand Domain: www[.]salomon[.]com
• Created On: 2021-05-27
• Target Region: UK
• SSL (Issuer): Let's Encrypt
• SSL Issued On: 2025-04-24  
• Registrar: NameSilo, LLC
• Key Red Flag: Fake discount, Phishing check-out 

Fake Site: veja-mexico[.]net:

• Brand Imitated: Veja
• Real Brand Domain: www[.]veja-store[.]com
• Created On: 2024-06-27
• Target Region: Mexico
• SSL (Issuer): Let's Encrypt
• SSL Issued: 2025-04-29
• Registrar: Gransy, s.r.o.
• Key Red Flag: Fake checkout, cloned assets 

Fake Site: caterpillarstore[.]cz:

• Brand Imitated: Caterpillar
• Real Brand Domain: www[.]caterpillar[.]com
• Created On: 2024-07-22
• Target Region: Czech Republic
• SSL (Issuer): Let's Encrypt
• SSL Issued: 2025-04-12
• Registrar: Gransy s.r.o.
• Key Red Flag: Scam Shop Design

Fake Site: longchamposterreich-at[.]at:

• Brand Imitated: Longchamp
• Real Brand Domain: www[.]longchamp[.]com
• Created On: 2024-12-05
• Target Region: Austria
• SSL (Issuer): Let's Encrypt
• SSL Issued: 2025-04-10
• Registrar: Gransy s.r.o.
• Key Red Flag: typosquatted domain

Fake Site: coachcanada-ca[.]com:

• Brand Imitated: Coach
• Real Brand Domain: coach[.]com
• Created On: 2024-10-12
• Target Region: Canada
• SSL (Issuer): Let's Encrypt
• SSL Issued: 2025-04-12
• Registrar: CNOBIN INFORMATION TECHNOLOGY LIMITED
• Key Red Flag: Uses “ca.com”, fake products

Fake Site: airupbottleuk[.]com:

• Brand Imitated: Air Up
• Real Brand Domain: air-up[.]com
• Created On: 2024-08-23
• Target Region: UK
• SSL (Issuer): Let's Encrypt
• SSL Issued: 2025-03-21
• Registrar: Dynadot Inc
• Key Red Flag: Typosquatted UK domain, fake store 

Fake Site: jottincanada[.]com:

• Brand Imitated: JOTT (Canada)
• Real Brand Domain: jottcanada[.]org
• Created On: 2024-05-21
• Target Region: Canada
• SSL (Issuer): Let's Encrypt
• SSL Issued: 2025-03-27
• Registrar: NameSilo, LLC
• Key Red Flag: Typosquatted domain, static shop 

Fake Site: drmartenshelsinki[.]top

• Brand Imitated: Dr. Martens – Sandals & Boots
• Real Brand Domain: drmartens[.]com
• Created On: 2019-09-15
• Target Region: Finland
• SSL (Issuer): Let's Encrypt
• SSL Issued: 2025-05-11
• Registrar: Name: Silo, LLC
• Key Red Flag: ".top" domain scam, fake checkout

Domain age alone can be misleading

These scam or similar sites are registered months or even years ago (sometimes parked or inactive initially). Only activated for scams later, when scammers issue a fresh Let's Encrypt SSL certificate (which is valid for 90 days only). They may also reuse old domains from previous scams or buy expired domains, making the creation date misleading. This is why relying only on domain age is not enough — you must also check SSL certificate issue date, because it often reveals when the scam site was set up and went live. So, in short, if there is a mismatch (e.g., old domain but new SSL cert), treat with suspicion.

Tricks scammers play

Scammers know exactly how to exploit the shortcuts we all take when shopping online. They count on the fact that most people feel safe as long as they see the little padlock icon in the address bar, without stopping to check what kind of SSL certificate it actually is — or when it was issued.

Similarly, we tend to trust websites that look familiar or have been around for a while, even though an older domain does not automatically mean it is legit. And let's be honest — very few shoppers bother to double-check if the site is really the official brand.

That’s why scammers use sneaky tricks like typo-squatting domains, adding country names, extra words, or swapping “.com” for “.net” or “.top” to make their fake sites look convincing at a glance. The truth is, authentic brand websites rarely change, and you can always cross-check them easily through social media or a quick Google search.

Just the tip of the iceberg

While we have shared some of the verified scam sites above, it is important to understand that there are many more active and emerging scam shops. Scammers spin up hundreds of similar fake stores every month, using the same templates, tactics, and deception — just under new domain names.

The sites we have highlighted here are real-time examples of a much larger. So, the list is not exhaustive.

Scammers are exploiting tariff tension

The timing of these scams is not accidental. In 2025, the U.S. introduced a wave of tariffs targeting imports on different countries including things like cars, footwear, apparel, electronics and much more. 

How tariffs affect you as a shopper: 

• Imported goods are getting more expensive across all the markets.
• Tariffs are adding to the global surge of premium brands.
• Legitimate retailers are raising prices, offering fewer discounts.

Scammers are ready to use tariff anxiety against you

Scammers exploit the frustration shoppers feel towards rising prices, offering impossible deals that feel like a clever workaround.
They use fake stories like “direct from manufacturer” or “local warehouse” — when in reality no such warehouse exists. 

Examples: 

• mizuno-turkiye[.]com pretends to offer Mizuno (Japanese brand) shoes at a wide discount in Turkey — despite increased import duties.
• coachcanada-ca[.]com poses as a Canadian outlet — when Coach’s real domain is coach[.]com
• veja-mexico[.]net claims local stock in Mexico — while prices are suspiciously lower than Veja’s official site.

Scammers know the tariff and economic confusion makes shoppers more vulnerable to fake offers.

Deals that ignore economics are probably a scam

With global prices climbing, no real brand is suddenly offering 60% or more discounts just out of good-will. So, if you stumble upon a site claiming to sell products at prices lower than what retailers themselves can get from factories or promising to dodge high tariffs by shipping directly to you via some sketchy “.com” or “.top” domain—chances are, it is a scam.

Tips for identifying a fake store

• Check the domain age: If the site’s domain is newly registered or less than a month old, proceed with caution.
• Inspect the SSL certificate: If it is using a free certificate like Let’s Encrypt, that is another red flag — especially for shopping sites.
• Look up the registrar: Domains registered through free are often linked to scam sites.
• Verify company details: No company info? That is a major warning sign.
• Google the site name + “scam." Chances are, if the site is dodgy, someone else has already called it out.

How to inspect SSL certificates to spot scammers

Most people just see the padlock icon and feel safe. But you can do a quick manual check of the SSL certificate with a few simple steps:

• In your favourite browser click the padlock icon next to the website URL.
• Click on “Connection is secure” - wording may vary by browser.
• Click on “Certificate is valid”
• If you find any free SSL certificate issuers like “Let's Encrypt”, then be cautious.
• Check the validity period — if it is recently issued or very short-term, be cautious.
• If the website claims to be from a big brand but the certificate is issued to an unknown entity, it is a red flag. 

When the padlock isn’t enough: Real vs. Fake 

Figures 1 and 2 below show a real site, followed by a fake online site.

Fig. 1 - Real site example

 Fig. 2 - Fake site example

Final Thoughts:

The world of fake online stores is not going away anytime soon. They are getting more polished and harder to spot. But if you know the red flags, economic context and patterns, you can protect yourself and others. If the deal defies logic, economics and brand policies— it is not a deal, it is a decoy. Stay sharp, stay sceptical and don’t let scammers win.

Protection Statement:

Forcepoint customers are protected against this threat at the following stage of attack.

• Stage 2 (Lure): Fake shops are blocked by real time web security scan.

IOCs:

Due to extensive list of Indicator of Compromise (IOCs) associated with this case, only key highlights are mentioned in this report for readability.

The full and detailed lists of IOCs is available upon request.

Fake Stores:

• hxxps[://]www[.]jottincanada[.]com/
• hxxps[://]www[.]mizunosingapore-store[.]com/
• hxxps[://]www[.]docmartensusa[.]us[.]com/
• hxxps[://]www[.]hubrooonline[.]com/
• hxxps[://]www[.]eccotenismexico[.]com[.]mx/
• hxxps[://]www[.]brooksaus[.]com/
• hxxps[://]www[.]drmartenshelsinki[.]top/
• hxxps[://]www[.]sebrooonline[.]com/
• hxxps[://]www[.]brooksrunningindia[.]co[.]in/
• hxxps[://]www[.]coachcanada-ca[.]com/
• hxxps[://]www[.]vibramdeutschland[.]de/
• hxxps[://]www[.]coachsingaporestore[.]com/
• hxxps[://]www[.]mizunoschweiz[.]org/
• hxxps[://]www[.]intimissimi-osterreich[.]at/
• hxxps[://]www[.]longchampsingaporesg[.]com/
• hxxps[://]www[.]viviennewestwodoutlet[.]com/
• hxxps[://]www[.]longchamposterreich-at[.]at/
• hxxps[://]www[.]tiendaipanemachile[.]com/
• hxxps[://]www[.]skmamustores[.]com/
• hxxps[://]www[.]salmononsireland[.]com/
• hxxps[://]www[.]salmononoutlet[.]com/
• hxxps[://]www[.]suprshoesnzsale[.]com/
• hxxps[://]www[.]caterpillarsuomi-fi[.]com/
• hxxps[://]www[.]salomon-argentina[.]com/
• hxxps[://]www[.]salmononwarszawa[.]com/
• hxxps[://]www[.]mizunophilippines[.]com[.]ph/
• hxxps[://]www[.]salomoespana[.]com/
• hxxps[://]www[.]ordoutdoorchile[.]com/
• hxxps[://]www[.]salomosaleuk[.]com/
• hxxps[://]www[.]rockportshoes-sg[.]com/
• hxxps[://]www[.]tevafrance[.]co/
• hxxps[://]www[.]airupbottleuk[.]com/
• hxxps[://]www[.]hokashoesirelandoutlet[.]com/
• hxxps[://]www[.]osiris-shoes-france[.]fr/
• hxxps[://]www[.]salomoneshopscz[.]cz/
• hxxps[://]www[.]suprasfootwearuk[.]com/
• hxxps[://]www[.]hokaayakkabturkiye[.]com/
• hxxps[://]www[.]uggonlinehungary[.]com/
• hxxps[://]www[.]rockportphilippines[.]com/
• hxxps[://]www[.]salewachile[.]com/
• hxxps[://]www[.]hokashoesphilippinestore[.]com/
• hxxps[://]www[.]mizunoitalia[.]it/
• hxxps[://]www[.]supraschuhedeutsch[.]de/
• hxxps[://]www[.]oncloudskor-sverige[.]com/
• hxxps[://]www[.]mizuno-turkiye[.]com/
• hxxps[://]www[.]tenisaltrashopmexico[.]net/
• hxxps[://]www[.]fingersshoesindia[.]com/
• hxxps[://]www[.]sportcipokhu[.]com/
• hxxps[://]www[.]botashunterchile[.]co/
• hxxps[://]www[.]onrunningsparis[.]com/
• hxxps[://]www[.]salmononsitalia[.]com/
• hxxps[://]www[.]merrelsandalsindia[.]com/
• hxxps[://]www[.]salmononssverige[.]com/
• hxxps[://]www[.]allbirdshoesingaporestore[.]com/
• hxxps[://]www[.]salmononfrance[.]com/
• hxxps[://]www[.]irelandstoreonlineshop[.]com/
• hxxps[://]www[.]hoka-skor-sverige[.]com/
• hxxps[://]www[.]hokaoneoneargentina[.]net/
• hxxps[://]www[.]rockportsko[.]net/
• hxxps[://]www[.]timberlandpropolska[.]com/
• hxxps[://]www[.]pandorajewelryindia[.]com/