Massive 540+ Website Spoofing Campaign Identified

A massive spoofing campaign has been detected targeting customers of Walmart and other well-known brand which attempts to get them to part with sensitive personal information.

The campaign was detected by DomainTools, which identified more than 540 malicious domains that had been set up by the same threat actor. The websites included job sites, online dating sites, movie download sites, and numerous sites targeting fortune 500 brands such as Walmart and McDonalds.

The campaign was uncovered during an investigation into a single domain that attempted to obtain personal information from jobseekers. The site – – appeared to be an employment application site for Walmart, which required applicants to enter a range of sensitive information. Other sites offered gift cards and other Walmart services and several brands were being targeted.

The more the researchers dug, the more sites they found. “The number of malicious domains that surfaced in this campaign is alarming and likely an indication of the threat actor or group’s resources and sophistication,” said Corin Imai, senior security advisor, DomainTools.

Many of the domains were registered to an address in Pakistan although most of the IP addresses were in the United States. Out of more than 540 domains tied to the scammer, only 181 of the sites had been identified as malicious and were included on blacklists. Most had been given average risk scores.

Most of the websites had been set up to collect personal information, although the sites could easily be repurposed to distribute malware. It is not known for how long the operation has been running and neither how successful the operation has been.

Domain Tools researchers note that the sites being used were receiving traffic in sufficient volumes to warrant further investigation into whether visitors are submitting their personal information. DomainTools notes that on the Walmart recruitment website, many visitors had gone through the whole application process and had divulged a considerable amount of personal information.

DomainsTools is continuing to investigate the campaign to determine its true intent and potentially, the individual responsible.

DomainTools notes that since the majority of domains are still active, companies are not being proactive enough searching for sites that are spoofing their brand. By taking a more proactive approach, companies can ensure that fraudulent domains are taken down before they affect the company’s customer base. Consumers must also take care to verify the legitimacy of a website before disclosing any sensitive information.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of