Fakes and Frauds: Fake Google Checkout Rips Off Users

Google’s payment service, Checkout, has been counterfeited to empty unwary users’ pockets through a sophisticated fraud. The online and in-store shopping website has been reproduced by fraudsters, who created a bogus page imitating the web giant’s online service.

Bitdefender launches today a series of articles focusing on the evolution of fraud in different domains. The first “Fake and Frauds” episode presents the most spectacular trends in the fake bank, bogus financial institution and online payment business. Fake banks target specific industries, companies, and users. Unlike phishing, they don’t spread through massive spam campaigns to avoid being reported to hosters or international institutions. Some websites are even created to only lure one individual, so money is made out of small and gradual attacks.

While phishing websites usually seek to reproduce the exact layout of the institutions, this type of fraud only uses logos and banners from authentic websites. In Google’s case, the original checkout.google.com webpage was changed into googlecheckoutonline.com to masquerade as the company’s payment service. Another important difference between online fraud and phishing is that fraudsters create new banks, shops, and organizations as often as they use renowned brands.

To get away without tracking, fraudsters registered the domain from a private e-mail: @privacyprotect.org. The fake Google Checkout domain was bought a couple of weeks ago and expires in a year. More than 90 per cent of the fake websites are registered for just a year. This can be a sign for users who check unknown or suspicious financial websites with WHOIS. In most cases, the one-year registration combined with an e-mail address registered with free providers such as Yahoo, Gmail or Hotmail indicates a scam.

We also came across the same percentage when it comes to domain names. While identity thieves break other websites for phishing, fraudsters create registered domains to fool users through more sophisticated methods. More than 90 per cent of fake banks and financial institutions are registered on the top-level-domain .com to make the scams more believable. According to Bitdefender analysis, the second choice for fraudsters is .net, with almost 4 per cent, followed by .biz, .org, and .uk, each with 2 per cent of the overall fake banks registered.

By faking Google Checkout, scammers may also grab important information such as Gmail passwords. Users make purchases from thousands of online stores sign into their Google Account.

Bitdefender research focused on fake banks, bogus financial and online payment institutions in September, and discovered a targeted campaign that lured Banco de Venezuela users. Several phony websites were created in days, with variations in the institution’s name: bancomvenezuela.com, banconvenezuela.com, bancovenezuelasoberano.com, 1bancodevenezuela.com or 3bancodevenezuela.com. The websites were all registered for a year from a Gmail address, apparently belonging to a Romanian fraudster:

Here’s the authentic Banco de Venezuala website:

Ironically enough, scammers often include security tips for those who bank online: “Electronic mail is not secure, and confidential or personal information should not be communicated in this manner,” one fraudster wrote on a bogus financial website.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the technical information provided courtesy of Alin Damian, Bitdefender Online Threats Researcher, and Razvan Visan, Bitdefender Head of Online Threats Lab.