Executive Summary: Domain Impersonation and Brand Abuse Targeting Fashion/Luxury Labels

Date: October 2025
Author: PreCrime Labs, BforeAI

The world of luxury fashion symbolizes, for many, prestige and aspiration represented through brand recognition and the latest trends. This same recognition and desire to be viewed as socially relevant stimulates a great deal of online interest in these brands, making them, and their customers, prime targets for impersonation scams, phishing campaigns, fraud, and other cybercrimes. Given the higher price tags associated with these brands, the payout for criminals is much higher, making these attractive targets. While the primary targets are typically the end user (the customer), the brands being impersonated often also suffer from both financial and reputational losses.

Between mid-August and late September 2025, the team at PreCrime Labs, the research division of BforeAI, identified a total of 1,330 domains, 1,213 of which specifically leveraged the names and likenesses of one of the 23 luxury brands examined for this research. Given that these domains were registered shortly before the start of the holiday shopping season, and none of these domains are registered through legitimate company names or emails, they should be regarded as potentially suspicious. These domains show coordinated registration patterns, with registrar preferences, top level domain (TLD) abuse, and linguistic tricks. While many are inactive parked domains, BforeAI’s PreCrime predictive security platform identified many of these infrastructures as staged for activation during the approaching high-traffic shopping season.

It is worth noting that the team also discovered that certain email addresses, for example, “murphywuonline@gmail[.]com” were found to be recurring across multiple domains promoting “cheap store” setups, indicating the presence of a coordinated operator or reseller network orchestrating these campaigns. There was also a notable increase in tactics leveraging the news: particularly around current geopolitical events like tariffs.

A clear spike in domain registration was observed in late September, totaling 800 domains and accounting for 67% of all the suspicious domains in the analyzed dataset. The highest number of domains (114) was registered on 11 September 2025, coinciding with the preparatory phase ahead of high-traffic retail events such as the Diwali, Hanukkah, and Christmas celebrations. Most of these domains remain dormant or parked, displaying placeholder content that suggests a deliberate pre-activation phase.

Based on historical patterns as seen in previous reports such as H1B fee hike and FIFA World Cup, these domains are likely to become active around major promotional and significant events such as Black Friday and other holiday sales, following a rapid, short-lived lifecycle typical of opportunistic phishing and brand impersonation campaigns.

The campaign at the core of this report primarily targets high-end fashion and luxury brands, using domain strings impersonating or abusing names such as Gucci, Prada, Louis Vuitton, Rolex, Chanel, Dior, Versace, and Dolce & Gabbana. Additionally, several domains incorporate “boutique” and “outlet” variations, often referencing luxury bags or branded apparel, to appear legitimate and attract potential buyers seeking discounted designer products.

Global Domain Registration Share by TLD Type

Common Patterns Identified:

Audience oriented campaigns:

Since the luxury and designer brands mentioned in this report are those whose clientele typically prefers in-person shopping experiences, rather than other brands that offer generous discounts online aimed at impulse purchases and online shopping, very few luxury brands were targeted using deep discount lures. For example, Van Cleefs and Tag Heuer had less than 10 domains identified in the given time range, as most of their business is conducted in-store.

Many phishing sites advertise minor discounts or offers, encouraging users to make small, seemingly harmless payments, which are less likely to trigger suspicion. For example, a small booking fee, or single-digit percentage discount that can be purchased online, while the majority of the payment is purportedly made in-store. Since, comparatively speaking, luxury retail brands are less frequently purchased online, offering coupons and discounts is a more successful way to attract visitors than pitching them a whole product.

A cluster of domains such as “luxury-watches-95078[.]bond”, “luxury-watches-83128[.]bond”, “luxury-watches-82135[.]bond”, “luxury-watches-47814[.]bond”, and “luxury-watches-14605[.]bond” suggest an automated or bulk domain registration. Sequential numerical patterns serve as a common indicator for malicious campaigns and this one was likely designed to create multiple lookalike domains rapidly for future malicious use.

Country-specific brand targeting:

Suspicious luxury/designer brand domains frequently include Despite the growth of e-commerce, in-store experiences remain central in established markets. Over 70% of shoppers in the US, China, and Europe still prefer buying luxury items in person.names of countries where luxury ownership carries high social value, suggesting that campaigns are designed to exploit regional prestige and aspirational buying behavior.

Correlation with social media presence:

Brands with active marketing and high visibility on social media face a greater risk of domain impersonation. For example, Rolex domains significantly outnumber those imitating Patek Philippe or Givenchy which have a greater understated online presence, suggesting that high visibility drives abuse.

Post-tariff “factory outlet” trend and geopolitical events:

Following the U.S. trade tariffs, numerous Chinese and exporter-linked sites began using “factory outlet” keywords, mimicking heavily discounted luxury sales. This trend is directly tied to past tariff-related market shifts and fake luxury resellers. With Gucci’s recent expansion into the café and coffee market, several “ragucci” domains have emerged, possibly exploiting consumer curiosity around this new brand venture.

Parked and whistleblowing domains:

Some parked domains are being repurposed as brand-damaging whistleblowing sites, such as “truthaboutrolex”, which could harm brand reputation even without direct malicious content.

Replica and “lucky winner” schemes:

Multiple domains in this campaign cater to replica (or “dupe”) buyers, fake giveaways, and slot-based/gambling prize lures, further blending scam operations with counterfeit e-commerce activity. Most of the related domains combine the brand name with keywords such as “outlet”, “store”, “vip”, or “official”. (some examples include: “guccishop.vip”, “pradasale.store”, and “lvstore.shop”). Other replica examples include subtle typosquatted versions or misspelled variants. (e.g., “versacce”, “pradaa”, “dolcee-gabbana”).

Over 100 domains were observed to use generic fashion keywords, such as “luxurybags” and “brandedwear” used with fashion brand names to show as aggregate sellers of different brands under a single domain.

Hosting and Infrastructure Insights

Given the recent timeline of identification, many of the domains were found in inactive or parked states during this initial phase. The hosting infrastructure primarily relies on low-cost hosting providers and content delivery networks (CDNs), with noticeable clustering across shared nameservers and shared IP addresses.

In terms of SSL/TLS configuration, there is a predominant use of Domain-Validated (DV) certificates, while Organization-Validated (OV) or Extended Validation (EV) certificates are rarely observed, a common indicator of fraudulent activity, as DV certificates are inexpensive and require minimal verification.

For retail brands, where customer safety and privacy are of critical importance, such campaigns present a heightened risk of phishing attacks. Once these domains become active, users may be deceived into making fake purchases or submitting sensitive personal data.

This also exposes brands to reputational risk, as resulting impersonation attacks could lead to loss of consumer trust, particularly if fraudulent transactions or data theft incidents are associated with the brand name. Additionally, the operational burden is significant, as ongoing manual monitoring, verification, and takedown efforts demand time and resources to track every campaign before it reaches the victims. Organizations with faster detection-to-response pipelines will hold a critical advantage in minimizing brand and consumer exposure.

• Preemptive defense: Proactively register high-risk brand variants and common keyword combinations (e.g., “outlet”, “sale”, “store”, “official”) to reduce opportunities for domain abuse.

• Enhanced registrar collaboration: Establish direct escalation channels with frequently used registrars such as GoDaddy, Namecheap, and Dynadot to enable rapid abuse reporting and takedown of impersonating domains.

• Customer and internal alerting: Develop pattern-based continuous intelligence monitoring dashboards organized by registrar, TLD, and keyword to track brand abuse. Issue customer advisories warning users of active phishing trends and deceptive discount schemes.

• Public awareness campaigns: Use verified social media and website channels to educate customers on safe purchase practices, emphasizing that luxury brands rarely offer large online discounts or “factory outlet” sales.

• Incident playbook development: Create an internal playbook detailing step-by-step processes for validation, escalation, and takedown once a fraudulent domain or campaign is discovered.

Conclusion and Analyst Insights

Campaigns targeting high-value luxury and designer fashion brands through various typosquats and spoofed domain versions must be addressed promptly, taking into account all possible abuse vectors, including phishing attempts, counterfeit product sales, wholesale scams, and fake discount offers. This increasingly calls for preemptive domain defense, registrar partnerships, and proactive communication. Actively notifying customers and creating awareness while monitoring threats constantly and can minimize impact and sustain harmonious relationships with customers.

Explore our latest PreCrime™ Labs report:

Suspicious Domain Activity in Lead up to 2026 FIFA World Cup Tournament

Phishing Campaign Imitating U.S. Department of Education G5

Ready to see BforeAI in action?
Get a personalized demo

Talk to one of our experts and deploy in minutes.
No implementation needed. Works right out of the box!