Egress’ Threat Intelligence team has detected a 128% increase in Shein brand impersonation emails since January 1st, 2023 compared with November 2022. The phishing attacks include the use of lookalike email domains and websites, with the aim of stealing people’s log-in credentials and payment details, and taking fraudulent payments. The attacks leverage social engineering techniques, passed DMARC authentication, and were sent through third-party mailing platforms.
Quick attack summary
Vector and type: Email phishing
Techniques: Brand impersonation
Payload: Phishing link to ‘lookalike’ phishing website
Targets: Organizations in North America and the UK
Platform: Microsoft 365
The phishing emails are sent from lookalike, spoofed domains that impersonate Shein, such as ‘shien’ (instead of ‘shein’), or from unclaimed domains with the correct spelling, such as ‘shein.ru’, that are not used by the organization. Despite the use of spoofed domains, the emails passed DMARC authentication. They were also sent via legitimate third-party mailing platforms (we detected use of Salesforce and Mailchimp).
The phishing emails we analyzed were built using stylized HTML templates, including use of the legitimate Shein logo and email footer, potentially using the HTML from a legitimate Shein email as a template. In addition to this, all used social engineering to try to trick their victims, offering online discount vouchers to the recipients or requesting account verification, for example to complete account set up.
What the Shein phishing emails look like
Discount code
In the below screenshot, you can see the use of the ‘shien’ spoofed domain, which is set up to look like a legitimate No Reply email address in anticipation of the recipient not detecting the misspelling of Shien. The email is a copycat of a Marketing email that Deal Town, an online archive of email newsletters, records as being sent on June 17th, 2022. It’s likely the cybercriminals used the existing email as their template when creating the attack, even incorporating the incorrect spelling and grammar as it appeared on the original image, which was imported into the HTML (‘Have we meet?’ versus ‘Have we met?’).
This sophisticated brand impersonation lends credibility to the attack, supporting the cybercriminal’s aim of getting people to click on the link to the phishing website. To further entice the recipients, the attacker increased the discount from £4 to £40, although they were unable to edit the discount within the image.
Shein brand impersonation phishing email, using social engineering to trick people into clicking on a phishing link, with anti-phishing banners added by Egress Defend.
Shein brand impersonation phishing email, showing lookalike domain ‘shien.com’
Account verification
In the second example we analyzed for this blog, the cybercriminals used an account verification process as the lure. Sent from ‘shein.ru’, the email address is made to look like it was sent by Shein’s verification system, and the email uses the Shein logo and email footer to add false legitimacy. The cybercriminal has also used a font that closely resembles the brand logo font to continue the impersonation attempt.
People can feel pressure to verify accounts quickly, and the cybercriminal has also added a ‘Link valid for 30 days from registration’ to increase this pressure.
Shein brand impersonation email requesting the recipient click on a phishing link to verify their account, with anti-phishing banners added by Egress Defend.
Shein brand impersonation phishing email, showing lookalike domain ‘shein.ru’
On clicking the ‘Verify’ button, the recipient is routed to a lookalike website that steals the victims’ payment details. The website uses a phishing domain that incorporates the ‘Shein’ brand name and has an HTTPS certificate, aiming to trick victims into believing they’re secure.
While clearly an imitation of Shein and other legitimate fashion retailer websites, the phishing website we saw was in Portuguese and missing the Shein branding, and therefore was disjointed from the English language and highly stylized email templates. It’s likely the HTML for this phishing website is a template that the attacker has used across multiple attacks.
Snapshot of the Shein ‘lookalike’ website used as part of the verification phishing attack. The website uses the ‘shein’ name and had an HTTPS certificate.
Egress analysis: brand impersonation and social engineering, and techniques to increase deliverability
Brand impersonation and social engineering
Everyone loves a discount! This is especially true when times are economically difficult and people are struggling with the cost of living. Unfortunately, this makes people more likely to click on the fraudulent offers they receive via email.
Shein is reported to be the largest online-only fashion retailer in the world, with a valuation of $100bn. As a result, it’s a highly popular household name with a significant audience. Like every brand, Shein sends marketing emails, designed to engage customers and increase sales. For many people, Shein is a company that contacts them regularly and a new email probably wouldn't appear unusual.
Both Shein emails analyzed here demonstrate high levels of impersonation and social engineering. They’re built using highly stylized templates (one of which is likely a copycat from a legitimate email Shein sent last year) and sent from realistic spoofed domains and unclaimed ‘brand name’ domains. As a result, it can be incredibly difficult for someone to notice these are phishing emails. The verification emails also pressure the recipients into a response, with the notion that the link will expire after a certain time limit is hit.
Techniques to increase deliverability
The cybercriminal has used a combination of techniques to improve deliverability, making it more likely that these emails will be sent to the inbox (rather than quarantined by a SEG or sent to Junk by Microsoft).
Even though they’re using lookalike domains, the emails passed DMARC authentication. DMARC only confirms that a message was authorized for the domain in its From address, and the attacker controls the lookalike domain, so a pass is easy to obtain. This means it’s more difficult for signature-based anti-phishing technologies (like secure email gateways, SEGs) to detect them.
Finally, the use of legitimate mailing platforms (Salesforce and Mailchimp) to send these attacks increases their deliverability rate, making it less likely they’ll be filtered out by spam filters or signature-based detection.
Detecting brand impersonation attacks
It can be incredibly difficult for people to detect sophisticated impersonation attacks. In most cases, a retailer will provide a code, which can be applied at checkout to claim the discount. Consequently, if there’s any doubt about the legitimacy of an email, it’s possible to navigate to the real website via your browser or search engine and enter the code there.
These types of advanced attacks, which are designed to get through existing defenses and appear legitimate within the inbox, require intelligent anti-phishing technology to detect them. These solutions can inspect aspects such as domain age separately from DMARC authentication, as well as use linguistic analysis to detect impersonation attempts within the body of the email copy. Termed ‘integrated cloud email security (ICES)’, these solutions integrate directly within Microsoft 365 to provide an additional layer of defense against advanced phishing attacks.
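As an added example (not Egress’ or Shein’s code), here is one way a defender can implement the sender-domain checks described above: it flags a transposed lookalike such as ‘shien’ and a correctly spelled but unclaimed TLD such as ‘shein.ru’, and deliberately gives a DMARC pass no weight in the verdict. The brand domain list, the sample From headers and their DMARC results are assumptions constructed for illustration.

```python
import re
# Added example, not Egress' code. Brand domain list is an assumption.
BRAND_LABEL = "shein"           # registrable label of the protected brand
BRAND_DOMAINS = {"shein.com"}   # domains the brand is known to send from

def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts an adjacent transposition
    ('shein' -> 'shien') as a single edit (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'SHEIN <noreply@shien.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower() if m else ""

def classify_sender(from_header: str, dmarc_pass: bool) -> str:
    """Verdict on the sender domain relative to the brand. dmarc_pass is
    deliberately not trusted: it only shows the mail was authorised for the
    domain it claims, and the attacker controls the lookalike domain."""
    domain = sender_domain(from_header)
    if domain in BRAND_DOMAINS:
        return "legitimate"
    label = domain.split(".")[0] if domain else ""
    if label == BRAND_LABEL:
        return "unclaimed-brand-tld"   # e.g. shein.ru: correct spelling, other TLD
    if label and osa_distance(label, BRAND_LABEL) <= 1:
        return "lookalike"            # e.g. shien.com: one transposition away
    return "unrelated"

# Constructed sample headers modelled on the campaign; DMARC results are assumed.
SAMPLES = [("SHEIN <noreply@shien.com>", True),
           ("SHEIN Verification <verify@shein.ru>", True),
           ("SHEIN <news@shein.com>", True),
           ("Newsletter <hello@example.org>", False)]

if __name__ == "__main__":
    for hdr, dmarc in SAMPLES:
        print(f"{classify_sender(hdr, dmarc):20} dmarc_pass={dmarc}  {hdr}")
```

Both spoofed senders are flagged even though their DMARC result is a pass, which is the point: the domain itself, not the authentication result, carries the signal.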