Cloned websites – If in doubt, check the depth.
Sygnia has uncovered a live network of cloned scam websites supposedly belonging to law firms. Business impersonation scams are nothing new, but this campaign, in total, comprises more than 150 related domains.
Sygnia’s research started when a single law firm contacted them after discovering several websites impersonating its brand. Sygnia investigated and rapidly found the activity to be part of a coordinated campaign involving more than 60 websites. As the investigation continued, it connected more than 150 related domains.
This network is not simply large but is also designed for persistence. “Infrastructure decisions favored evasion and durability over operational simplicity, consistent with a coordinated network rather than isolated or opportunistic impersonation activity,” states Sygnia’s report on its discoveries.
The domains are registered through multiple registrars across different IP ranges; each site uses a distinct SSL/TLS certificate; and many are deployed behind Cloudflare, obscuring the servers, hiding their relationships and making takedowns more difficult. Each cloned website aims to appear as a single domain rather than being part of a wider campaign.
The primary purpose of these clones appears to be the repeat victimization of people who have already fallen victim to fraud. The lure is a cloned legal site offering to recover money already lost to prior fraud, noticeably stating that no payment will be required before the lost funds are recovered.
There is some indication of a relationship between this campaign and earlier fraud scams. For example, Sygnia found the phone number +354-42-12434 has been used over an eight-year period within multiple scam campaigns, including a vehicle auction scam (vehicles paid for, but not delivered), and also asset recovery scams tied directly to Sygnia’s current investigation.
A US phone number, +1-347-871-7726, was used in a COVID-era panic-buying e-commerce scam and has again been found in asset recovery scams linked to the current investigation. On the surface, this could suggest that a single gang is behind multiple online scams over many years. Sygnia, however, is not able to claim this is the case.
“The repeated appearance of the same phone number across multiple fraudulent domains suggests reused infrastructure within the campaign. However, as phone numbers can change ownership, this should be treated as an indicator rather than definitive evidence of a single actor,” says Amir Sadon, Sygnia’s director of IR research.
One current puzzle with this campaign is how the threat actors intend to monetize their efforts. Assurances within the cloned legal sites that payment would be required only after funds are recovered add apparent authenticity to the sites, but any attempt to request money would likely raise an immediate red flag with the target.
Sadon has no definitive answer to this. “We cannot conclude at this point how the criminals monetize from this campaign since we haven’t deeply engaged with them,” he told SecurityWeek. “However, we suspect they may be tricking their victims into sharing information that can then be leveraged for profit.”
AI-powered scam campaign
So, what can we learn from this newly discovered but extensive and technically complex infrastructure involving 150 or so separate domains? Firstly, we will likely see more similarly large and sophisticated campaigns going forward. The ability of AI to assist in cloning websites at speed, scale and low cost will increasingly be used by criminals. “The use of AI and automation tools makes it easier for attackers to create these sites quickly and at scale while maintaining a convincing appearance. This increases the likelihood of similar campaigns,” suggests Sadon.
“AI is likely to lower the barrier to entry for cybercrime while increasing its scale, speed, and personalization. It enables less-skilled actors to carry out more sophisticated attacks, particularly in areas like phishing, social engineering, fraud, malware development, and reconnaissance,” he continued. “At the same time, AI allows criminals to automate operations and adapt more quickly, meaning the overall volume and diversity of cybercrime is expected to grow – even if the number of highly skilled actors remains relatively stable.”
The visible quality of the end product and the almost certain increase in online fraud will be a growing problem for businesses and users, neither of whom will have the forensic and investigative skill of firms like Sygnia. Both should consider taking some responsibility themselves to prevent victimization. Firms could make occasional searches to see if they have been cloned – and Google’s image search could help in finding if their logo is being used elsewhere.
“During our investigation, one of the techniques we used looked for the reuse of unique elements from the impersonation sites, including logos. This led us to additional domains using the same visual assets, which helped identify further impersonation sites,” said Sadon.
Individual users should look further at any site that requests money for any reason. “Across the impersonation sites, the main landing pages were generally well-designed, but the sites themselves were relatively shallow,” he added. “Most consisted of a primary page and, at most, one or two additional pages such as a contact page. In some cases, navigation menus were present but non-functional or repetitive. Compared to legitimate law firm websites, these sites appeared thin rather than content rich.”
None of this is conclusive to an untrained investigator, but a bit of self-help could go a long way. If in doubt, examine the depth.
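The depth check described above can be expressed as a small script. This is an added example, not code from Sygnia or its report: the `depth_report` function, the definition of a "dead" link, and the two sets of page snapshots are assumptions constructed for illustration, and the numbers it returns are a triage signal rather than a verdict.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

class _Links(HTMLParser):
    """Collect the raw href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append((dict(attrs).get("href") or "").strip())

def depth_report(pages, start):
    """Walk `pages` (URL -> HTML snapshot) from `start`, staying on its host.
    A link is 'dead' if it is empty, javascript:, points back at the page it
    sits on (including '#'), or targets an internal URL with no snapshot."""
    host = urlparse(start).netloc
    seen, queue, total, dead = {start}, deque([start]), 0, 0
    while queue:
        url = queue.popleft()
        parser = _Links()
        parser.feed(pages[url])
        for href in parser.hrefs:
            total += 1
            target = urldefrag(urljoin(url, href)).url
            internal = urlparse(target).netloc == host
            if (not href or href.lower().startswith("javascript:")
                    or target == url or (internal and target not in pages)):
                dead += 1
            elif internal and target not in seen:
                seen.add(target)
                queue.append(target)
    return {"pages": len(seen), "links": total,
            "dead_ratio": round(dead / total, 2) if total else 0.0}

# Constructed snapshots (not from the report): a thin clone and a fuller site.
THIN = {
    "https://clone.example/": '<a href="#">Home</a><a href="#">Practice</a>'
        '<a href="javascript:void(0)">Team</a><a href="/contact.html">Contact</a>',
    "https://clone.example/contact.html": '<a href="/">Home</a><a href="#">Practice</a>',
}
FULL = {
    "https://firm.example/": '<a href="/about">About</a><a href="/team">Team</a>'
        '<a href="/practice">Practice</a><a href="/contact">Contact</a>',
    "https://firm.example/about": '<a href="/">Home</a><a href="/team">Team</a>',
    "https://firm.example/team": '<a href="/">Home</a><a href="/about">About</a>',
    "https://firm.example/practice": '<a href="/">Home</a><a href="/contact">Contact</a>',
    "https://firm.example/contact": '<a href="/">Home</a>',
}
```

On these constructed inputs the thin site yields two pages with most of its links leading nowhere, while the fuller site yields five pages and no dead links.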

