September 21, 2023
Wilko: a target for scams following administration
David Barnett
SHARE
Facebook Twitter LinkedIn
Wilko: a target for scams following administration

This article was co-written by David Barnett and Richard Ferguson.

 

Introduction

In August 2023, the UK high-street retailer Wilko Limited (formerly Wilkinson) entered administration, ultimately leading to store closures and selloffs, and the acquisition by The Range of the IP rights to the Wilko brand and website[1]. Shortly after the start of the administration period, reports began to emerge of a range of brand-related scams, including fake Wilko-branded websites offering branded products at heavily discounted prices[2]. Similar or related scams were also observed on social media, particularly Facebook[3], resulting in the requirement for the administrators to launch a campaign of enforcement actions.

These reports are perhaps unsurprising in view of previous studies which have found that high-profile news stories often serve as the trigger for spikes in related infringements and scams, particularly where specific brands are concerned and customers can be targeted[4].

In this article, we present the results of some simple analyses to determine the scale of the issues relating to the Wilko brand immediately following the closure of its stores[5].

 

Findings

  1. Manual searches

As of mid-September 2023, a number of active Wilko-related scams were easily identifiable via simple searches. As shown in Figure 1, the domain wilkoclosing.com was found to resolve to a live, Wilko-branded e-commerce site. The site had been live for long enough to have been indexed by search engines, and was returned at position 3 in Google in response to a search for ‘Wilko clearance sale’, and at position 4 for ‘Wilko clearance bargains’. The domain was registered with privacy-protected contact details, giving the registrant location as Henan, China.

 

Figure 1: An example of a live fake Wilko site (19-Sep-2023).

 

On Facebook, similar searches yielded multiple reports of Wilko-related scams (Figure 2).

 

 

Figure 2: Reported instances of Wilko-related scams on Facebook (19-Sep-2023).

 

In the first instance, the advertisement linked to a website at willkofficial.com [sic], which was no longer live, but generated a browser warning of deceptive content.

A number of similar scam-related pages were also found still to be active on Facebook on the same date, some of which included clearly unofficial contact details (e.g. using webmail e-mail addresses) and/or linked to fake external websites (Figures 3 and 4).

 

 

Figure 3: Examples of fake Wilko-related pages on Facebook (20-Sep-2023).

 

 

Figure 4: Examples of standalone websites linked-to from pages shown in Figure 3–

(i) vuoriclothingo.com, a fake Wilko-branded site;

(ii) pneial.com, a generic e-commerce template website, possibly indicating that the scam site is no longer active, or representing a case of traffic misdirection

 

It was also possible to find instances of Wilko-related e-commerce mobile apps on standalone app-download (‘APK’) sites. Whilst some such examples may be instances of the distribution of official apps, sites of this type are worthy of close monitoring, since they tend to incorporate less quality-control than the mainstream app stores, meaning the downloaded content applications may be unofficial, out-of-date (and lacking appropriate security patches) or associated with malicious content.

 

 

Figure 5: Example of a Wilko-related app identified on a standalone app-download site (20-Sep-2023).

 

  1. Deep-dive domain analysis

We next considered the set of all domains containing the string ‘wilko’ (or ‘willko’), based on zone-file analysis. Following the removal of all obviously non-relevant domains (e.g. those containing strings such as ‘willkommen’, names such as ‘wilkowiecki’ or ‘wilkosz’, or where the string is otherwise clearly being used as a personal name), this yielded a dataset of 772 potentially relevant names. We then further removed any which appeared explicitly to be official (i.e. owned by Wilko, based on registrant or registrar information), leaving a remaining dataset of 672 third-party domain names.

Of these, 430 had domain registration dates identifiable via an automated whois look-up. By aggregating the monthly numbers of registrations, a large spike in activity beginning in August 2023 was readily apparent (noting that the analysis was carried out in mid-September, and the full number for September was likely to increase).

 

 

Figure 6: Monthly numbers of registrations of ‘wilko’ (or ‘willko’) domains, since the start of 2020.

 

332 of the 672 domains were found to return some sort of live website response (i.e. an HTTP status code of 200) although, of the remaining 340, 131 (39%) were found to have active MX (mail exchange) records, indicating that they have been configured to be able to send and receive e-mails and could therefore potentially be being utilised for phishing activity. Many of the inactive domains had names featuring keywords (such as ‘clearance’, ‘offers’, ‘official’, ‘outlet’ or ‘sale’) indicating that they may have been registered with the intention of being used for scams.

Of the 127 domains explicitly identified as having been registered since the start of August 2023, 67 (53%) were found to resolve or re-direct to active fake Wilko sites, with a further 23 (18%) featuring browser warnings of deceptive content or resolving to pages stating that the domains have been suspended. A number of additional examples were found to resolve to alternative content, such as third-party e-commerce or gambling-related sites, thereby potentially comprising instances of misdirection. Across the full dataset, a total of 98 domains were found to feature indicators of current or past scam-related content (Figure 7).

 

 

Figure 7: Examples from the dataset of live fake Wilko websites (domain names: wilkossky.com;wilkobigsales.com; wilkooutletuk.com; wilkobestsale.com; bigsalebywilko.com; wilkosense.com)

 

Conclusions

The findings presented in this article illustrate that, where brands find themselves in the media, a spike in infringements and scams may not be far behind. The scale of the issue in this case – with almost 100 brand-related fraudulent domains identified for Wilko in mid-September – highlights the general importance to brand owners of a collaborative programme of domain name management and brand protection (monitoring plus enforcement) to avoid losses and protect customers.

In addition, some of the specific observations in this case raise some highly relevant general points about the way in which scams can be manifested:

  • Scams can operate over multiple channels (domain names, general Internet content, social media, mobile apps, etc.) and are often interconnected, highlighting the importance of a holistic approach to monitoring.

  • Fake websites can be hosted on brand-specific or general domain names, driving a requirement to combine domain-name monitoring (zone-file analysis, etc.) with alternative detection approaches.

  • In many cases, the scam content may make use of brand variations or misspellings, so as to drive customer confusion and/or evade detection, so it is important to utilise a monitoring technology able to address this.

  • Timely enforcement is key. If infringements are allowed to remain live long enough to be indexed by search engines, this can greatly increase their visibility and exposure.

  • Often, infringing sites will deliberately be hosted in jurisdictions or through Internet service providers who are notoriously non-compliant to takedown requests, showing the importance of the use of a range of enforcement techniques.

The post-pandemic retail sector in the UK has seen several high-street brands enter administration, with the IP often carved out from any bricks-and-mortar or plant-and-machinery (e.g. Made.com, Paperchase and Joules). These deals can happen quickly and sometimes be a fire sale. Regardless, brand protection should not be the preserve of a company’s long-standing brands, and brand protection enquiries and online threat analysis should form part of any due diligence process. After all, if a brand’s IP is valuable enough to buy, it should be valuable enough to protect from the outset.

 

[1] https://en.wikipedia.org/wiki/Wilko

[2] https://www.bbc.co.uk/news/business-66580724

[3] https://malwaretips.com/blogs/wilko-clearance-sale-up-to-90-off/

[4] https://www.linkedin.com/pulse/four-new-case-studies-domain-registration-activity-spikes-barnett/

[5] All observations and statistics are correct as of w/b 18-Sep-2023
SHARE
Facebook Twitter LinkedIn
Tags
Online Brand Enforcement /  Food & Drink /  Domains
Found this article interesting today?
Send us your thoughts:
Get in touch
Stobbs IP Limited
Building 1000
Cambridge Research Park
CB25 9PD
Tel. 01223 435240
Fax. 01223 425258
info@iamstobbs.com
Website Terms & Conditions
Privacy policy

German office legal notice
Cookie Declaration
Complaints Policy

Copyright © 2022 Stobbs IP
Stobbs (IP) Limited, trading as Stobbs, registered in England and Wales, Company number 08369121.
Registered Office: Building 1000, Cambridge Research Park, Cambridge, CB25 9PD.
VAT Number 155 4670 01.
Stobbs (IP) Limited and its directors and employees who are registered UK trade mark attorneys are regulated by IPReg www.ipreg.org.uk