Brand Impersonation: An Identity Threat Beneath the Surface

Jul 1, 2026
Senior Security Researcher
Staff Software Engineer

The Ping Identity Threat Intelligence team recently uncovered a sophisticated and long-running brand impersonation infrastructure. This operation, potentially linked to an illegal gambling network, employs advanced black-hat search engine optimization (SEO) and evasion techniques to trick search engines and ultimately direct users to malicious content.

 

Before we dive into what we uncovered, let’s talk about what brand impersonation attacks are and how bad actors can mimic an organization's website and/or domain.

 

Key Takeaways

  • Brand impersonation is an identity problem: Attacks succeed when organizations cannot verify whether someone is interacting with a legitimate entity or a fake.

  • Threat actors used cloaking and black-hat SEO techniques to show legitimate-looking brand content to search engines while redirecting human users to malicious gambling infrastructure.

  • The operation leveraged expired domain abuse, mirrored websites, and cloud-hosted infrastructure to impersonate trusted global brands at industrial scale.

  • Continuous monitoring of domains, referrers, and identity-related signals is critical for detecting sophisticated brand impersonation and fraud campaigns before they escalate.

What Are Brand Impersonation Attacks?

Brand impersonation is a cybercrime technique in which threat actors imitate a trusted organization’s website, branding, domains, or digital experience to deceive users and exploit that trust. These campaigns often use cloned websites, phishing infrastructure, fake login portals, or manipulated search results to redirect victims toward fraud, credential theft, malware, or illegal services. Modern brand impersonation operations increasingly combine black-hat SEO, expired domain abuse, cloaking, and AI-driven automation to scale attacks while evading detection.

Our Brand Impersonation Investigation: The Starting Point

It began with the detection of a suspicious domain flagged by our automated systems, traffic logs and threat intelligence feeds. The domain was identified as malicious by several security vendors.

 

We received hundreds of events associated with this domain over a couple of months. However, navigating directly to the domain unexpectedly displayed a Chinese-language gambling page. This initial observation presented a puzzle: why was traffic from an organization's environment referring to a gambling site?

 

Figure 1: The gambling app webpage.

 

Further investigation showed that clicking the main "Bet Now" button on the gambling page led to a 403 Forbidden page.

 

Figure 2: “Bet Now” link leads to a 403 Forbidden page.

A Deep Dive into the Impersonated Webpage

A review of the page's source code revealed a major inconsistency. Despite rendering as a gambling site, the underlying HTML content contained numerous references to a well-known consumer brand.

 

The unusual display was traced to a malicious JavaScript file, which dynamically loaded an iframe containing the gambling site. This script also ensured only the malicious iframe was visible by hiding all other elements.

 

Figure 3: The main.js script.

 

By temporarily disabling the script, the legitimate mirrored content of the targeted brand's website appeared.

 

Critical details were obtained from an analysis of the page's source code, revealing:

  • The mirroring tool used to clone the official website.
  • The original mirrored URL.
  • The creation date of the mirror.
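The iframe overlay and the mirroring-tool comment described above can both be spotted from the raw HTML without executing the page. This is an added example, not the investigation's tooling; the post does not name the mirroring tool, so the comment pattern, the host names and the sample page are all constructed placeholders.

```python
# Added example: static triage of a suspect page's HTML for two indicators,
# a cross-origin iframe overlay and a mirroring-tool comment that leaks the
# original URL. The "mirrored from" pattern is an assumption (tools differ).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MIRROR_COMMENT = re.compile(r"mirrored from\s+(\S+)", re.IGNORECASE)

class _PageScan(HTMLParser):
    """Collect every <iframe src> and every HTML comment in the document."""
    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.comments = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe" and src:
            self.iframe_srcs.append(src)
    def handle_comment(self, data):
        self.comments.append(data)

def triage_html(html, page_host):
    """Return (kind, value) findings for html served from page_host."""
    scan = _PageScan()
    scan.feed(html)
    findings = []
    for src in scan.iframe_srcs:
        host = urlparse(src).hostname or ""
        # An iframe pulling content from an unrelated origin is the overlay indicator.
        if host and host != page_host and not host.endswith("." + page_host):
            findings.append(("foreign_iframe", src))
    for comment in scan.comments:
        m = MIRROR_COMMENT.search(comment)
        if m:
            # Mirroring tools commonly leave the source URL and date in a comment.
            findings.append(("mirror_comment", m.group(1)))
    return findings

# Constructed sample page; all names are placeholders, not real indicators.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- Mirrored from https://www.examplebrand.example/ by some-mirror-tool, 2024-05-01 -->
<html><head><title>ExampleBrand - Official Site</title>
<script src="/main.js"></script></head>
<body><nav><a href="https://www.examplebrand.example/login">Sign in</a></nav>
<iframe src="https://gambling.example/app" style="width:100%;height:100%"></iframe>
<iframe src="/widgets/help"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, value in triage_html(SAMPLE_HTML, "expired-brand-domain.example"):
        print(kind, value)
```

A same-origin or relative iframe (like `/widgets/help` above) is deliberately not flagged, so the check stays quiet on ordinary sites.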

 

Figure 4: Comment that reveals the tool used to mirror the original company’s website. 

 

However, the mirrored site was incomplete: images and logos were missing and many links were broken. Most sensitive actions, such as login or checkout, led back to the original, legitimate website. This raised a key question: why create an incomplete mirrored website only to overlay it with gambling content that leads to errors?

How Brand Impersonation Uses Cloaking & Black-Hat SEO

The answer lies in cloaking, a deceptive SEO technique. Cloaking presents different content to search engine bots than it does to human visitors. This technique is used to unfairly boost a site's ranking or hide illegal content from search engines. The logic checks who is visiting (bot vs. human, and sometimes, location) and serves the appropriate content.

 

In this scheme, search engines indexed the mirrored, reputable-looking page of the targeted brand, while human visitors were shown the gambling content.

 

The threat actors' goal was to present search engines with a clean, reputable brand to gain SEO advantage, while serving actual users content from the gambling site.
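The simplest defender-side check for user-agent cloaking is to request the same URL as a crawler and as a browser and compare what comes back. This is an added example, not the investigation's tooling; the URL, the two sample responses and `fake_fetch` are constructed so it runs offline, and `http_fetch` is the drop-in for live use. It does not detect the geo-based cloaking discussed further down, which needs requests from the targeted region.

```python
# Added example: user-agent cloaking check. Compare the visible text a crawler-like
# client receives against what a browser-like client receives for the same URL.
import difflib
import re
import urllib.request

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"

def http_fetch(url, headers):
    """Real fetch for live use; the tests below swap in fake_fetch instead."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def visible_text(html):
    """Crude reduction to the text a visitor would read: drop scripts, styles and tags."""
    html = re.sub(r"(?is)<(script|style).*?</\1>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return " ".join(text.split()).lower()

def check_cloaking(url, fetch=http_fetch, threshold=0.6):
    """Return (is_cloaked, similarity). Dynamic pages legitimately differ a little
    between requests, so a similarity threshold is used rather than an exact hash."""
    bot_view = visible_text(fetch(url, {"User-Agent": CRAWLER_UA}))
    human_view = visible_text(fetch(url, {"User-Agent": BROWSER_UA}))
    sim = difflib.SequenceMatcher(None, bot_view, human_view).ratio()
    return sim < threshold, round(sim, 3)

# Constructed responses mimicking the behaviour described above: the crawler gets the
# mirrored brand page, the browser gets the gambling overlay. Placeholder names only.
_FAKE = {
    CRAWLER_UA: "<html><head><title>ExampleBrand - Official Site</title></head>"
                "<body><h1>Welcome to ExampleBrand</h1><p>Shop our latest products and"
                " sign in to your account.</p></body></html>",
    BROWSER_UA: "<html><head><title>Bet Now</title></head><body><iframe src="
                "'https://gambling.example/app'></iframe><p>Play now, win big!</p></body></html>",
}

def fake_fetch(url, headers):
    return _FAKE[headers["User-Agent"]]

if __name__ == "__main__":
    print(check_cloaking("https://expired-brand-domain.example/", fetch=fake_fetch))
```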

The Motivation Behind Brand Impersonation Campaigns

The true motivation became clear when we used a VPN to connect to the gambling site from various international IPs. While most connections still led to the site and subsequent 403 errors, a significant difference emerged when connecting using a Hong Kong IP address. The links that previously resulted in a forbidden page now displayed entirely new content, including various suspicious sites and gambling applications.

 

Figure 5: First example of a page we landed on when using the Hong Kong IP.

 

Figure 6: Second example of a page we landed on when using the Hong Kong IP.

 

Figure 7: Third example of a page we landed on when using the Hong Kong IP.

 

This confirmed the operation’s motive: to use the reputation of a global brand as a cover to lure users from specific regions to illegal gambling websites and applications.

Brand Impersonation at Scale: Domain & IP Analysis

Further analysis of the domain and IP address revealed a broader operation:

  • The domain's last SSL certificate expired in July 2024.
  • Historical checks via web archives showed that the domain previously belonged to a legitimate organization, which had since moved to a new domain and failed to renew the old one. This practice is known as expired domain abuse or weaponizing expired domains.
  • The malicious domain's IP address was found to host several other domains, all displaying the same suspicious gambling page and utilizing the exact same operational flow and evasion techniques. 

 

This suggests the case is just one example within a vast, centralized brand impersonation campaign.

Evidence of a Large-Scale Brand Impersonation Operation

By analyzing the Indicators of Compromise (IoCs) from this single case, our investigation uncovered thousands of domain names mimicking legitimate websites, belonging to major global brands and Fortune 500 companies. 

 

Pivoting on the hash of the injected gambling page led to thousands of further domains being scanned, which ultimately confirmed the industrial scale of this operation.

 

This type of scheme was detailed in a September 2025 blog post by Deep Specter Research titled The Cloak and the Dagger: How Google and Cloudflare Missed a Global Phishing Empire [1]. Their research exposed a large-scale, cloud-hosted infrastructure that hijacks abandoned or expired domains, then pairs them with cloned websites of major global brands.

What Leaders Should Do to Prevent Brand Impersonation Attacks

The malicious domain was used to execute a brand impersonation attack. The scheme utilized cloaking to deceive search engine bots with a mirrored, legitimate-looking site while redirecting human visitors to a gambling site. This entire technical infrastructure is part of a vast, industrial-scale group known for hijacking thousands of expired domains to conduct sophisticated, sustained brand impersonation and phishing campaigns against prominent global brands.

 

Our recommendation: Organizations that observe similar signals should validate the delivery flow, preserve indicators, and coordinate with the relevant hosting, registrar, and platform providers to pursue takedown.

Frequently Asked Questions

A brand impersonation attack occurs when cybercriminals imitate a trusted company’s website, branding, or digital experience to deceive users and exploit the organization’s reputation.

Cloaking is a deceptive technique that serves different content to search engine crawlers than to human visitors, often to manipulate SEO rankings or hide malicious activity.

Threat actors acquire abandoned or expired domains that previously belonged to legitimate organizations and repurpose them for phishing, malware delivery, SEO abuse, or impersonation campaigns.

These campaigns often use legitimate-looking infrastructure, mirrored websites, geo-targeting, cloaking, and evasive hosting techniques that make malicious activity appear trustworthy to users and search engines.

Organizations can reduce risk by monitoring domain abuse, tracking suspicious referrals, implementing threat intelligence programs, using continuous fraud detection, and rapidly coordinating takedown efforts with hosting and domain providers.
