A deceptive associated set could make easily-findable pages (home page, About Us, privacy policy) that are clearly presented to the user, and then drive traffic to other, harder-to-find pages that are deceptively presented as independent.

For example, the sites of a bogus medical journal, clinic, and online pharmacy could be clearly co-branded on their home pages and on pages linked to from the home page - and then use social media ads to drive traffic to "research" "patient guide" and "order pills now" pages that are styled and branded completely differently.

The deceptive set would pass public review because from the point of view of home page visitors, it's obviously co-branded. And the set would not need to be large. (A small, well-tested set of 3 or so deceptively connected domains would probably be able to do this kind of scam best.)

Even highly conscientious independent reviewers would have trouble detecting a bogus set simply by surfing around -- reviewers would likely not be in the target group to which the deceptive deep pages would be promoted, and they wouldn't be able to get there from a link. Some kind of user research covering the actual audience experience would appear to be needed.

(cc @johannhof, based on today's WICG meeting)