Luxury & Fashion brands; be aware of the online counterfeiting!:

martes, 6 de febrero de 2018

Who is behind those FAKE Whatsapp campaigns supposedly giving for free Nike shoes and alike?

Update 1I did submit all this information to Facebook so they might take any "action" against the responsible behind this fraud and to signal they do not allow to abuse their infrastructure to lure its users, but apparently they do not care much about these actors, this was its response:

Hola Emilio,
We are aware of homograph URLs and the potential risks they pose. We have automated systems in place to detect and prevent abusive/malicious domains/URLs. What you're describing is a social engineering attack against people, which is not in scope for our program.
Gracias por comunicarse con Facebook,

Update 2: Also similar campaign in France targeting Air France

Today is the Safer Internet Day. It is an European initiative which has grown beyond its traditional geographic zone and is now celebrated in approximately 130 countries worldwide with the support of many stakeholders.

Some supporters of SID

Meanwhile in WhatsApp we still receive messages like the below picture:

English translation: Nike will give for free 5000 pairs of shoes due to its 55° anniversary. Get your shoes for free in: .... ) 

Fake Nike promotion in Spanish language

Fake Nike promotion in Italian language

Luring to any user who click in the link above (notice the KOI-7 encoding of - this is known as a homograph attack) going through the below redirection:

then ending end up with a survey as the below hosted in a recent created domain ( 3 days old and a risk score of 100 based on DomainTools ) and whose analysis in VirusTotal is NOT flagged by any commercial vendor.

Any unsuspected user will fill in the survey which is based on 4 basic questions. Afterwards a pre-requisite to receive the free shoes is to share the message through whatsapp with 20 of your friends. The ball keeps growing. 

The user then click on the whatsapp button to share the message. Once the message has been shared among its contacts you will be redirected to another site (bye bye Nike shoes :( )

The above redirection make sure we are arriving from the previous Whatsapp campaign (as this is a referred marketing network, otherwise a different site will be presented). As we are arriving from the Fake Nike whatsapp promotion we are presented now with the below site:

Now the user still willing to get the promised Nike shoes will fill in the above form with its personal data. But here the interesting part (as always) is in the small letter, by clicking on Patrocinadores we will see the below text:

where there are quite a few companies from different sectors willing to sink its teeth into your personal data:

and here finally we do get a mail address responsible for this "Fake" campaign, so you have now an address to write in case you have not received your promised Nike shoes:

or a postal address to write them:

Interestingly the domain was also recently created, some months after the business was set up, under an anonymous whois provider and hosted in Rusia:

Correlating data with the DomainTools tool Iris

If we pivot over any IP address related with the domain to take a look into PassiveDns information we can see the malicious history of domains hosted on such IPs (most of them under the TLD .review and .win). There are hundreds of different and random domains created recently with the only purpose to host fake marketing campaigns to be spread like wildfire through social networks as the current one:

PassiveDNS information extracted with VirusTotal

Below are some of the business who this entity will collect your personal data for their commercial purposes through fake campaigns like this:

and so on, we could stay giving out personal data for free to these companies for a while:

The key factor here is that those companies are not the culprit here but the intermediate agencies like Green Flamingo Promotions and alike who are using these tactics to do their business: to collect your personal and private information in order to sell it. 

There is no need to clarify how greedy these companies might be collecting your data in order to sell you their services. Just bear in mind that even with data that you are not giving but disclosing through the kind of devices you are connecting from and correlated with data collected through the previous dubious campaigns they may infer even your social class

Today is the Safer Internet Day so keep your data private or at least do not incur in fake campaigns like these. You have been warned !!

sábado, 3 de febrero de 2018

How to uncover a massive campaign of counterfeit-related websites with just an e-mail address

Disclaimer: Thanks to my side project I reached out an agreement with DomainTools to use their commercial tools to research news ways about how to leverage them to gather additional intel around the online counterfeiting fraud. This is an example of a small research with the outcome of a massive campaign of counterfeit-related websites. A more formal article can be found on the DomainTools blog.

In the context of online counterfeiting, there are four classes of domain that warrant discussion:
  • Counterfeiters registered domains
  • Free hosting based
  • Legitimate but compromised
  • Expired domains
In order to know more about each type you can take a look to the SANS paper "Tracking online counterfeiters".  For the purpose of this article I will focus on the first type but just to find later a massive campaign of counterfeit websites of different types.

A counterfeit registered domain might be as in example: (active while writing this article)

Figure 1: Counterfeit-related website

This involves the online counterfeiters using any provider to register the domain in the conventional sense. Unfortunately Whois data can be spoofed yet. In fact, if the counterfeiter was never going to need to manage the domain again, he could use a false e-mail address. This scenario mostly works for the bad-guys registering C2 domains, but usually is not the case for counterfeit-related websites, as in the above case:

Figure 2: Legitimate mail address used to register the counterfeit-related website

Other considerations are that registration services often sell privacy/protected registration as a service. In those cases, only the privacy service and registrar have the information provided by the registrant that registers a domain on behalf of someone else and then transfers it to them shortly thereafter. In those cases (also mostly seen on C2 domain registrations) the initial registration would be the intermediary, and then registrant data may be updated later to reflect the actual domain owner. Something you can easily set up as an alert in Domaintools to keep track of, as in the example below of a counterfeit-related website handing over the domain´s ownership:

Figure 3: Registar domains extracted with

With the side project: I usually keep track how counterfeit-related websites are maturing. Inmersed in these tasks I was investigating the domain: cause despite of showing up all signs of a counterfeit-related one, the online tool was not able to analyze it due to some kind of block countermeasures on the counterfeit domain server side.

Figure 4: Register domains extracted with

The same behavior was showed by the domain: this case the domain was manifestly a copy-cat of Adidas but in Danish language.

Figure 5: Register domains extracted with

Based on the Whois public data observed I started to suspect; the name server of both domains is the same, they also have been recently created and the email registration seems random but under the same domain (a China based company).

Both pictures figure 3 and figure 4 were extracted with the free Domain tools whois lookup tool. In the other hand, Iris is a tool to give you additional insights while investigating any kind of online fraud. In this case, by using Iris in order to investigate further these 2 domains, I just found a massive and fresh campaign of around 50.000 counterfeit-related websites !! and all in less than 5 minutes.

Lets see the step by step process:

1. With valid DomainTools credentials we access to the Irish service:

Figure 6: Iris main website

2. We type the IOC we would like to investigate further, in this case:

  Figure 7: Web domain being investigated with the Iris tool

3. In the email section we see the same email addresses as devised in the public whois lookup tool plus two additional mail addresses. Right click in any of these fields and we can see the number of additional domains registered under them. When pivoting over the random mail address based on domain it show the text: "no other domains share this value" but when we pivot over the mail address as seen in the figure 8:

  Figure 8: Pivoting over an Indicator ( web mail address )

4. We see 53.361 domains share this value. Lets check them out. In order to do it we click over "Narrow Search" and in the top menu we will see a new tag with this field as show below in the figure 9:

  Figure 9: Multitag search (web domain and web mail address)

5. Now we remove the domain tag in order to extract all the information related "only" to this email address and then we noticed the surprise:

  Figure 10: Iris search with a key indicator ( web mail address )

53.679 fresh counterfeit-related domains found !! a quick random verification show us that all are related to counterfeit-related websites targeting a huge amount of brands under domains which belong to many different TLDs specially: .com, .de and .top

Lets take a look to some of them as examples under the different TLDs.

Counterfeit-related website targeting to the New Balance brand:

  Figure 11: Counterfeit related website

Multibrand counterfeit-related website: 

                                                                    Figure 12: Counterfeit related website

Multibrand Counterfeit-related website:

                                                                    Figure 13: Counterfeit related website

Counterfeit-related website targeting to the Reebok brand:

                                                                    Figure 14: Counterfeit related website

Multibrand Counterfeit-related website (car parts, toys, electronics...):

                                                                    Figure 15: Counterfeit related website

Multibrand counterfeit-related website:

                                                                    Figure 16: Counterfeit related website

Multibrand counterfeit-related website:

                                                                    Figure 17: Counterfeit related website

"All the information collected here as been sent along to the Europol as part of the IOS program to fight the trade of counterfeit products online."

Update: After some days, the Indicator keeps registering new counterfeit-related domains as while I am writing this update (some days later after writing the original article) the number of domains related to this counterfeit actor is: 55.048. That is 1369 new counterfeit-related domains registered within a few days by the same actor.

martes, 5 de diciembre de 2017

Prediction: Safe Browsing technology will detect counterfeit-related websites

I will make only 1 prediction for 2018, which I firmly think later or sooner will be a reality. Some major technology such as SafeBrowsing will detect and flag counterfeit-related websites. I have been working on detecting this fraud for a while with the side project:

My thoughts are that this online fraud has reached a point which can not be overlooked. The last paragraph of the SANS paper on this topic published earlier this year is:

"SafeBrowsing ( is a Google technology included by default in the major browsers to protect the users from unsafe sites such as: Malware sites and phishing sites. The ultimate ambitious goal of this research is to have widely-used technologies like the above to flag a new kind of unsafe sites: FAKE websites related with the online counterfeiting. "

Humbly I have tried to have available detections for these kind of counterfeit-related websites into the major browsers such as; Mozilla and Chrome. In Mozilla they do not believe these kind of fake websites are a threat for the users so they will not fix, in Chrome the issue is still open.

Counterfeit-related websites are usually involved with personal information data stolen

The industry response to this online fraud is quite variable, while Facebook does little or nothing at all to disrupt this online fraud

Some brands in FB deal with the endless cat-and-mouse play with the online counterfeiters

the Law enforcement authorities along with 3rd parties coordinated by Europol had tackled down the biggest number of these kind of fake websites until date. So my prediction for 2018:

Counterfeit-related websites will be an additional protection by Safe Browsing (or any other major security technology), and this change will lead the way consumers (and industry) behaves against this online threat.

My view:

lunes, 27 de noviembre de 2017

Over 20520 internet domains seized for selling counterfeits

Over 20520 Internet domains kind of:

(Disclaimer: the below FAKE websites are still active, do browse them under your own risk. This is just information to show some examples of the kind of domains being seized)


have been seized for selling counterfeits. Its one of the biggest hit against online piracy. This massive operation was a joint investigation by Europol´s Intellectual Property Crime Coordinated Coalition (IPC3), the US National Intellectual Property Rights Coordination Centre and law enforcement authorities from 27 EU Member States and third parties facilitated by INTERPOL.

Europol and the European Union Intellectual Property Office (EUIPO), the last with headquarters in Alicante (Spain) continued to join efforts in 2017 by successfully supporting many high-priority investigations related to online crimes, providing training related to online investigations, and organizing  a conference on Innovative strategies for Effective Enforcement in Antwerp, Belgium, on 19-20 September 2017.

I was invited by Europol to the mentioned conference and had the honour to host a workshop to show how OSINT tools such as can help to gather intelligence about counterfeit-related websites.

Europol is doing a great work by dismantling not only cybercrime groups but also migrant smuggling networks, child abuse photographers and many more organized crime groups.

miércoles, 8 de noviembre de 2017

CISSP: Decertification notice

CISSP is despite its detractors the undisputed king of InfoSec certifications. 6 years ago I wrote a blog post about "how to get ready fast for the CISSP exam". In order to get this certification you need to invest a good amount of time, to have experience in the field and money". The same does apply to maintain it once you have it.

Some days ago I did receive a mail from ISC2 as the below:

Subject: (ISC)? Decertification Notice 
02 Nov 2017

Member ID:

Expiration Date:
31 Jul 2017
Termination Date:
01 Nov 2017
Dear Jose Casbas, 
The purpose of this notice is to provide information regarding the status of your (ISC)2 certification.
According to our records, your CISSP credential was terminated effective 01 Nov 2017 because of Unpaid Annual Maintenance Fees.

Because the CISSP is a federally-registered certification mark, you may no longer use the CISSP designation in any form. For example, you may not use CISSP after your name, on printed materials and you may not display the certificate itself, wear the CISSP lapel pin or imply in any way that you are presently certified. Continued use of the CISSP designation is unauthorized and an infringement of the CISSP mark.

To be certified again, you must sit for, and pass the examination again. However, in order to do so, you must pay any outstanding AMF and late fees before registering for the exam. You may also be subjected to a $35USD reinstatement fee upon successfully passing an exam and requesting reinstatement of your credential.

If you have any comments or questions, do not reply to this email. Please email

(ISC)2 Member Services

The process to do the payment and submit the CPEs regularly is a bit painful. If you don´t take care of it you will receive a notification like the above. Personally I found it quite rude, and the fact that you need to sit for, and pass the examination again to be certified got me puzzled.

I decided to look in Twitter and I found some dudes proud to receive such notification and even some felt liberated. Personally I thought is a pity to lost something you have dedicated effort and it has proven value on your career, hence I decided to send an email to the mentioned address asking for a soft solution. And I got it.

Advice: After receiving such notification, you have two weeks buffer to call them directly and to redeem your fees through the phone. There is no need to sit and pass the examination again.

lunes, 20 de marzo de 2017

SANS research paper: Tracking online counterfeiters

"Tracking online counterfeiters" is a GIAC Gold paper which has been published recently in the SANS reading room. This is a side project I am working on for a while. I discovered this topic while investigating the reasons of websites being compromised. And I become addicted to this new field which converge with the security field I was investigating originally.

Screenshots of 4 FAKE websites related with the online counterfeiting.

What I did discover as well is that this field is being massively underestimated by different industries, especially within the traditional security field.

"InfoSec also has a tendency to obsess over the technical sophistication of an attack instead of the impact it has on real people" (Stamos 2016) 

The context of this online fraud is explained in the paper. The links with the underground economy is showed. And the main tactics of the online counterfeiters are unveiled. Finally with all the information collected I detail the steps to create a new intelligence feed which we could use in many scenarios. Also 3 examples of scenarios where to apply this new intel are given just in case you are out of ideas.

Hope you enjoying reading the paper and do not hesitate in contact me with any question related to this topic.

jueves, 19 de enero de 2017

Chrome plugin to check whether a website is fake or not

Chrome plugin to avoid being lured by the online counterfeiters.

The plugin has two simple options:

1. When we are visiting a website and we are not sure about their legitimacy we just click on the plugin icon and then on "Check this page now":

it will take some seconds and then a pop up like below will appear informing about the result, in this case warning us to be careful cause the web is related with the online counterfeiting:

2. The other option, useful when we do not want to visit a website cause might be dangerous, is to click in the link and go directly to the website. Then we can type the web address of the website we would like to analyze:

In such a case we will see the information about the website being flagged as FAKE. Then we know it is not safe to browse the website nor to purchase any item on it.

In cases where a website has been already analyzed we will see the information into the popup like below where you can even click the "review the analysis" link to see the full report:

Do not hesitate to ask me any question regarding the plugin or the results. 

Have a safe online experience!