Luxury & Fashion brands: be aware of online counterfeiting!

Monday, 20 March 2017

SANS research paper: Tracking online counterfeiters

"Tracking online counterfeiters" is a GIAC Gold paper that was recently published in the SANS Reading Room. It is a side project I have been working on for a while. I discovered this topic while investigating why websites were being compromised, and I became hooked on this new field, which converges with the security field I was originally investigating.

Screenshots of 4 FAKE websites related to online counterfeiting.

What I also discovered is that this field is massively underestimated by several industries, especially within the traditional security field.

"InfoSec also has a tendency to obsess over the technical sophistication of an attack instead of the impact it has on real people" (Stamos 2016) 

The paper explains the context of this online fraud, shows its links with the underground economy, and unveils the main tactics of the online counterfeiters. Finally, with all the information collected, I detail the steps to create a new intelligence feed that can be used in many scenarios. Three example scenarios where this new intel can be applied are also given, in case you are out of ideas.

I hope you enjoy reading the paper; do not hesitate to contact me with any question related to this topic.

Thursday, 19 January 2017

Chrome plugin to check whether a website is fake or not

A Chrome plugin to avoid being lured by online counterfeiters.

The plugin has two simple options:

1. When visiting a website whose legitimacy we are not sure about, we just click on the plugin icon and then on "Check this page now":

It takes a few seconds and then a pop-up like the one below appears informing us of the result, in this case warning us to be careful because the site is related to online counterfeiting:

2. The other option, useful when we do not want to visit a website because it might be dangerous, is to click on the link and go directly to the website. There we can type the address of the website we would like to analyze:

In that case we will see the website flagged as FAKE, so we know it is not safe to browse it or to purchase any item from it.

When a website has already been analyzed, the popup shows the information as below, where you can even click the "review the analysis" link to see the full report:

Do not hesitate to ask me any question regarding the plugin or its results.

Have a safe online experience!

FACEBOOK does not worry about online counterfeiting fraud

This recent post made me review the drafts I had in this blog regarding a similar issue, which I am publishing today. Through the project I have been investigating online counterfeiting fraud for quite some time. It turns out that Facebook has plenty of advertisements like the one below:

Facebook advertisement

Which leads to the Facebook event below (not active anymore):

In the above event page you can see the website being advertised: hxxp:// (not active anymore)

Which is clearly a FAKE Ray-Ban website. Flagged by

and hence by VT:

This FAKE website is clearly part of the luxury knock-off business, a dark business with even more revenue than ransomware and close to well-known malware such as the Zeus banking trojan.

Although it is not a security vulnerability itself, I reported it to Facebook because it is an abuse of their functionality that might be used to lure their users: anyone can set up an ad, and the target website is not "fully verified", so it might contain badware or fake content, as in this case.

The report was closed with the following feedback:

Hi Emilio,

Thanks for contacting us. Keep in mind that this queue is specifically for security vulnerabilities. Since what you describe doesn't appear to be a security vulnerability, you can provide feedback or suggestions regarding a feature here:


Redacted name

It seems that the issue was investigated some years ago by other researchers:

But Facebook still allows such advertisements. Despite all the effort they are putting into fighting FAKE news, it seems they still have plenty of room to improve when it comes to getting rid of advertisements involved with online counterfeiting on their network.

Google does a better job in this matter, but sometimes, as highlighted in the picture below, they have ads related to fake sites as well.

Monday, 22 August 2016

How to cope with online counterfeiting in the right way

Based on the latest OECD/EUIPO report (2016), trade in counterfeit and pirated goods amounted to up to 2.5% of world trade in 2013.

The main luxury, fashion and sports brands are being targeted online. Many take proactive measures such as trying to take down the websites affecting their brand, but it is a cat-and-mouse game, as new FAKE sites pop up like mushrooms.

But the Alexander Wang brand has set a precedent, a kind of warning to counterfeiters, as it has just won a $90 million lawsuit against 459 FAKE websites targeting the brand. This does not mean the winning brand will see millions from this lawsuit, as the owners of the FAKE sites did not show up in court. But the key point is that today it would be more difficult for potential Alexander Wang customers to be victims of online fraud than for the customers of any other brand, as shown below (despite their social media efforts).

Tuesday, 31 May 2016

Massive ransomware campaign of compromised Joomla-based sites targeting Endesa customers

Endesa is the largest electric utility company in Spain. Recently a ransomware campaign was discovered that uses a fake invoice with a huge amount to pay in order to trick users into verifying it. A clever social engineering move.

More details and the full list of domains involved can be found in the CSIRT-CV alert.

The interesting part of this new ransomware campaign is that most of the domains hosting the malicious scripts run the popular Joomla CMS.

hxxp://endesa-clientes .com / not available
hxxp://yamg.endesa-clientes .com / not available
hxxp://www.endesa-clientes. net /not available
hxxp://ojj.endesa-clientes .com / not available
hxxp://wtde.endesa-clientes. com / not available
hxxp://y2l6.endesa-clientes. com / not available
hxxp://rogaska-crystal. com / report
hxxp://itlearning. ma / not available
hxxp://nrmac. org / not available
hxxp://craferscottages. com. au / report
hxxp://sigortaci .net / report
hxxp://quality-managers. org / report
hxxp://tendearteplast. com / report
hxxp://gettingmarried .ie / report
hxxp:// / report
hxxp://tl6q.procura-italia. net / not available
hxxp://qln.myenel24. net / not available
hxxp://qln.myenel24. org / not available
hxxp://swisshalley-sale. ru / report (the only old Wordpress based)
hxxp://heroes-of-the-middle-ages. ru / report
hxxp://y2l6.endesa-clientes. com / not available
hxxp://securitysolutionshow. it / not available
hxxp:// / not available
hxxp://asge .ru / report
hxxp://ensarkarot. com / report
hxxp://faam. com / report
hxxp:// uk / report
hxxp://ipecho. net / report
hxxp://ultimchem. com / report

Based on the compromised sites, it seems this campaign is leveraging the critical vulnerability CVE-2015-8562.

Tuesday, 24 May 2016

How to spot a FAKE website

There are several tips about how to check whether a website is FAKE or not, but all of them require 8 or more different manual checks.

Do not waste your time: just use to find out with just 1 click whether a website is FAKE or not.

Let's take for example this website:

which was automatically flagged as FAKE by

but as long as the FAKE website is online it has been able to lure dozens of unsuspecting users, and counting, as you can see in the blog post below, created by a victim to raise awareness about the aforementioned FAKE site.

"If any of the victims had previously checked the website address in, they would have discovered that the website is not safe to do business with."

"If you do not trust a website, desenmascáralo (unmask it) to see what is behind it"

Tuesday, 12 April 2016

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners! is a free online service that analyzes websites mainly to spot whether they are FAKE (related to online counterfeiting) or not.

How might a FAKE website be related to malicious content? Let me give you a bit of background to understand it.

Fake luxury goods are sold all over the Internet. There is an underground economy where a large number of globally distributed criminals trade in data, knowledge and services with the goal of defrauding users and businesses, and this is related to black market commoditization, a recent innovation by the fraudsters.

The underground organizations have well-defined roles with interdependencies; for example, to buy and sell compromised web servers, scam hosting, exploit kits, and wholesale access to stolen user records including usernames and passwords, credit card numbers, and other sensitive personal data.

Recently Google published a post about research related to this topic: "The underground market fueling for-profit abuse". The researchers mapped the relations between the specialized roles in the underground economy, as in the picture below,

whose explanation can be viewed step by step, dynamically, in this video:

where the division of labor based on the chain of specialization is clearly represented. This underground economy is the culprit behind current online threats such as fake anti-virus, ransomware, banking Trojans and any kind of commodity crimeware available out there. While reading the aforementioned research paper, the figures below caught my attention:

IOCs for most of the threats above are usually included in the vast number of intelligence watchlists, either proprietary or open source, in order to do some kind of:
  • Correlation (i.e. we need to see incident A before incident B can trigger)
  • Validation (i.e. the customer's IP space is linked to an IOC)
  • Enrichment (i.e. to provide more context to known threats)
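As an added example, not code from this post or from the service it describes, the script below shows those three uses of a feed of counterfeit-site indicators written in the same defanged "hxxp://domain .tld / status" style as the domain list in the Joomla post above. The feed entries, the customer IP range, the proxy log format ("timestamp src_ip method host path") and every domain are constructed placeholders: it refangs the indicators, validates which log events from the customer IP space touch a listed domain (including subdomains), enriches each hit with the feed's brand and threat-kind context, and correlates a visit to a flagged shop (incident A) followed within ten minutes by a POST to the same site (incident B) into an escalated alert.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed intelligence feed in the defanged "hxxp://" style used in the post.
# Every domain is an invented placeholder, not a real indicator.
FEED = [
    {"ioc": "hxxp://cheap-brand-outlet .example / report", "brand": "BrandA", "kind": "counterfeit-shop"},
    {"ioc": "hxxp://www.sale-luxury[.]example", "brand": "BrandB", "kind": "counterfeit-shop"},
    {"ioc": "hxxp://ok.invoice-utility. example / not available", "brand": "UtilityCo", "kind": "ransomware-lure"},
]

# Assumed customer IP space for the validation step.
CUSTOMER_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed proxy log lines: "<ISO timestamp> <src ip> <method> <host> <path>".
LOGS = """
2016-05-31T10:00:01 10.20.4.7 GET www.cheap-brand-outlet.example /sunglasses
2016-05-31T10:03:12 10.20.4.7 POST www.cheap-brand-outlet.example /checkout
2016-05-31T10:05:00 192.0.2.9 GET sale-luxury.example /
2016-05-31T11:30:45 10.20.9.2 GET ok.invoice-utility.example /factura.js
2016-05-31T11:31:00 10.20.9.2 GET update.vendor.example /patch
""".strip().splitlines()

DEFANG_SUFFIX = re.compile(r"\s*/\s*(report|not available)\s*$", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged feed entry into a bare lowercase hostname (no scheme, no www.)."""
    s = DEFANG_SUFFIX.sub("", ioc.strip())          # drop the "/ report" style status
    s = re.sub(r"^hxxps?://", "", s, flags=re.I)    # hxxp:// -> nothing
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s*\.\s*", ".", s)                 # "domain .com" / "domain. com" -> "domain.com"
    s = s.split("/")[0].strip().lower()
    return s[4:] if s.startswith("www.") else s


def build_index(feed):
    """Map refanged hostname -> feed entry for O(1) lookups."""
    return {refang(entry["ioc"]): entry for entry in feed}


def parse_log(line: str) -> dict:
    ts, src, method, host, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "method": method, "host": host.lower(), "path": path}


def lookup(host: str, index: dict):
    """Match a host exactly or via any parent domain, so subdomains of a listed site hit."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        entry = index.get(".".join(labels[i:]))
        if entry is not None:
            return entry
    return None


def enrich(event: dict, entry: dict) -> dict:
    """Enrichment: attach the feed's brand, kind and original indicator to the raw event."""
    return {**event, "brand": entry["brand"], "kind": entry["kind"], "ioc": entry["ioc"]}


def validate(logs, index, customer_net):
    """Validation: keep only events from the customer IP space that touch a feed domain."""
    hits = []
    for line in logs:
        event = parse_log(line)
        entry = lookup(event["host"], index)
        if entry is not None and event["src"] in customer_net:
            hits.append(enrich(event, entry))
    return hits


def correlate(hits, window=timedelta(minutes=10)):
    """Correlation: a GET to a flagged site (A) followed within the window by a POST from the
    same source to the same site (B) is escalated as a likely purchase / data submission."""
    escalated = []
    for a in hits:
        if a["method"] != "GET":
            continue
        for b in hits:
            if (b["method"] == "POST" and b["src"] == a["src"] and b["host"] == a["host"]
                    and timedelta(0) < b["ts"] - a["ts"] <= window):
                escalated.append({"src": str(a["src"]), "host": a["host"], "brand": a["brand"],
                                  "kind": a["kind"], "first_seen": a["ts"].isoformat(),
                                  "post_at": b["ts"].isoformat()})
    return escalated


def run(logs=LOGS, feed=FEED, customer_net=CUSTOMER_NET):
    hits = validate(logs, build_index(feed), customer_net)
    return hits, correlate(hits)


if __name__ == "__main__":
    hits, alerts = run()
    for h in hits:
        print(f"HIT  {h['src']} -> {h['host']} [{h['brand']}/{h['kind']}]")
    for a in alerts:
        print(f"ESCALATE {a['src']} -> {a['host']} GET at {a['first_seen']}, POST at {a['post_at']}")
```

The refang step is the part most worth keeping in real tooling: feeds published as blog posts or alerts mix "hxxp://", bracketed dots and stray spaces, and an indicator that is not normalized never matches a log line. Parent-domain matching in lookup is deliberate, because the Joomla list above shows the same campaign using many throwaway subdomains of one registered domain.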

But for the luxury knock-offs strategy of the "Spamvertised products" profit center, where the revenue numbers are even higher than for known threats such as click fraud, and even close to the infamous Zeus, I was not aware of any kind of intelligence feed providing only such specific information.

The integration of into VirusTotal's URL online scanning service is about the "Spamvertised products" profit center. Any FAKE website related to online counterfeiting will be flagged as such in and as suspicious in VirusTotal.

Below you can find some metrics about the data is collecting:

Dashboard with all the brands detected

Availability of FAKE sites targeting the PRADA brand

One of the main goals of the web service is to let anyone know with just 1 click whether a website is FAKE or not. All the information collected is shared with the community through this VirusTotal integration. In addition, if you are a brand protection professional:

you may want to follow the desenmascarame Twitter account (which tweets automatically each time a FAKE site is spotted and warns the affected brand), or maybe join the "avisame" service in order to get all the metadata of the FAKE websites affecting your brand.

More announcements to come.