Desenmascara.me

Luxury & Fashion brands; be aware of the online counterfeiting!: desenmascara.me

Wednesday, 6 November 2019

Fraudulent websites masquerading as different types of Spanish official applications

Update [08.11.2019]: The actors behind this massive online fraud are not only targeting Spanish public services but US-based ones as well, as shown below:


Fishing and hunting license in Florida --> https://www.fishingandhuntingflorida.com/


Fishing license in Texas --> https://www.texasfishinglicense.online/


Fishing license in Michigan --> https://www.michiganfishinglicense.online/


Fishing license in Georgia --> https://www.georgiafishinglicense.online/


This group of fraudsters has also registered a government-lookalike domain: http://cbp-dhs-gov.com/
which at the time of writing has only a landing page. The sole purpose of such misleading domains (whether once a website has been built on them, or simply by using the domain to send more credible phishing mails) is to lure users in order to steal their money and personal information:


end of update.



Fraud campaign in Spain:

Death certificate? --> https://www.expedientedefuncion.online / www.solicitar-certificado-defuncion.online


Official documents (with apostille)? --> https://www.apostillaylegalizacion.com/



Criminal record certificate? --> https://www.certificadodelitospenales.online/


Birth certificate? --> https://www.certificadonacimiento.online/



Marriage certificate? --> https://www.actadematrimonio.online/



European health card? --> https://www.tarjetasanitariaeuropeaonline.com/




And so on, with dozens of similar official certificates. This is common online fraud: fraudsters set up professional-looking websites to lure unsuspecting users. Users unaware of how Spanish bureaucracy works look online for the certificate they need and end up on a fraudulent site like any of those above.

After the user submits their details and pays the fee, the website shows a payment error and the fraud is complete: the money is in the fraudsters' pocket and the victim receives nothing.


Never, ever buy services from a website whose legitimacy you are not sure about; in case of doubt, check it with the web service https://desenmascara.me or ask us through the contact form.

The actor behind these fraudulent websites is a business registered in Florida (USA): Global Trading Solutions LLC, which is also associated with a multi-million crypto fraud; there is also an open investigation in a Spanish court.

Remember, if you have any doubt before making any purchase online, just use https://desenmascara.me to avoid being lured.

Friday, 11 October 2019

Annual Intellectual Property Report to US Congress

On April 26, 2018, President Trump, became the first President to formally recognize World Intellectual Property Day and proclaimed that “[o]n World Intellectual Property Day, we not only celebrate invention and innovation, but also we recognize how integral intellectual property rights are to our Nation’s economic competitiveness.” For this reason, the President stated that “[o]ur country will no longer turn a blind eye to the theft of American jobs, wealth, and intellectual property through the unfair and unscrupulous economic practices of some foreign actors.”




Saturday, 28 September 2019

How easily a Google product is being misused to market counterfeit goods

Update: INCOPRO has released a report on this same problem, with key findings, metrics and a call for Internet search engines to act against this online fraud, all well formatted; an easy and recommended read.


"While our systems get better over time, counterfeiting remains a complex challenge, and we keep investing in anti-counterfeiting measures." Kent Walker, Senior Vice President and General Counsel, Google. (2011)
"Just as in the offline world, people misuse legitimate online services to try to market counterfeit goods. This abuse hurts our users and our business; combating it is central to Google's operations." (Testimony of Kent Walker before the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet, Hearing on 'Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II', April 6, 2011)

A few years ago I wrote the SANS paper "Tracking online counterfeiters". At the time, the paper quoted metrics from a 2016 OECD report in which trade in counterfeit goods amounted to 2.5% of world trade. According to the latest OECD report, trade in fake goods now stands at 3.3% of world trade and is rising.

In that SANS paper I also cited the research paper "Framing dependencies introduced by underground commoditization", which showed the federation of specialists selling capabilities, services, and resources explicitly tailored to the abuse ecosystem.

Revenue generation is outsourced to “affiliates”—independent contractors paid on a commission basis for each sale they bring in. [cited from original paper]



A bit more than two years after the release of that SANS paper, let's take the two premises above and dig a little deeper into this online counterfeiting fraud. I will briefly expose specific tactics online counterfeiters use to target different countries. The goal is to support the two premises (increasing online fraud, and specialists selling capabilities in the underground commoditization market), but also to highlight a huge abuse of a specific search engine I came across while investigating this tactic. An abuse that is especially "sensitive" as it affects hundreds of the most famous and most counterfeited brands.

This problem is especially outrageous because it currently lets counterfeiters profit from and abuse free services, where in the past they had to use paid ones. Not to mention the millions of users potentially being duped by this lack of protection against websites whose only purpose is commercial infringement.

Before going into the details, allow me to define what a FAKE website is.


"Defining what is a rogue site is not a simple task." (Testimony of Kent Walker before the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet, Hearing on 'Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II', April 6, 2011)

The above statement is part of the testimony of Kent Walker before the House Judiciary Subcommittee on IP, which you can read in full at the link above. With all respect and humility, I do not agree with that statement, so let me explain my reasoning. I will use the terms "rogue site" and "FAKE site" interchangeably, and since I will be dealing with FAKE websites here, I will first define what the signs of a FAKE website are. To make it easier, I will follow the guidelines promoted by Europol to detect fraudulent sites selling fakes (also the basis of what the online tool https://desenmascara.me performs behind the scenes, on top of many other checks, to flag a website as FAKE). The only correction I would make to those Europol guidelines is to remove the red flag below:



This check no longer holds. The mainstream availability of free SSL/TLS certificates means counterfeiters now routinely serve their sites over HTTPS, as in the FAKE site below:

FAKE website using an SSL certificate


But let's go back to the point. I do think that defining what a rogue site is, is a simple task; so simple that I am still surprised no one is doing something like this yet.

To my humble understanding, a FAKE website is a rogue website that generates profits from the theft of intellectual property and/or by luring users. That's all. How can I back up such a statement? Keep reading.

On one side we have the Europol guidelines mentioned above, plus the yearly Europol operation In Our Sites (IOS) to seize domain names distributing counterfeit and pirated items online; the latest edition, in its ninth year, was the most successful ever. On the other side, after years of work improving the accuracy of https://desenmascara.me at flagging whether a website is FAKE or not, I did one thing not only to raise consumer awareness of this online fraud but also to let the offended brands know about FAKE websites abusing their trademarks: I set up the Twitter bot desenmascarame, which tweets only a small percentage of the FAKE websites being detected. At the time of writing, this bot has tweeted around 15k times, mentioning hundreds of brands affected by FAKE websites:


Twitter bot desenmascara.me


So far the Twitter bot has not received a single complaint from the affected brands; quite the opposite: this information has proved useful to the brands mentioned, as per the feedback received from many of them:

Small extract of brands answering the twitter bot


All this experience working to detect counterfeit-related websites, plus the feedback received from the brands and their requests to receive such "intelligence" in a formal way, allowed me to set up a business based on a SaaS service out of this 4-year side project. The business goal is simple but effective: detect and flag counterfeit-related websites, then hand over this specific "intelligence", either later or in real time, to the offended brands. The brands (or their legal representatives) can then initiate legal action against the infringing websites. On top of that, I receive mails from users who have been lured by counterfeiters and who later found that the online tool https://desenmascara.me would have prevented them from becoming victims of the fraud; these users also report websites which they think are FAKE but which, for whatever reason, the online tool is not able to flag correctly.

It is this mix of technology and users that makes the online tool https://desenmascara.me a powerful proof of concept, yet fully functional and in constant evolution: a proven, novel solution which could be used as the basis to tackle the online counterfeiting fraud problem globally.

All this experience allows me to affirm that defining what a rogue website is, is not a complicated task, but it is a grey area: one where the DMCA and the position of censoring the Internet intersect. These facts lead to a situation where there is no incentive to be proactive against online counterfeiting fraud but rather reactive, by putting up forms aimed at trademark owners to report counterfeit goods. It is also grey because it depends on national legislation and the views of local judges: there are legal cases where Internet service providers were ordered to block websites infringing trademarks, and other cases where the ISP could not be compelled. Country-specific legislation, right holders and Internet freedom make this topic not only a grey area but a hard problem to solve, one where the different actors should be aligned to act at the scale it deserves.

The scale I am talking about is not thousands but millions of domains being used by online counterfeiters to promote their items and lure Internet users. Despite all the efforts and huge investments big companies are making, this is happening with the complicity of search engines and social networks alike, plus the lack of security vendors making any effort in this area.

Is there any technology (e.g. Safe Browsing, proxy vendors, Web of Trust, blacklists...) right now that prevents you from browsing any of these websites: (https:// www.swarovskijoyas .es), (https:// www.philippevente. online), (https:// northfaces. store) or (https: //www. jackwholesaler.com)...? (If so, please do let me know.)


After this introduction to FAKE websites and the grey area they belong to, let me show you how I came across a specific Google product being massively misused to market counterfeit goods.

As part of improving the detection accuracy of desenmascara.me, I spent time researching how online counterfeiters operate, what their tactics are, how they are organised and what toolkits they use to scale their business. Let's start with a simple FAKE web page like the one below:


http:// www.libredetabaco.es


This site easily falls under the red flags listed by Europol:

  • Prices seem too good
  • "Contact us" section is very simple and generic
  • Site looks unfinished, with broken links
  • Domain name is totally unrelated to the content
  • and many more red flags...

Now, looking at the HTML code, let's focus on the highlighted line:


Suspicious html code used by the counterfeiter actor


It looks like a custom identifier used under the templates directory (which defines how the website looks) by whoever built the website. If we search for this specific string on Google we see only 4 organic results (3 domains used by the counterfeiters in the Search Engine Results Page, SERP), but the interesting part is in the image results:

Google SERP of a specific template directory found in the html code


When we click on "Más imágenes de..." (Spanish for "more images of...") we see the following pictures under the highlighted domains (all FAKE according to the Europol red flags and desenmascara.me):


Google images result with the string search wgtestwo136dkghnleejfliejf


There are several results pointing to around 7 different websites with the same code. It is likely that the code belongs to the creator of the websites since, in this specific case, all results are under the .es Top Level Domain (TLD) and on domains that had expired and were later picked up by the FAKE site creators; this is another typical counterfeiter tactic.

Let's try to confirm this with a different domain hosted on the same infrastructure as the previous FAKE website. Now take a look at a slightly different string that still follows the same format as the previous example:

Suspicious html code used by the counterfeiter actor


Here we have around 10 counterfeit-related websites sharing the same code and, as in the previous example, all of them are under the .es TLD and all have domain names unrelated to the webshop content:

Google images result with the string search wgtestwo134asuifheufhals


What we are observing here are specific contractors creating FAKE websites under the .es TLD. These contractors are just a small part of the full supply chain of online counterfeiting schemes, as pointed out in the paper mentioned at the beginning of this article.


Now let's take a look at actors dedicated to different countries, for example Germany and Austria (.de and .at TLDs). The website template below looks quite similar to the previous one:


http:// www.circuitnoize.at


The red flags are the same as in the previous FAKE website, but now in the HTML code we notice a slightly different template name (tu2kitySHOPde):

"<div class="yccrFvaOgfCU"><img src="includes/templates/tu2kitySHOPde/images/cardd.gif"></div>"
Suspicious html code used by the counterfeiter actor


Now we do the same as before and perform a Google search for this specific string. This time the web search returned 0 results, but again it led us to additional and interesting results in Google Images:

We click on Google Images and voilà, we see a few domains with the same type of pictures:




hxxp://www.guntenlauf.at/
hxxp://www.circuitnoize.at
hxxp://www.nikolabartenbachkunst.at
hxxp://www.awesome-riders.at
hxxp://www.strahlemannrockt.de/

Also, the registration of the above domains happened on the same or consecutive days. This is just a small example of how these actors operate: they create FAKE shops from pre-built kits and host them under previously used domains, on TLDs they might be familiar with in terms of language or target market.
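The pivot the two examples above perform by hand (find the template directory name in the page's HTML, then search for that exact string to find sibling shops built from the same kit) can be scripted for a batch of pages you have already fetched. The Python below is an added example, not code from the post or from desenmascara.me. The domains and HTML fragments are constructed for illustration (only the two template-name shapes quoted in the post are real), and the "kit token" heuristic, which treats a long letter-and-digit directory name as kit-specific and a short word like "classic" as a stock template, is my own assumption:

```python
import re
from collections import defaultdict

# Constructed sample pages: hypothetical domains and HTML fragments written for this
# example. The template tokens reuse the two shapes quoted in the post; the domains
# are placeholders, not the sites the post lists.
SAMPLE_PAGES = {
    "shop-a.example.es": '<div class="yccrFvaOgfCU"><img src="includes/templates/wgtestwo136dkghnleejfliejf/images/cardd.gif"></div>',
    "shop-b.example.es": '<link rel="stylesheet" href="includes/templates/wgtestwo136dkghnleejfliejf/css/stylesheet.css">',
    "shop-c.example.at": '<img src="includes/templates/tu2kitySHOPde/images/cardd.gif">',
    "shop-d.example.de": "<img src='/includes/templates/tu2kitySHOPde/images/logo.gif'>",
    "legit.example.com": '<img src="includes/templates/classic/images/logo.png">',
    "blog.example.org": "<p>No storefront template here.</p>",
}

# Captures the template directory name in any path of the form includes/templates/<name>/...
TEMPLATE_RE = re.compile(r"includes/templates/([A-Za-z0-9_-]+)/", re.IGNORECASE)


def template_tokens(html):
    """Return the set of template directory names referenced by one page."""
    return set(TEMPLATE_RE.findall(html))


def looks_like_kit_token(token):
    """Heuristic (assumption, not a rule from the post): kit-specific names are long and
    mix letters with digits, unlike stock template names such as 'classic' or 'default'."""
    return (len(token) >= 12
            and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token))


def cluster_by_template(pages):
    """Map every template token to the sorted list of domains that reference it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for token in template_tokens(html):
            clusters[token].add(domain)
    return {token: sorted(domains) for token, domains in clusters.items()}


def kit_clusters(pages, min_sites=2):
    """Tokens that look kit-specific and are shared by at least min_sites domains:
    the same pivot the post performs by hand through Google Images."""
    return {token: domains
            for token, domains in cluster_by_template(pages).items()
            if looks_like_kit_token(token) and len(domains) >= min_sites}


def pivot_queries(pages):
    """Exact-match search strings, one per kit token, to hand to a search engine
    (or to your own crawl index) to hunt for further siblings."""
    return ['"includes/templates/%s/"' % token for token in sorted(kit_clusters(pages))]


if __name__ == "__main__":
    for token, domains in kit_clusters(SAMPLE_PAGES).items():
        print("%s: %s" % (token, ", ".join(domains)))
    for query in pivot_queries(SAMPLE_PAGES):
        print("pivot:", query)
```

On the constructed input this groups shop-a/shop-b under the first token and shop-c/shop-d under the second, while the single "classic" site is ignored. The value of the approach is the clustering, not the token itself: once a kit token is known, every new domain that serves it inherits the verdict of its siblings.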

To avoid sensitivities with the Google Images examples above, I have tried not to show websites targeting specific brands.

The fact that searching for these quite specific, unique strings found in the HTML of the FAKE sites raised few or no results in a Google web search, but did raise results in the image search product, led me to explore some possibilities which, after a few tests, proved true: Google Images opens the door to thousands of results of FAKE websites infringing literally every brand that might be counterfeited. While these results are not available in the SERPs (at least not visible in the first pages), they are fully available through Google Images:

Google image results leading to FAKE websites owned by online counterfeiters.


I have omitted any specific brand logo or trademark name but, as you can see above, a typical Google Images search might lead to FAKE websites. All those websites were categorised as FAKE by the online tool desenmascara.me because all of them show the red flags recommended by Europol to detect fraudulent websites. Also note that the Web of Trust icon (the green icon next to the website address) does not indicate any danger or suspicious flag, when in fact any user who purchases items on any of those websites might be:
  • Lured and receive nothing
  • Lured and receive a counterfeit item
  • Lured and have their personal information misused to feed this online fraud
  • Lured and have their credit card details stolen
In summary, users directed towards these websites may be lured by the online counterfeiters.

To finish: as already mentioned, this might be a grey area, but the reality is that it is not so difficult to detect and flag FAKE websites. Google has hundreds of PhDs in Mountain View, Zurich and around the world working on hard problems. Maybe this problem doesn't make the cut of the priority list right now? According to the World Economic Forum (WEF), online counterfeiting is part of one of the top illicit trades of the 21st century, along with drug trafficking, human trafficking, diamonds and a few others. It is in the best interest of users, the affected brands and society in general (terrorism financing, tax evasion, child labour, poor working conditions...) to keep these counterfeit sellers off the Internet. We just need the will, proactivity and cooperation to tackle this online fraud.



Disclaimer: of course, I have a vested interest in taking these counterfeit websites off the Internet. I just want to test my proof-of-concept project at scale to show how this problem might be solved.

Monday, 19 August 2019

How to prevent Business Email Compromise (BEC) fraud?

Or, in Spanish: "cómo prevenir el fraude del CEO" (how to prevent CEO fraud).

Last year the FBI published an alert pointing out that BEC fraud exceeded $12 billion globally.
The report was based on data collected by the FBI's Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money actually lost by victims and money they could have lost had they taken the bait.

Many of these attacks are skilfully crafted. Criminals lurking on websites and social media can uncover plenty of information for fine-tuned spear-phishing emails: who the suppliers are, what the management structure is, who is receiving new business pitches or expansion plans, etc. Executive travel plans are particularly useful for scenarios like this, since the urgency of a task can be inflated from abroad: "I'm in Singapore and we need to make a payment ASAP to this supplier or we risk losing it. Don't delay - please wire these funds immediately."

How could this fraud be prevented?

  1. Train your leadership, especially in finance, about the risks associated with this kind of attack, the methods of detection and manual authentication of requests.
  2. Methods of detection include being vigilant about:
    • Pressure and a sense of urgency
    • Unusual requests that contradict internal procedures
    • Typosquatted domains similar to your company's (@R0CHE.COM instead of @ROCHE.COM)
  3. Use DMARC. Domain-based Message Authentication, Reporting & Conformance is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author ("From:") domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

You can check whether your organisation has DMARC in place just by typing the domain part of your mail address into this resource.

DMARC check compliance for the gmail.com domain
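Two of the checks above can be automated once you have the raw material: the DMARC TXT record published at _dmarc.<domain> (a "v=DMARC1; p=...; ..." string) and the sender domain of a suspicious mail. The Python below is an added example, not code from the post or from the GCA tools it links to. It works on constructed records rather than live DNS lookups, parses the record tags that matter for enforcement (p, sp, pct, rua) and flags the configurations that still let spoofed mail through, then adds a small look-alike check covering the @R0CHE.COM case in the post; the confusable-character table is my own minimal assumption, restricted to ASCII:

```python
# Constructed DMARC TXT records (hypothetical domains; in practice you would query
# the TXT record of _dmarc.<domain> and feed the string to assess_dmarc()).
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt):
    """Summarise what a receiver will do with mail that fails DMARC alignment."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"present": False, "enforcing": False,
                "findings": ["no valid DMARC record"]}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    findings = []
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unnoticed")
    subdomain_policy = tags.get("sp", "").lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains (e.g. finance.<domain>) are left unprotected")
    return {"present": True, "policy": policy, "pct": pct,
            "enforcing": policy in ("quarantine", "reject") and pct == 100,
            "findings": findings}


# Assumed minimal table of ASCII characters attackers swap for look-alikes.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "|": "l"})


def skeleton(domain):
    """Normalise a domain so confusable spellings collapse to the same string."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(sender_domain, trusted_domains):
    """Return the trusted domain the sender imitates, or None if it is genuinely
    one of them (or unrelated to all of them)."""
    if sender_domain.lower() in (t.lower() for t in trusted_domains):
        return None
    target = skeleton(sender_domain)
    for trusted in trusted_domains:
        if skeleton(trusted) == target:
            return trusted
    return None


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(domain, "enforcing" if result["enforcing"] else "NOT enforcing", result["findings"])
    print(lookalike_of("R0CHE.COM", ["roche.com"]))
```

Note the gap between "has a DMARC record" and "is protected": p=none, a reduced pct, or sp=none all leave room for the spoofed "From:" the post describes, and the look-alike check is independent of DMARC entirely, because a typosquatted domain can publish a perfectly valid DMARC record of its own.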



Basically, DMARC is a technology that allows a receiver to confirm whether an email really comes from the domain it claims to be from. It will not help in cases where a corporate mailbox has been compromised and the attacker has full access to the mail account of the person in finance; obviously that kind of attack requires much more effort.

Since June 2016, the Global Cyber Alliance (GCA) has been working to accelerate the adoption of DMARC through advocacy, by providing a set of easy-to-use tools and through campaigns to drive deployment. GCA has also measured the economic impact in this report. The benefits of deploying DMARC in your company are clear. What are you waiting for?





Wednesday, 7 August 2019

Criminal activity involving counterfeiting and the professionalised organized crime networks

Recently, the first EU-wide intellectual property crime threat assessment from Europol and the European Union Intellectual Property Office (EUIPO) was published. Press release by Europol.



The report contains 40 pages of insights about criminal activity involving counterfeiting and the professionalised organised crime networks behind it, which can reap large profits while running relatively few risks. It was created with EU-wide data and strategic intelligence analysis.

Below are the main points I would highlight from this report:

Metrics related:
  • In 2016, up to 6.8 % of EU imports constituted counterfeit and pirated goods, amounting to as much as EUR 121 billion. Compared to 5 % in 2013, this is a sharp increase in three years.
  • The economic impact of counterfeit clothing and personal accessories is particularly high. It is estimated that counterfeiting causes losses of around EUR 26 billion per year to the clothing, footwear and accessories sector and around EUR 2 billion a year to the jewellery and watches sector in the EU.


Facts related:
  • Although shipment of counterfeit goods to the EU still occurs largely in bulk by freight transport, in recent years there has been a strong increase in express transport. This sharp growth in trade via small parcels is related to the growth in online marketplaces selling counterfeit goods 

  • Besides the traditional luxury items, a wide range of everyday goods are targeted by counterfeiters. This includes cosmetics, electronic components, food and drinks, pesticides, pharmaceuticals, tobacco products, toys and vehicle parts. 
  • A growing number of counterfeit pharmaceuticals are detected in small parcels, facilitated by a continuous expansion of unauthorised and unregulated online pharmacies. 

  • The market for counterfeit goods remains highly profitable, providing criminals with opportunities to generate huge profits while running few risks. Most criminal activity involving counterfeiting is undoubtedly performed by organised crime groups and there appears to be an overall professionalisation of these groups. 

  • Counterfeiting and piracy are lucrative criminal activities, while at the same time generating relatively low detection risks. 
  • Several EU Member States have in recent years decreased their focus on fighting IP crime, in favour of other criminal activities that are deemed more serious and harmful, such as drugs trafficking, migrant smuggling, trafficking in human beings, and terrorism.
  • Online marketplaces are increasingly becoming an important source of income for criminal groups engaged in the sale of counterfeit and pirated goods. 
  • In a series of studies conducted by the EUIPO over the last few years, the direct annual losses of 13 market sectors that are particularly vulnerable to counterfeiting have been estimated. Collectively, these sectors lose EUR 60 billion a year, or 7.5 % of their total sales. 
  • However, despite the large number of counterfeit clothes and shoes that are sold online, they are also still commonly sold on the streets of certain cities and in popular tourist areas. 
  • A particularly worrisome development is that some of the jihadist terrorist attacks in the EU in recent years were partially financed by selling counterfeit clothing and shoes, although the most prominent example of this already stems from 2015. The Kouachi brothers, responsible for the terrorist attack on the Charlie Hebdo office, had been involved in selling counterfeit sports shoes. They had paid for the shoes via international payment services and imported them via parcel service from China. 
  • Other criminal acts that are commonly committed by counterfeiting organised crime groups are excise fraud and VAT fraud. 
  • Criminals are increasingly offering counterfeit goods through social media networks using specific URLs that can be hard to identify by law enforcement authorities. 
  • A common modus operandi for online counterfeiters is to re-register previously used legitimate domain names, also referred to as cybersquatting. Domain names that have previously been used for a wide variety of purposes, including those used by commercial businesses, embassies or politicians, are systematically re-registered to operate as e-shops selling counterfeit goods. This reuse of legitimate websites ensures consistent internet traffic towards these e-shops.

Security related:

  • While consumers are attracted to these kind of websites by the free content they can find there, in many cases these same websites are used to target exactly those types of consumers with phishing attempts or the dissemination of malware. It is estimated that one in four persons who stream illegally through a box or stick are affected by a virus or malware. Different kinds of malware and potentially unwanted programmes (PUPs) have been found on suspected websites sharing copyright-infringing content for free, which use deceptive techniques and social engineering to trick consumers into sharing sensitive personal information or even payment card details. This includes many PUPs for the Android OS, reflecting the growing popularity of mobile devices. 





Monday, 10 June 2019

Captchas being used by online counterfeiters to protect their FAKE websites


This is a new technique spotted by desenmascara.me. While digging into why some FAKE websites of different brands were not being flagged as such by desenmascara.me, I stumbled upon it.

Captchas are mainly used as a security check to ensure only human users can pass through, usually in form submissions or online tools, to avoid bots or any automated misuse.


Desenmascara.me has included a new check to bypass this "protection" recently implemented by the online counterfeiters on their FAKE websites.


I keep improving desenmascara.me with the goal of becoming the only URL engine able to spot any kind of FAKE website related to counterfeiting. If you have any tips or feedback to improve this online service, please do let us know. Many thanks!

Monday, 3 September 2018

Desenmascara.me at Black Hat USA Arsenal 2018

Last month the Black Hat 2018 conference took place in Las Vegas.


I had the great opportunity to demo the web tool to track online counterfeiters: desenmascara.me



Though I had already presented the tool at Black Hat Europe in Amsterdam around 3 years ago, this conference was totally different, in the way only Americans know how to do: great shows!

Photo courtesy of Azeria

I must admit I was a bit overwhelmed by this great conference, and I missed a lot of talks and events I would have liked to attend because they took place at the same time, on top of the hurdle of preparing the presentation/demo. Anyhow, this is what experience is for; for the next editions I will organise my schedule and must-go talks better.

I was thrilled to have the opportunity to present my side project to track online counterfeiters in such a remarkable environment. Many thanks to the Arsenal organisers for what seems to have been the biggest edition of Arsenal so far!












Friday, 4 May 2018

Advanced security analytics approaches


This is a live post which I will keep updating for my own reference.

  • Signature-based approaches: the oldest and most common approach to detecting security intrusions within a networked computing environment.
  • Behavioral analytics: a branch of business analytics where known patterns are applied to discover malicious behavior.
  • Anomaly detection: also known as outlier detection; uses statistical profiling to build a historical baseline and alerts on deviations from that baseline that match a potential attack vector.
  • Cross-device correlation: also known as event correlation; a technique where, for example, an IDS alert is correlated with a huge number of firewall events to pinpoint the events that really matter in a scenario where massive numbers of alerts occur.
  • Kill-chain detection: an intrusion-based methodology that focuses on the different stages of an attack. This methodology was developed by Lockheed Martin.
  • Integrated threat intelligence: similar to the signature-based approach but more agile and supported through industry partnerships; it looks for known bad actors by leveraging global threat intelligence from multiple, disparate feeds.
Every approach has the goal of catching suspicious or malicious activity. The ideal catch, and also the most complicated, would be the abstract set of behaviors an adversary uses; in David Bianco's Pyramid of Pain, that is the adversary's tactics, techniques and procedures (TTPs). This is the ideal detector according to Red Canary's detection engineering team.
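Of the approaches listed, anomaly detection is the one whose mechanics a short script can show end to end: build a baseline from a training window, then alert on deviations from it. The Python below is an added example, not code from the post or from any vendor named in it. The sshd-style log lines are constructed (a week of low-level noise against one account, then a burst), and the thresholding rule (k standard deviations above the mean, with an absolute floor) is a deliberately simple choice made here to show why a near-zero-variance baseline needs a floor, otherwise a single extra failure would page someone:

```python
import re
import statistics
from collections import Counter

# Constructed sshd-style log lines for this example (not from a real host):
# seven "quiet" days with three failed logins each, then one day with a burst
# against the same account from a single source address.
def build_sample_log():
    lines = []
    for day in range(1, 8):
        for n in range(3):
            lines.append("2019-08-%02d 09:1%d:00 host sshd[100%d]: Failed password for alice "
                         "from 10.0.0.%d port 5%d000 ssh2" % (day, n, n, n + 2, n))
    for n in range(40):
        lines.append("2019-08-08 03:%02d:00 host sshd[200%d]: Failed password for alice "
                     "from 203.0.113.7 port 4%04d ssh2" % (n, n, n))
    lines.append("2019-08-08 10:00:00 host sshd[3000]: Accepted password for alice "
                 "from 10.0.0.2 port 51000 ssh2")
    return lines


# Extracts date, user and source address from an sshd "Failed password" line.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def daily_failures(lines):
    """Count failed logins per (day, user); lines that are not failures are ignored."""
    counts = Counter()
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            day, user, _source = match.groups()
            counts[(day, user)] += 1
    return counts


def baseline(counts, user, training_days):
    """Mean and population standard deviation of the user's daily failure count over the
    training window. Days with no failures count as zero, so a quiet baseline stays quiet."""
    values = [counts.get((day, user), 0) for day in training_days]
    return float(statistics.mean(values)), statistics.pstdev(values)


def anomalies(lines, training_days, k=3.0, floor=10):
    """Alert on any (day, user) outside the training window whose count exceeds
    max(mean + k * stdev, floor). The floor stops a zero-variance baseline from
    alerting on a single extra failure."""
    counts = daily_failures(lines)
    alerts = []
    for user in sorted({user for _day, user in counts}):
        mean, stdev = baseline(counts, user, training_days)
        threshold = max(mean + k * stdev, floor)
        for (day, u), n in sorted(counts.items()):
            if u == user and day not in training_days and n > threshold:
                alerts.append({"day": day, "user": user, "count": n,
                               "threshold": round(threshold, 2)})
    return alerts


if __name__ == "__main__":
    training = ["2019-08-%02d" % d for d in range(1, 8)]
    for alert in anomalies(build_sample_log(), training):
        print("ALERT %(day)s user=%(user)s failures=%(count)d (threshold %(threshold)s)" % alert)
```

With these inputs the baseline for alice is exactly 3 failures per day with zero spread, so without the floor the threshold would be 3 and a fourth failure on any day would alert; with the floor the only alert is the 40-failure burst on 2019-08-08. In a real deployment the same skeleton runs per source address or per service as well as per user, and the training window slides forward so the baseline follows legitimate changes in behaviour.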



However, regardless of the approaches used, the truth is that within MSSP environments (with an overwhelming amount of security alerts) a huge amount of time and resources is wasted processing useless security alerts, which often either dulls the sensitivity of security personnel or leads them to ignore alerts altogether. What could be the best solution? That is a hard question; while innovative approaches to avoid the pitfalls of alert fatigue and other SOC challenges, such as SOCless detections, might be suitable for some environments, they are not intended for MSSP environments. The best advice I have ever seen in this area to improve MSSP capabilities is this:
I had countless conversations with organizations complaining about the false positives sent by the MSSP. But it’s impressive how many of them are not prepared to report back those events to the provider in a way that would allow them to tune their systems and avoid a similar occurrence in the future. This is a recurrent theme in this document: You MUST WORK WITH THE MSSP, not expect them to figure everything out alone.
Augusto Barros. Research VP at Gartner.



But obviously, talking about security alerts without having an incident response plan in place is fruitless. Some companies contract MSSP services just as a checkbox, where every escalated security alert, regardless of its accuracy, goes into a black hole. This might be due either to a lack of security awareness within the company (no CISO role) or to budgetary reasons. In the latter case, the IT staff usually cannot cope with security-related work, again either because of an excessive workload or a lack of knowledge. The optimal situation is a company with a security incident response plan in place (see NIST SP 800-61):

Incident response phases defined in NIST 800-61

In such an optimal situation, a company whose security service is provided by an MSSP would know what to do and how to act (through defined playbooks) regarding every security alert it receives from the MSSP.

Mini-paper released recently: Improving security incident quality in SOCs with resolution categories.

Related external links:
https://www.sans.org/reading-room/whitepapers/infosec/detecting-preventing-attacks-earlier-kill-chain-36230
https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
https://redcanary.com/blog/common-siem-issues/
Tuesday, 17 April 2018

Fortinet, I hope that we all do not fall for one of these one day

This post by Fortinet caught my attention: You will fall for this one day. I could not believe that a CTF player was the victim of a counterfeit-related website shown through an ad on Facebook. It is not my intention to blame the victim, but rather to highlight that if a technically savvy person can be lured by online counterfeiters, the chances of an average Internet user avoiding this fraud are quite low.


The article is quite good at describing how these scams usually work and the tactics of online counterfeiters, in particular the carefully chosen website name used to lure their victims, as described in the Tracking online counterfeiters paper.

Also to my surprise, near the conclusion of the article I could read the following (the bold sentence of the paragraph below):


The CTF player reported the website to the affected brand, Salomon in this case. This is a good action on their side, but it is a drop in the ocean. The desenmascara.me project, through its Twitter account, has so far sent around 10,000 alerts to 142 different brands affected by online counterfeiters. The number of counterfeit websites detected by this side project is higher, but due to Twitter API restrictions not all detected websites are automatically tweeted.

But the article had more surprises regarding Fortinet's approach to coping with this fraud:


While it is great to see that some security vendors are taking into account this kind of fake website luring users, the "phishing" categorization might not be accurate enough to highlight this massive online fraud. As pointed out in the mentioned paper "Tracking online counterfeiters", having a specific categorization for this specific fraud would help to raise awareness among users and also to create alliances with other stakeholders to fight it. But this is a not-so-easy battle, as even Kaspersky calls it phishing. The reality behind such counterfeit-related websites is that phishing is rarely the goal; instead they are a profit center through which victims transfer new capital into the underground, and as a profit center, all the pieces of this ecosystem must work properly:



Also, asserting that FortiGuard customers are protected from this scam because the website has been classified and blocked is a valid (but weak) point to show value over other vendors that are not able to recognize this online fraud:



But the reality is that a much wider approach is needed to cope with this massive online fraud. Just as an example, take the fake website being blocked by Fortinet: www.salocc.com
There are dozens of additional fake websites which belong to the same counterfeit campaign (as noted by the use of the same infrastructure and the same website domain registration details):



Are all those fake websites also detected and blocked by Fortinet? The answer: at this point in time they are not, as shown below with a random fake web domain related to the same campaign:
As I said before, this is just a drop in the ocean. After researching this online fraud for years, publishing a paper about "Tracking online counterfeiters", collaborating with Europol in joint operations to take down websites related to this fraud, and also unveiling massive campaigns of counterfeit-related websites, the reality is that all the past estimations from different sources about the rise of this massive and underestimated online fraud are coming true. In order to tackle this online fraud a more holistic approach is needed; the technology to do it is already available, but the only thing truly needed to cope with it is will.

As stated in the last sentence of the "Tracking online counterfeiters" paper, the ultimate ambitious goal of this research and of the desenmascara.me side project is to protect users worldwide from this massive online fraud. How could this be achieved? By having widely used technologies like SafeBrowsing or similar flag a new kind of unsafe site: FAKE websites related to online counterfeiting.

Therefore, Fortinet, I hope that we all do not fall for one of these one day.


P.S.: Unfortunately this is an underrated online fraud. This is a feature request to Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1326308 which was closed as "will not be fixed" because they did not consider the topic relevant enough to act upon it.

Sunday, 8 April 2018

RFC1918 IP Addresses in APT reports being used as IOCs by "Intelligence" providers

The title of this article was published some days ago as a tweet. Unfortunately, judging by the responses, it seems this is not such an uncommon issue:
It all started as a heads-up about a high priority incident in a sensitive environment. A watchlist that matches an internal private IP against a botnet? This incident needed confirmation, as it got escalated with urgency. As is common in this scenario when dealing with different stakeholders, the private IP being categorized as botnet was anonymized in order to protect sensitive information, but we needed that information in order to investigate further. Requesting it added time to the investigation.

Once we had the private IP details we could do some cross-checks to get the additional context needed in this scenario. The cross-checks were to verify which intelligence feed contained the private IP and then to gather the details. After some investigation we were unable to find any correlation: none of the watchlists we provide (from public and private sources around the world, including product vendors, industry experts, government agencies, professional associations, media, news groups...) contained such info. The next step was to search for the private IP in public reports, because at this point it was fairly clear what the issue was, and bingo! Anunak: APT against financial institutions, a great report released by Group-IB and Fox-IT, contained the private IP address as a C&C IP, without any additional info. This is likely a common mistake: the information provided by reverse engineers is not vetted by the intel team responsible for crafting the APT report, and this mistake is then chained by intelligence providers who do not vet the IOCs they ingest, package and then sell. It turned out the affected customer was using additional threat intelligence providers, and it was one of them that provided the private IP address as an IOC.
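A vetting step that catches the mistake described above, added here as an example (it is not code from the blog, from Group-IB/Fox-IT or from any intelligence provider): it rejects RFC1918 and other non-routable addresses from a feed before they reach a watchlist, reporting the reason and the feed each came from. The feed lines, source names and addresses below are constructed for illustration.

```python
"""Vet IP indicators before they reach a watchlist. Added example, not code from
the blog or from any vendor it names; the feed below is constructed."""
import ipaddress
NON_ROUTABLE = {reason: [ipaddress.ip_network(n) for n in nets] for reason, nets in {
    "RFC1918 private range": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "shared address space (CGNAT, RFC6598)": ["100.64.0.0/10"],
    "IPv6 unique local (RFC4193)": ["fc00::/7"],
}.items()}

# Constructed sample feed: "indicator,source" per line; '#' starts a comment.
SAMPLE_FEED = """\
10.10.3.21,vendor-apt-report    # RFC1918, copied from a lab analysis note
192.168.1.0/24,osint-paste      # RFC1918 block
100.64.0.1,osint-paste          # CGNAT
203.0.113.7,vendor-apt-report   # documentation range (TEST-NET-3)
127.0.0.1,osint-paste           # loopback
224.0.0.251,osint-paste         # multicast
fd12:3456::1,osint-paste        # IPv6 unique local
8.8.8.8,osint-paste             # routable (public resolver, placeholder only)
not-an-ip,osint-paste           # malformed line
"""

def reject_reason(net):
    """Return why net must not be a remote IOC, or None if it is routable."""
    for reason, ranges in NON_ROUTABLE.items():
        if any(r.version == net.version and net.subnet_of(r) for r in ranges):
            return reason
    for flag, reason in (("is_loopback", "loopback"), ("is_link_local", "link-local"),
                         ("is_multicast", "multicast")):
        if getattr(net, flag):
            return reason
    # Everything else IANA marks special-purpose: documentation, benchmarking, 0/8, 240/4.
    return "non-routable special-purpose range" if net.is_private else None

def vet_feed(feed_text):
    """Split a feed into (accepted, rejected) lists of (indicator, source, reason)."""
    accepted, rejected = [], []
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token, _, source = (p.strip() for p in line.partition(","))
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((token, source, "malformed indicator"))
            continue
        reason = reject_reason(net)
        (rejected if reason else accepted).append((str(net), source, reason))
    return accepted, rejected
```

Keeping the source name next to each rejected indicator is what makes it possible to report the bad entry back to the provider, the same feedback loop the MSSP advice above asks for.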

Based on The cost of bad intelligence: "Security professionals practicing threat intelligence must understand the implications of mistakes and poor analysis. Bad intelligence can and does decrease the security effectiveness of an organization."