Desenmascara.me

Luxury & Fashion brands; be aware of the online counterfeiting!: desenmascara.me

lunes, 22 de agosto de 2016

How to cope with the online counterfeiting in the right way

Based on the last OECD/EUIPO report (2016), the trade in counterfeit and pirated good amounted to up to 2.5% of world trade in 2013.

The main luxury, fashion and sports brands are being targeted online, many take some proactive measures such as trying to take down the websites affecting their brand, but it is a cat and mouse play, as new FAKE sites will pop it up like mushrooms.


But the Alexander Wang brand has set a precedent; a kind of warning to counterfeiters, as it has just won a $90 million lawsuit against 459 FAKE websites targeting their brand. It does not mean the wining brand will see some millions from this lawsuit as the FAKE sites owners did not show up in court. But the key point is that today it would be more difficult for potential Alexander Wang customers to be victims of online fraud than any other brand, as below (despite their social media efforts).






martes, 31 de mayo de 2016

Massive Ransomware campaign of compromised Joomla based sites targeting to Endesa customers

Endesa is the largest electric utility company in Spain. Recently it has been discovered a ransomware campaign using a fake invoice of a huge amount to pay, in order to trick users to verify it. A clever social engineering move.

More details and the full list of domains involved can be checked in the CSIRT-CV alert.

The interesting part of this new Ransomware campaign is that most of the domains hosting the malicious scripts are based on the popular Joomla CMS.


hxxp://endesa-clientes .com / not available
hxxp://yamg.endesa-clientes .com / not available
hxxp://www.endesa-clientes. net /not available
hxxp://ojj.endesa-clientes .com / not available
hxxp://wtde.endesa-clientes. com / not available
hxxp://y2l6.endesa-clientes. com / not available
hxxp://rogaska-crystal. com / desenmascara.me report
hxxp://itlearning. ma / not available
hxxp://nrmac. org / not available
hxxp://craferscottages. com. au / desenmascara.me report
hxxp://sigortaci .net / desenmascara.me report
hxxp://quality-managers. org / desenmascara.me report
hxxp://tendearteplast. com / desenmascara.me report
hxxp://gettingmarried .ie / desenmascara.me report
hxxp://reigjofre.com / desenmascara.me report
hxxp://tl6q.procura-italia. net / not available
hxxp://qln.myenel24. net / not available
hxxp://qln.myenel24. org / not available
hxxp://swisshalley-sale. ru / desenmascara.me report (the only old Wordpress based)
hxxp://heroes-of-the-middle-ages. ru / desenmascara.me report
hxxp://y2l6.endesa-clientes. com / not available
hxxp://securitysolutionshow. it / not available
hxxp://gov.endesa-clientes.com / not available
hxxp://asge .ru / desenmascara.me report
hxxp://ensarkarot. com / desenmascara.me report
hxxp://faam. com / desenmascara.me report
hxxp://houseofcolours.co. uk / desenmascara.me report
hxxp://ipecho. net / desenmascara.me report
hxxp://ultimchem. com desenmascara.me report

Based on the compromises sites, it seems this campaign is leveraging the critical vulnerability CVE-2015-8562.
 

martes, 24 de mayo de 2016

How to spot a FAKE website

There are several tips about how to check whether a website is FAKE or not, but all of them require 8 different manual checks or even more.

Do not wast your time: just use http://desenmascara.me to know with just 1 click whether a website is FAKE or not.

Let's take for example this website:



which was automatically flagged as FAKE by desenmascara.me



but as long as the FAKE website is online has been able to lure to dozens of unsuspected users, and counting, as you can check it out in the below blog post created by some victim to raise awareness about the aforementioned FAKE site.

https://estafadosxantionosotombt.blogspot.com.es/

"If any of the victims would have check it out previously the website address in desenmascara.me, they would have discovered that website is not safe to do business with."

" If you do not trust on a website, desenmsacaralo (unmask it) to see what is behind it "

martes, 12 de abril de 2016

Desenmascara.me has been integrated into VirusTotal's URL online scanning service

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners!

Desenmascara.me is a free online service that analyzes websites to spot mainly whether they are FAKEs (related with the online counterfeiting) or not.

https://virustotal.com/en/url/795c5a1da59e5ffb5fb510f313f734ae94092959766df9e415f948bfd3119015/analysis/


How does a FAKE website might be related with malicious content?; let me give you a bit of background to understand it.

Fake luxury goods are sold all over the Internet. There is an underground economy where a large number of globally distributed criminals trade in data, knowledge and services with the goal to defraud users and business, and this is related with the black market commoditization; a recent innovation from the fraudsters.

The underground organizations have well defined roles with inter dependencies, let's take for example; to buy and sell compromised web servers, scam hosting, exploit kits, and wholesale access to stolen user records including usernames and passwords, credit card numbers, and other sensitive personal data.



Recently Google published a post about a research related to this topic: The underground market fueling for profit abuse. The researches mapped the relations between the specialized roles in the underground economy as in the picture below.



whose explanation step by step can be viewed dinamically in this video:



Where the division of labor based on the chain of specialization is clearly represented. This underground economy is the culprit of current online threats such as fake anti-virus, ransomware, Trojan banks and any kind of commodity crimeware available out there. While reading the aforementioned research paper, the below figures called my attention:



Where IOCs for most of the threads above are usually included in the vast amount of intelligence watchlists either propietary or open source in order to do some kind of:
  • Correlation: (i.e: we need to see incident A before incident B can trigger)
  • Validation: (i.e: customers IP-space is linked to an IOC)
  • Enrichment: (i.e: To provide more context to known threats)

But for the Luxury knock-offs strategy of the profit center: Spamvertised products,  whereas the revenue numbers are even higher than in known threats such as Clickfraud or even close to the infamous Zeus, I was not aware of any kind of intelligence feed providing only such specific information.

The integration of desenmascara.me into Virustotal's URL online scanning service is about the profit center: Spamvertised products. Any FAKE website related with the online counterfeiting will be flagged as such in desenmascara.me and as suspicious in VirusTotal.

Below you can find some metrics about data desenmascara.me is collecting:
 




Dashboard with all the brands detected




Availability of FAKE sites targeting to the PRADA brand


One of the main goals of the desenmascara.me webservice is to let anyone known with just 1 click whether a website is FAKE or not. All the information collected is shared with the community through this VirusTotal integration. In addition, if you are a brand protection professional:


you would want to follow the desenmascarame twitter account (tweeting automatically each time a FAKE site is spotted and warning to the affected brand), o maybe to join the service avisame in order to get all the metadata of the FAKE website affecting to your brand.



More announcements to come.

lunes, 4 de abril de 2016

Good sites used in phishing attacks (Hacked sites)

The talk: Hard lessons learned while defending Gmail users" by Elie Bursztein, Anti-Spam and abuse research Lead @Google, provide key lessons the Gmail team learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them.

I would like to highlight the Key Challenges they will face in 2016:



I like specially the "hacked site" challenge. For them, when a site is hacked they have to react very quickly but at the same time it is very hard for them to reach those people that have been hacked. 

But what kind of good sites are being hacked?, despite of the PwnedWebsites resource to keep track of worth to mention websites which has been pwned, past statistics show revealed that legitimate websites visited by mass audiences have the highest concentration of online security threats than those pornography, pharmaceutical or gambling sites.

Remember, if you have a website you always may use desenmascara.me in order to know whether your website is an easy target for the bad guys or not.



martes, 8 de marzo de 2016

Counter-offensive tactics to bear in mind when using IOCs

Threat Intelligence indicators are not Signatures, is a great post which does show how by implementing this approach, common in Organizations, will end up with floods of False Positives.



But there is another problem on top being flooded with false positives when using threat intelligence indicators as signatures. The bad guys know the enterprises are using this approach hence they are leveraging on it with some counter-offensive tactics. For instance there are public and private intelligence feeds which are being used by enterprises and SOCs to either create alerts based on hits or to auto escalate them based on use cases. Then, what do the bad guys are doing?

  • A given IOC is malicious in a short timeframe but enough as to be catched by some feed trackers out there. Once the IOC has been included in a tracker the bad guys then point the malicious domain (IOC) to a known IP such as Google or Facebook. Time to have fun on the enterprises relying on those IOCs.
  • Changing DNS entries often (fast-flux), this is a common technique to hide the delivery sites behind an ever-changing network of compromised sites but when this technique is used by pointing the malicious domains to legitimate IPs parts of the time; time to have fun again on those enterprises leveraging those IOCs.

If you would like to stay ahead of poor Threat intelligence, take a look to these questions for evaluating an external threat intelligence source.


viernes, 26 de febrero de 2016

Must the Internet providers block sites offering counterfeit items?

Luxury brands Cartier and Montblanc won recently a U.K. court ruling that orders Internet providers to block websites selling counterfeit goods including watches and pens. [Source Bloomberg.]

While this is not the correct approach to go but instead the Prada one is the way to go. This open an interesting debate?: Must the Internet providers block sites offering counterfeit items?

Net neutrality is the key issue here. In US the FCC (Federal Communications Commission) promotes a strong Net neutrality to keep the Internet open and free with statements like below pointed out on May 2010:
The FCC introduces strong net neutrality protections that said internet service providers could not block websites or impose limits on users. In December, the FCC would go on to pass a final version, adopting their first-ever rules to regulate Internet access. [Source Whitehouse.]

In Europe, the European Commision is in charge of the Net Neutrality, but with some issues.


This is an old debate about whether the ISPs should block access or not to content such as:
  • Adult websites
  • Terrorism propaganda
  • Intelectual property infringement (a.k.a: FAKE websites)

Now with news like those pointed out at the beginning of this article the debate is open:

 Must the Internet providers block sites offering counterfeit items?


What is your position on this matter?


Disclaimer: All the websites requested to be block by Cartier and Montblanc are available on the private desenmascara.me feed.