Desenmascara.me

Luxury & fashion brands: beware of online counterfeiting! desenmascara.me

Monday, 19 August 2019

How to prevent Business Email Compromise (BEC) fraud?

Or, in Spanish: how to prevent CEO fraud.

Last year the FBI published an alert pointing out that BEC fraud losses exceeded $12 billion globally.
The report was based on data collected by the FBI's Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money that was actually lost by victims and money they could have lost had they taken the bait.

Many of these attacks are skillfully crafted. Criminals lurking on websites and social media can uncover plenty of information for fine-tuned spear-phishing emails: who the suppliers are, what the management structure is, who is receiving new business pitches or expansion plans, etc. Executive travel plans are particularly useful for scenarios like this, since the urgency of a task can be inflated from abroad: "I'm in Singapore and we need to make a payment ASAP to this supplier or we risk losing it. Don't delay - please wire these funds immediately."

How could this fraud be prevented?

  1. Train your leadership, especially in finance, about the risks associated with this kind of attack, methods of detection and manual authentication.
  2. Methods of detection include being vigilant about:
    • Pressure and a sense of urgency
    • Unusual requests that contradict internal procedures
    • Typosquatted domains similar to your company's (@R0CHE.COM instead of @ROCHE.COM)
  3. Use DMARC. Domain-based Message Authentication, Reporting & Conformance is an email authentication, policy and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author ("From:") domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

You can check whether your organization has DMARC in place just by typing the domain part of your mail address into this resource.

DMARC compliance check for the gmail.com domain

Basically, DMARC is a technology that allows you to confirm whether an email is from the organization it claims to be from. This technology will not help you in cases where the corporate email has been compromised and the attacker has full access to the mail account of the person in finance. Obviously that approach requires much more effort from the attacker.
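The two checks above (DMARC evaluation of the From: domain, and spotting a typosquatted sender domain) as an added Python example that is not code from the post. The ROCHE.COM / R0CHE.COM pair comes from the text; every DMARC record, address and message below is constructed.

```python
"""BEC triage on one inbound message: evaluate DMARC for the From: domain and
flag lookalike sender domains. Added example, not code from the post: the
ROCHE.COM / R0CHE.COM pair comes from the text above, every other record and
address below is constructed."""

# Constructed map of digits commonly swapped in for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.

    Returns None when the text is not a usable DMARC record (wrong version or
    no p= tag), which callers treat like 'no DMARC published'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels.

    Production code should consult the Public Suffix List (think .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment between an authenticated domain and From:.

    "s" (strict) needs an exact match; "r" (relaxed, the default) accepts the
    same organizational domain, so mail.roche.com aligns with roche.com."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """"pass" if SPF or DKIM passed *and* aligns with From:, else the policy
    (none / quarantine / reject) the domain owner requested.

    spf_domain and dkim_domain are the domains that passed that mechanism, or
    None when it failed or was absent."""
    if aligned(spf_domain, from_domain, record.get("aspf", "r")):
        return "pass"
    if aligned(dkim_domain, from_domain, record.get("adkim", "r")):
        return "pass"
    return record["p"].lower()


def lookalike(sender_domain, own_domain):
    """True when the sender domain is not ours but collapses onto ours after
    confusable normalisation, e.g. r0che.com vs roche.com."""
    sender, own = sender_domain.lower(), own_domain.lower()
    return sender != own and sender.translate(CONFUSABLES) == own.translate(CONFUSABLES)


def triage(msg, dmarc_txt, own_domain):
    """Run both checks on one message and return a list of findings.

    msg: {"from_domain", "spf_domain", "dkim_domain"}; dmarc_txt: the TXT record
    found at _dmarc.<from_domain>, or None when nothing is published."""
    findings = []
    record = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if record is None:
        findings.append("no-dmarc")
    else:
        findings.append("dmarc-" + dmarc_disposition(
            record, msg["from_domain"], msg.get("spf_domain"), msg.get("dkim_domain")))
    if lookalike(msg["from_domain"], own_domain):
        findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    own = "roche.com"
    # Spoofed From: roche.com relayed from attacker infrastructure: p=reject catches it.
    spoof = {"from_domain": "roche.com", "spf_domain": "attacker.example", "dkim_domain": None}
    print(triage(spoof, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com", own))
    # Typosquat r0che.com with its own valid SPF: DMARC passes, only the lookalike check fires.
    typo = {"from_domain": "r0che.com", "spf_domain": "r0che.com", "dkim_domain": None}
    print(triage(typo, "v=DMARC1; p=none", own))
```

The second case is the limit the post points at: a typosquatted domain the attacker owns can publish perfectly valid SPF and DMARC, so DMARC stops your own domain from being spoofed but says nothing about lookalikes.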

Since June 2016, the Global Cyber Alliance (GCA) has been working to accelerate adoption of DMARC through advocacy, by providing a set of easy-to-use tools and campaigns to drive deployment. GCA also measured the economic impact in this report. The benefits of deploying DMARC in your company are clear. What are you waiting for?


Wednesday, 7 August 2019

Criminal activity involving counterfeiting and the professionalised organized crime networks

Recently, the first EU-wide intellectual property crime threat assessment from Europol and the European Union Intellectual Property Office (EUIPO) was published. Press release by Europol.



The report contains 40 pages of insights into criminal activity involving counterfeiting and the professionalised organised crime networks, which can reap large profits while running relatively few risks. It was created with EU-wide data and strategic intelligence analysis.

Below are the main points I would highlight from this report:

Metrics related:
  • In 2016, up to 6.8 % of EU imports constituted counterfeit and pirated goods, amounting to as much as EUR 121 billion. Compared to 5 % in 2013, this is a sharp increase in three years.
  • The economic impact of counterfeit clothing and personal accessories is particularly high. It is estimated that counterfeiting causes losses of around EUR 26 billion per year to the clothing, footwear and accessories sector and around EUR 2 billion a year to the jewellery and watches sector in the EU.


Facts related:
  • Although shipment of counterfeit goods to the EU still occurs largely in bulk by freight transport, in recent years there has been a strong increase in express transport. This sharp growth in trade via small parcels is related to the growth in online marketplaces selling counterfeit goods.
  • Besides the traditional luxury items, a wide range of everyday goods are targeted by counterfeiters. This includes cosmetics, electronic components, food and drinks, pesticides, pharmaceuticals, tobacco products, toys and vehicle parts.
  • A growing number of counterfeit pharmaceuticals are detected in small parcels, facilitated by a continuous expansion of unauthorised and unregulated online pharmacies.
  • The market for counterfeit goods remains highly profitable, providing criminals with opportunities to generate huge profits while running few risks. Most criminal activity involving counterfeiting is undoubtedly performed by organised crime groups and there appears to be an overall professionalisation of these groups.
  • Counterfeiting and piracy are lucrative criminal activities, while at the same time generating relatively low detection risks.
  • Several EU Member States have in recent years decreased their focus on fighting IP crime, in favour of other criminal activities that are deemed more serious and harmful, such as drugs trafficking, migrant smuggling, trafficking in human beings, and terrorism.
  • Online marketplaces are increasingly becoming an important source of income for criminal groups engaged in the sale of counterfeit and pirated goods.
  • In a series of studies conducted by the EUIPO over the last few years, the direct annual losses of 13 market sectors that are particularly vulnerable to counterfeiting have been estimated. Collectively, these sectors lose EUR 60 billion a year, or 7.5 % of their total sales.
  • However, despite the large number of counterfeit clothes and shoes that are sold online, they are also still commonly sold on the streets of certain cities and in popular tourist areas.
  • A particularly worrisome development is that some of the jihadist terrorist attacks in the EU in recent years were partially financed by selling counterfeit clothing and shoes, although the most prominent example of this already stems from 2015. The Kouachi brothers, responsible for the terrorist attack on the Charlie Hebdo office, had been involved in selling counterfeit sports shoes. They had paid for the shoes via international payment services and imported them via parcel service from China.
  • Other criminal acts that are commonly committed by counterfeiting organised crime groups are excise fraud and VAT fraud.
  • Criminals are increasingly offering counterfeit goods through social media networks using specific URLs that can be hard to identify by law enforcement authorities.
  • A common modus operandi for online counterfeiters is to re-register previously used legitimate domain names, also referred to as cybersquatting. Domain names that have previously been used for a wide variety of purposes, including those used by commercial businesses, embassies or politicians, are systematically re-registered to operate as e-shops selling counterfeit goods. This reuse of legitimate websites ensures consistent internet traffic towards these e-shops.

Security related:

  • While consumers are attracted to these kinds of websites by the free content they can find there, in many cases these same websites are used to target exactly those types of consumers with phishing attempts or the dissemination of malware. It is estimated that one in four persons who stream illegally through a box or stick are affected by a virus or malware. Different kinds of malware and potentially unwanted programmes (PUPs) have been found on suspected websites sharing copyright-infringing content for free, which use deceptive techniques and social engineering to trick consumers into sharing sensitive personal information or even payment card details. This includes many PUPs for the Android OS, reflecting the growing popularity of mobile devices.


Monday, 10 June 2019

Captchas being used by online counterfeiters to protect their FAKE websites


This is a new technique spotted by desenmascara.me. After digging a bit into why some FAKE websites from different brands were not being flagged as such by desenmascara.me, I stumbled upon this new technique.

Captchas are mainly used as a security check to ensure that only human users can pass through; they are usually found in form submissions or online tools to prevent bots or any automated misuse.


Desenmascara.me now includes a new check to bypass this "protection" recently implemented by the online counterfeiters on their FAKE websites.


I keep improving desenmascara.me with the goal of becoming the only URL engine able to spot any kind of FAKE website related to counterfeiting. If you have any tips or feedback to improve this online service, please let us know. Many thanks!

Monday, 3 September 2018

Desenmascara.me at Black Hat USA Arsenal 2018

Last month the Black Hat 2018 conference took place in Las Vegas.


I had the great opportunity to demo the web tool to track online counterfeiters: desenmascara.me



Though I had already presented the tool at Black Hat Europe in Amsterdam around 3 years ago, this conference was totally different, in the way that only Americans know how to do: great shows!!

Photo courtesy of Azeria

I must admit I was a bit overwhelmed by this great conference, and I missed a lot of talks and events I would have liked to attend, because they took place at the same time and I had the hurdle of preparing the presentation/demo. Anyhow, this is what experience is for; for the next editions I will organize my schedule and must-go talks better.

I was thrilled to have the opportunity of presenting my side project to track online counterfeiters in such a remarkable environment. Many thanks to the Arsenal organizers for what seems to have been the biggest edition of Arsenal tools!!


Friday, 4 May 2018

Advanced security analytics approaches


This is a live post which I will keep updating for my own reference.

  • Signature-based approaches are the oldest and most common approaches to detecting security intrusions within a networked computing environment.
  • Behavioral analytics: a branch of business analytics where known patterns are applied to discover malicious behavior.
  • Anomaly detection: also known as outlier detection, uses statistical profiling to build a historical baseline. It alerts on deviations from established baselines that match a potential attack vector.
  • Cross-device correlation: also known as event correlation, refers to a technique where an IDS alert can be correlated with a huge number of firewall alerts to pinpoint the events that are really important in a scenario where a massive number of alerts take place.
  • Kill-chain detection: an intrusion-based methodology that allows one to focus on the different stages of an attack. This methodology was developed by Lockheed Martin.
  • Integrated threat intelligence: this might be similar to the signature-based approach, but more agile and supported through industry partnerships. It looks for known bad actors by leveraging global threat intelligence from multiple and disparate feeds.

Every approach has the goal of catching either suspicious or malicious activity. The ideal catch (and also the most complicated) would be an abstract set of behaviors that an adversary is using: based on David Bianco's Pyramid of Pain diagram, that is the adversary's tactics, techniques and procedures (TTPs). This is the ideal detector according to Red Canary's detection engineering team.
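The cross-device correlation approach from the list above, as an added Python example that is not from the post: constructed IDS and firewall events (documentation-range IPs, invented signature names) are joined on source IP inside a time window, and each IDS alert is prioritised by the firewall activity that corroborates it.

```python
"""Cross-device correlation: enrich each IDS alert with the firewall activity of
the same source IP inside a time window. Added example on constructed events;
the signature names, IPs and timestamps are illustrative, not real detections."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges, not real traffic).
IDS_ALERTS = [
    {"ts": "2018-05-04T10:00:05", "src": "203.0.113.7", "sig": "SCAN inbound port sweep"},
    {"ts": "2018-05-04T10:20:00", "src": "198.51.100.9", "sig": "WEB SQL injection attempt"},
]
FW_EVENTS = [
    {"ts": "2018-05-04T09:59:58", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 21, "action": "deny"},
    {"ts": "2018-05-04T09:59:59", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 23, "action": "deny"},
    {"ts": "2018-05-04T10:00:00", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 3389, "action": "deny"},
    {"ts": "2018-05-04T10:00:02", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 443, "action": "allow"},
    {"ts": "2018-05-04T10:00:07", "src": "203.0.113.7", "dst": "10.0.0.6", "dport": 22, "action": "deny"},
    # Same source an hour and a half later: outside the window, must not be counted.
    {"ts": "2018-05-04T11:30:00", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 80, "action": "allow"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(ids_alerts, fw_events, window=timedelta(minutes=5), min_denies=3):
    """For every IDS alert, collect firewall events from the same source within
    +/- window and derive a priority:
      high   - at least min_denies denies AND at least one allowed connection
               (a noisy source that also reached something)
      medium - only one of the two conditions holds
      low    - neither (a lone IDS hit with no corroborating firewall activity)
    """
    by_src = defaultdict(list)
    for ev in fw_events:
        by_src[ev["src"]].append(ev)
    results = []
    for alert in ids_alerts:
        t = parse_ts(alert["ts"])
        related = [ev for ev in by_src.get(alert["src"], ())
                   if abs(parse_ts(ev["ts"]) - t) <= window]
        denies = sum(1 for ev in related if ev["action"] == "deny")
        allowed = sorted({(ev["dst"], ev["dport"]) for ev in related if ev["action"] == "allow"})
        if denies >= min_denies and allowed:
            priority = "high"
        elif denies >= min_denies or allowed:
            priority = "medium"
        else:
            priority = "low"
        results.append({"sig": alert["sig"], "src": alert["src"], "denies": denies,
                        "allowed_targets": allowed, "priority": priority})
    return results


if __name__ == "__main__":
    for r in correlate(IDS_ALERTS, FW_EVENTS):
        print(r["priority"], r["src"], r["sig"], "denies=%d" % r["denies"], r["allowed_targets"])
```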



However, regardless of the approach used, the truth is that within MSSP environments (with an overwhelming number of security alerts) a huge amount of time and resources is wasted processing useless security alerts, which often either reduces the sensitivity of security personnel or leads them to ignore alerts altogether. What would be the best solution? That is a hard question; while innovative approaches to avoid the pitfalls of alert fatigue and other SOC challenges, such as SOCless detections, might be suitable for some environments, they are not intended for MSSP environments. The best advice I have ever seen in this area to improve MSSP capabilities is this:
I had countless conversations with organizations complaining about the false positives sent by the MSSP. But it’s impressive how many of them are not prepared to report back those events to the provider in a way that would allow them to tune their systems and avoid a similar occurrence in the future. This is a recurrent theme in this document: You MUST WORK WITH THE MSSP, not expect them to figure everything out alone.
Augusto Barros, Research VP at Gartner.



But obviously, talking about security alerts without having an incident response plan in place is fruitless. Some companies contract MSSP services just as a checkbox, where every security alert escalated, regardless of its accuracy, goes into a black hole. This might be due either to a lack of security awareness within the company (lack of a CISO role) or to budgetary reasons. In the latter case, usually the IT personnel cannot cope with security-related work, again either due to an excessive workload or a lack of knowledge. The optimal situation would be a company with a security incident response plan in place (see NIST 800-61):

Incident response phases defined in NIST 800-61

In such an optimal situation, a company whose security service is provided by an MSSP knows what to do and how to act (through defined playbooks) on every security alert it receives from the MSSP.

A mini-paper released recently: Improving security incident quality in SOCs with resolution categories.

Related external links:
https://www.sans.org/reading-room/whitepapers/infosec/detecting-preventing-attacks-earlier-kill-chain-36230
https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
https://redcanary.com/blog/common-siem-issues/


Tuesday, 17 April 2018

Fortinet I hope that we all do not fall for one of these one day

This post by Fortinet caught my attention: You will fall for this one day. I could not believe that a CTF player was the victim of a counterfeit-related website shown through an ad on Facebook. It is not my intention to blame the victim but rather to highlight that if a technically savvy person can be lured by online counterfeiters, the chances of an average Internet user avoiding this fraud are quite low.


The article is quite good at describing how these scams usually work and the tactics of online counterfeiters regarding a carefully chosen website name, as described in the Tracking online counterfeiters paper, in order to lure their victims.

Also to my surprise, near the conclusion of the article I could read the bold sentence of the paragraph below:


The CTF player reported the website to the affected brand, Salomon in this case. This is a good action on their side, but it is a drop in the ocean. The desenmascara.me project, through its Twitter account, has so far alerted 142 different brands around 10,000 times about being affected by online counterfeiters. The number of counterfeit websites detected by this side project is higher, but due to Twitter API restrictions not all detected websites are automatically tweeted.

But the article had more surprises regarding Fortinet's approach to coping with this fraud:


While it is great to see some security vendors taking into account these kinds of fake websites luring users, the "phishing" categorization might not be accurate enough to highlight this massive online fraud. As pointed out in the mentioned paper "Tracking online counterfeiters", a specific categorization for this specific fraud would help to raise awareness among users and also to create alliances with other stakeholders to fight it. But this is a not-so-easy battle, as even Kaspersky calls it phishing. The reality behind such counterfeit-related websites is that phishing is rarely the goal; instead they are a profit center through which victims transfer new capital into the underground, and as a profit center, all the pieces of this ecosystem must work properly:



Also, claiming that FortiGuard customers are protected from this scam because the website has been classified and blocked is a valid (but weak) point to show value over other vendors not able to recognize this online fraud:



But the reality is that a wider approach is needed to cope with this massive online fraud. Just as an example taken from the fake website being blocked by Fortinet, www.salocc.com:
there are dozens of additional fake websites which belong to the same counterfeit campaign (as shown by the use of the same infrastructure and website domain registration details):



Are all those fake websites also detected and blocked by Fortinet? The answer: at this point in time they are not, as shown below with a random fake web domain related to the same campaign:


As I said before, this is just a drop in the ocean. After researching this online fraud for years (publishing a paper about "Tracking online counterfeiters", collaborating with Europol in joint operations to take down websites related to this fraud, and also unveiling massive campaigns of counterfeit-related websites), the reality is that all the past estimations from different sources about the rise of this massive and underestimated online fraud are coming true. In order to tackle this online fraud a more holistic approach is needed; the technology to do it is already available, but the only thing truly needed to cope with it is will.

As stated in the last sentence of the "Tracking online counterfeiters" paper, the ultimate, ambitious goal of this research and the desenmascara.me side project is to protect users worldwide from this massive online fraud. How could this be achieved? By having widely used technologies like Safe Browsing or similar flag a new kind of unsafe site: FAKE websites related to online counterfeiting.

Therefore, Fortinet, I hope that we all do not fall for one of these one day.


P.S.: Unfortunately this is an underrated online fraud. This is a feature request to Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1326308, which was closed as "will not be fixed" because they did not consider the topic relevant enough to act upon.

Sunday, 8 April 2018

RFC1918 IP Addresses in APT reports being used as IOCs by "Intelligence" providers

The title of this article was published some days ago as a tweet. Unfortunately, judging by the responses, it seems this is not such an uncommon issue:


It all started as a heads-up about a high-priority incident in a sensitive environment. A watchlist that matches an internal private IP against a botnet? This incident needed confirmation, as it got escalated with urgency. As is common in this scenario, dealing with different stakeholders, the private IP being categorized as botnet was anonymized in order to protect sensitive information, but we needed that information in order to investigate further. Requesting it added time to the investigation.

Once we had the private IP details we could do some cross-checks to get the additional context needed in this scenario. The cross-checks were to verify which intelligence feed contained the private IP and then to gather the details. After some investigation we were unable to find any correlation: none of the watchlists we provide (from public and private sources around the world, including product vendors, industry experts, government agencies, professional associations, media, news groups...) contained such information. The next step was to look for the private IP in any public report, because at this point it was fairly clear what the issue was, and bingo!! Anunak: APT against financial institutions is a great report released by Group-IB and Fox-IT, and it contained the private IP address as a C&C IP without any additional information. This is likely a common mistake: the information provided by reverse engineers is not vetted by the intel team responsible for writing the APT report, and then this mistake is chained by intelligence providers who do not vet the IOCs they ingest, package and then sell. It turns out the affected customer was using additional threat intelligence providers, and it was one of them who provided the private IP address as an IOC.

Based on The cost of bad intelligence: "Security professionals practicing threat intelligence must understand the implications of mistakes and poor analysis. Bad intelligence can and does decrease the security effectiveness of an organization." 
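A vetting step for IP indicators before they reach a watchlist, the check whose absence the story above describes. Added Python example, not code from the post or from any vendor: the sample feed is constructed, with 8.8.8.8 (a well-known public resolver) standing in for a genuinely routable indicator.

```python
"""Vet IP indicators before ingesting them into a watchlist: reject addresses
that can never identify an attacker on the internet (RFC1918, loopback,
link-local, multicast, documentation ranges). Added example; the sample feed
below is constructed and the only real address, 8.8.8.8, is a well-known
public resolver used purely as a routable placeholder."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed feed mimicking the mistake in the post: a private "C&C" address
# copied from a report without anyone checking whether it is even routable.
SAMPLE_FEED = ["10.7.53.2", "203.0.113.5", "127.0.0.1", "8.8.8.8",
               "not-an-ip", "192.168.0.0/16", "fe80::1", "224.0.0.1"]


def classify(indicator):
    """Return (accepted, reason) for a single IP or CIDR indicator."""
    try:
        net = ipaddress.ip_network(indicator.strip(), strict=False)
    except ValueError:
        return False, "not an IP address or CIDR"
    addr = net.network_address
    # RFC1918 first and explicitly: this is the exact class of the Anunak mistake.
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return False, "RFC1918 private range: cannot be an internet C&C"
    if addr.is_loopback:
        return False, "loopback"
    if addr.is_link_local:
        return False, "link-local"
    if addr.is_multicast:
        return False, "multicast"
    if addr.is_unspecified:
        return False, "unspecified address"
    # Catches documentation ranges such as 203.0.113.0/24, shared address
    # space, future-use blocks: all unusable as attacker infrastructure.
    if addr.is_private or addr.is_reserved or not addr.is_global:
        return False, "special-purpose range (documentation, shared, reserved)"
    return True, "routable"


def vet_iocs(feed):
    """Split a feed into accepted indicators and rejected ones keyed by reason."""
    accepted, rejected = [], {}
    for ioc in feed:
        ok, reason = classify(ioc)
        if ok:
            accepted.append(ioc)
        else:
            rejected[ioc] = reason
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = vet_iocs(SAMPLE_FEED)
    print("accepted:", result["accepted"])
    for ioc, reason in result["rejected"].items():
        print("rejected: %-18s %s" % (ioc, reason))
```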










Wednesday, 28 February 2018

Invited to talk at Europol about desenmascara.me

Last week I had the opportunity to participate in the IOS IX kick-off meeting held at the Europol HQ in The Hague (The Netherlands).



IOS stands for operation In Our Sites, a joint global recurrent operation first implemented in 2014 which has since grown significantly. The eighth edition of this global operation, in 2017, saw a wide range of anti-counterfeiting associations and brand owner representatives join law enforcement authorities in this huge worldwide action, to facilitate international cooperation and support the countries involved in this initiative. In fact the outcome of the last edition was: The biggest hit against online piracy: over 20,520 domains seized for selling counterfeits.

I had the opportunity to participate in the ninth edition by presenting the online tool http://desenmascara.me as a tool to help:

  1. users (as a one-stop shop to check whether a website is related to counterfeiters or not)
  2. brands (by providing the intelligence gathered through users' input)
  3. LEAs (through cooperation, using the intel acquired to dismantle the organized groups behind this online fraud).

The overall goal was to build trust in using the desenmascara.me tool as an OSINT tool to gather fresh counterfeit-related websites from hundreds of different brands.

I really enjoyed participating in this kick-off meeting, acquiring new knowledge and making great contacts.

If you have any question regarding the use of desenmascara.me please do not hesitate to drop me an email or send it through the contact form of the website.

Happy online counterfeiting hunting.


Tuesday, 6 February 2018

Who is behind those FAKE WhatsApp campaigns supposedly giving away Nike shoes and the like for free?

Update 1: I submitted all this information to Facebook so they might take some "action" against those responsible for this fraud and to signal that they do not allow their infrastructure to be abused to lure their users, but apparently they do not care much about these actors. This was their response:

Hello Emilio,
We are aware of homograph URLs and the potential risks they pose. We have automated systems in place to detect and prevent abusive/malicious domains/URLs. What you're describing is a social engineering attack against people, which is not in scope for our program.
Thank you for contacting Facebook,

Update 2: A similar campaign in France targeting Air France.


Today is Safer Internet Day. It is a European initiative which has grown beyond its traditional geographic zone and is now celebrated in approximately 130 countries worldwide with the support of many stakeholders.



Some supporters of SID



Meanwhile, on WhatsApp we still receive messages like the one in the picture below:

English translation: Nike will give away 5000 pairs of shoes for free due to its 55th anniversary. Get your shoes for free at: .... )

Fake Nike promotion in Spanish language


Fake Nike promotion in Italian language



Luring any user who clicks on the link above (notice the KOI-7 encoding of nike.com; this is known as a homograph attack) through the redirection below:


then ending up with a survey like the one below, hosted on a recently created domain (3 days old and a risk score of 100 according to DomainTools) and whose analysis in VirusTotal is NOT flagged by any commercial vendor.




Any unsuspecting user will fill in the survey, which consists of 4 basic questions. Afterwards, a prerequisite to receive the free shoes is to share the message through WhatsApp with 20 of your friends. The ball keeps growing.



The user then clicks on the WhatsApp button to share the message. Once the message has been shared with their contacts, they are redirected to another site (bye bye Nike shoes :( )

The above redirection makes sure we are arriving from the previous WhatsApp campaign (as this is a referral marketing network; otherwise a different site is presented). As we are arriving from the fake Nike WhatsApp promotion, we are now presented with the site below:




Now the user still willing to get the promised Nike shoes will fill in the above form with their personal data. But here the interesting part (as always) is in the small print: by clicking on Patrocinadores (Sponsors) we see the text below:


where there are quite a few companies from different sectors willing to sink their teeth into your personal data:





and here finally we get an email address responsible for this "fake" campaign, so you now have an address to write to in case you have not received your promised Nike shoes:




or a postal address to write to them:




Interestingly, the domain greenflamingopromotions.com was also recently created, some months after the business was set up, under an anonymous WHOIS provider and hosted in Russia:

Correlating data with the DomainTools tool Iris


If we pivot over any IP address related to the domain to take a look at the passive DNS information, we can see the malicious history of domains hosted on such IPs (most of them under the TLDs .review and .win). There are hundreds of different random domains created recently with the sole purpose of hosting fake marketing campaigns to be spread like wildfire through social networks, like the current one:


PassiveDNS information extracted with VirusTotal


Below are some of the businesses for which this entity will collect your personal data for their commercial purposes through fake campaigns like this one:








and so on; we could keep giving out personal data for free to these companies for a while:






The key factor here is that those companies are not the culprits; the intermediary agencies like Green Flamingo Promotions and the like, who are using these tactics to do their business, are: collecting your personal and private information in order to sell it.

There is no need to spell out how greedy these companies might be in collecting your data in order to sell you their services. Just bear in mind that even with data that you are not giving away but disclosing through the kind of devices you are connecting from, correlated with data collected through the previous dubious campaigns, they may infer even your social class.


Today is Safer Internet Day, so keep your data private, or at least do not fall for fake campaigns like these. You have been warned!!
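The homograph link the campaign above relied on is the kind of host the following check is built to catch: decode the punycode, flag labels that mix scripts, and compare a confusable-normalised skeleton against brands we protect. Added Python example, not code from the post: the lookalike host (nike.com with a Cyrillic і) and the protected-brand list are constructed, the latter just naming the two brands mentioned in the post.

```python
"""Spot IDN homograph hosts like the lookalike nike.com link in the campaign
above: decode punycode, detect mixed scripts in a label and compare a
confusable-normalised skeleton against brands we protect. Added example: the
sample host is constructed and the protected list only names the two brands
mentioned in the post."""
import unicodedata

# Constructed map of Cyrillic letters to the Latin letters they resemble.
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})
PROTECTED = {"nike.com", "airfrance.fr"}

# Constructed lookalike: Latin "nike" with a Cyrillic i (U+0456) in place of i.
FAKE_HOST = "n\u0456ke.com"


def decode_host(host):
    """Return the Unicode form of a host: punycode labels (xn--) are decoded,
    plain ASCII passes through, and hosts already in Unicode are kept as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def scripts_in(label):
    """Unicode scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Collapse confusable Cyrillic letters onto Latin so lookalikes compare equal."""
    return host.lower().translate(CYRILLIC_CONFUSABLES)


def homograph_check(host):
    """Findings for one host given in punycode or Unicode form."""
    unicode_host = decode_host(host)
    # A single label drawing on two scripts is the classic homograph signature.
    mixed = any(len(scripts_in(label)) > 1 for label in unicode_host.split("."))
    skel = skeleton(unicode_host)
    impersonates = skel if skel in PROTECTED and skel != unicode_host.lower() else None
    return {"host": unicode_host, "mixed_script": mixed,
            "skeleton": skel, "impersonates": impersonates}


if __name__ == "__main__":
    punycode = FAKE_HOST.encode("idna").decode("ascii")  # what the wire and the browser see
    print(punycode, "->", homograph_check(punycode))
    print(homograph_check("nike.com"))
```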

Saturday, 3 February 2018

How to uncover a massive campaign of counterfeit-related websites with just an e-mail address

Disclaimer: Thanks to my side project desenmascara.me I reached an agreement with DomainTools to use their commercial tools to research new ways of leveraging them to gather additional intel around the online counterfeiting fraud. This is an example of a small piece of research whose outcome was a massive campaign of counterfeit-related websites. A more formal article can be found on the DomainTools blog.

In the context of online counterfeiting, there are four classes of domain that warrant discussion:
  • Counterfeiter-registered domains
  • Free-hosting based
  • Legitimate but compromised
  • Expired domains

In order to know more about each type you can take a look at the SANS paper "Tracking online counterfeiters". For the purpose of this article I will focus on the first type, only to later find a massive campaign of counterfeit websites of different types.

A counterfeiter-registered domain might be, for example: http://www.pradaus.com (active while writing this article)


Figure 1: Counterfeit-related website www.pradaus.com


This involves the online counterfeiters using any provider to register the domain in the conventional sense. Unfortunately, WHOIS data can still be spoofed. In fact, if the counterfeiter was never going to need to manage the domain again, he could use a false e-mail address. This scenario mostly applies to bad guys registering C2 domains, but is usually not the case for counterfeit-related websites, as in the above case:


Figure 2: Legitimate mail address used to register the counterfeit-related website www.pradaus.com



Another consideration is that registration services often sell privacy/protected registration as a service. In those cases, only the privacy service and the registrar have the information provided by the registrant, who registers a domain on behalf of someone else and then transfers it to them shortly thereafter. In those cases (also mostly seen in C2 domain registrations) the initial registration would be the intermediary, and the registrant data may be updated later to reflect the actual domain owner. This is something you can easily set up as an alert in DomainTools to keep track of, as in the example below of a counterfeit-related website handing over the domain's ownership:



Figure 3: Registrar domains extracted with DomainTools.com


With the side project desenmascara.me I usually keep track of how counterfeit-related websites are maturing. Immersed in these tasks I was investigating the domain http://www.123australian.com because, despite showing all the signs of a counterfeit-related one, the online tool http://desenmascara.me was not able to analyze it due to some kind of blocking countermeasures on the counterfeit domain's server side.



Figure 4: Registered domains extracted with DomainTools.com


The same behavior was shown by the domain http://111MediaGroup.com; in this case the domain was manifestly a copycat of Adidas, but in Danish.

Figure 5: Registered domains extracted with DomainTools.com



Based on the public WHOIS data observed I started to suspect something: the name server of both domains is the same, they have also been recently created, and the registration emails seem random but are under the same domain, yeah.net (a China-based company).

Both pictures, figure 3 and figure 4, were extracted with the free DomainTools WHOIS lookup tool. On the other hand, Iris is a tool that gives you additional insights while investigating any kind of online fraud. In this case, by using Iris to investigate these 2 domains further, I found a massive and fresh campaign of around 50,000 counterfeit-related websites!! all in less than 5 minutes.

Let's see the step-by-step process:

1. With valid DomainTools credentials we access the Iris service:

Figure 6: Iris main website

2. We type the IOC we would like to investigate further, in this case: 111mediagroup.com

  Figure 7: Web domain being investigated with the Iris tool

3. In the email section we see the same email addresses as shown in the public WHOIS lookup tool plus two additional mail addresses. Right-click on any of these fields and we can see the number of additional domains registered under them. When pivoting over the random mail address based on the yeah.net domain it shows the text "no other domains share this value", but when we pivot over the mail address yinchu4c@163.com, as seen in figure 8:



  Figure 8: Pivoting over an Indicator ( web mail address )

4. We see that 53,361 domains share this value. Let's check them out. In order to do so we click on "Narrow Search" and in the top menu we see a new tag with this field, as shown below in figure 9:


  Figure 9: Multitag search (web domain and web mail address)


5. Now we remove the domain tag in order to extract all the information related "only" to this email address, and then we notice the surprise:

  Figure 10: Iris search with a key indicator ( web mail address )

53,679 fresh counterfeit-related domains found!! A quick random verification shows us that all are counterfeit-related websites targeting a huge number of brands, under domains which belong to many different TLDs, especially .com, .de and .top.

Let's take a look at some of them as examples under the different TLDs.

Counterfeit-related website targeting the New Balance brand: 122ratto.com

  Figure 11: Counterfeit-related website



Multibrand counterfeit-related website: 0entropie.de

  Figure 12: Counterfeit-related website

Multibrand counterfeit-related website: a1ecosolutions.co.uk

  Figure 13: Counterfeit-related website


Counterfeit-related website targeting the Reebok brand: reebokclassic.es

  Figure 14: Counterfeit-related website


Multibrand counterfeit-related website (car parts, toys, electronics...): aamumalls.top

  Figure 15: Counterfeit-related website


Multibrand counterfeit-related website: aan-massage.nl

  Figure 16: Counterfeit-related website


Multibrand counterfeit-related website: 10sharks.org

  Figure 17: Counterfeit-related website



"All the information collected here has been sent along to Europol as part of the IOS program to fight the trade of counterfeit products online."

Update: After some days, the indicator yinchu4c@163.com keeps registering new counterfeit-related domains; as I write this update (some days after writing the original article) the number of domains related to this counterfeit actor is 55,048. That is 1369 new counterfeit-related domains registered within a few days by the same actor.
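The registrant-e-mail pivot of steps 1 to 5, the registrant hand-over alert mentioned earlier in the post, and the "new domains since last time" count of this update, reduced to code over two constructed WHOIS snapshots. Added Python example, not DomainTools code or data: every domain, name server and e-mail address in it is a placeholder.

```python
"""Pivot on a registrant e-mail across two WHOIS snapshots, as the Iris
'Narrow Search' steps above do by hand, and alert on registrant hand-overs.
Added example: both snapshots are constructed records with placeholder
domains and e-mail addresses, not DomainTools data."""
from collections import Counter
from datetime import date

ACTOR = "actor-placeholder@mail.invalid"  # the pivot indicator (constructed)

# Constructed snapshot at the time of the original article.
SNAPSHOT_1 = [
    {"domain": "shoe-outlet-a.com", "email": ACTOR, "ns": "ns1.dns.invalid", "created": "2018-01-21"},
    {"domain": "taschen-b.de", "email": ACTOR, "ns": "ns1.dns.invalid", "created": "2018-01-22"},
    {"domain": "sneakers-c.es", "email": ACTOR, "ns": "ns1.dns.invalid", "created": "2018-01-25"},
    {"domain": "random-d.com", "email": "x7q2@yeah.invalid", "ns": "ns1.dns.invalid", "created": "2018-01-20"},
    {"domain": "handbags-e.com", "email": "privacy@proxy.invalid", "ns": "ns.other.invalid", "created": "2017-11-02"},
]
# Constructed snapshot a few days later: two new registrations by the same
# actor plus one hand-over from a privacy proxy to the actual registrant.
SNAPSHOT_2 = SNAPSHOT_1[:4] + [
    {"domain": "handbags-e.com", "email": "owner@mail.invalid", "ns": "ns.other.invalid", "created": "2017-11-02"},
    {"domain": "bagsale-f.top", "email": ACTOR, "ns": "ns1.dns.invalid", "created": "2018-02-01"},
    {"domain": "sports-g.top", "email": ACTOR, "ns": "ns1.dns.invalid", "created": "2018-02-03"},
]


def pivot_email(records, email):
    """All records registered with `email` (the 'Narrow Search' on one indicator)."""
    return [r for r in records if r["email"].lower() == email.lower()]


def cluster_summary(records, email):
    """Size, TLD spread, creation window and name servers of the cluster behind `email`."""
    cluster = pivot_email(records, email)
    if not cluster:
        return None
    created = sorted(date.fromisoformat(r["created"]) for r in cluster)
    return {
        "count": len(cluster),
        "tlds": dict(Counter(r["domain"].rsplit(".", 1)[1] for r in cluster)),
        "first_created": created[0].isoformat(),
        "last_created": created[-1].isoformat(),
        "span_days": (created[-1] - created[0]).days,
        "name_servers": sorted({r["ns"] for r in cluster}),
    }


def looks_like_campaign(summary, min_domains=3, max_span_days=30):
    """Heuristic from the post: many domains, one registrant, registered in a burst."""
    return bool(summary) and summary["count"] >= min_domains and summary["span_days"] <= max_span_days


def registrant_changes(old, new):
    """Domains whose registrant e-mail differs between snapshots: the ownership
    hand-over the post suggests alerting on."""
    before = {r["domain"]: r["email"] for r in old}
    return {r["domain"]: (before[r["domain"]], r["email"])
            for r in new if r["domain"] in before and before[r["domain"]] != r["email"]}


def new_domains_for(old, new, email):
    """Domains newly registered with `email` since the previous snapshot."""
    seen = {r["domain"] for r in pivot_email(old, email)}
    return sorted(r["domain"] for r in pivot_email(new, email) if r["domain"] not in seen)


if __name__ == "__main__":
    print(cluster_summary(SNAPSHOT_2, ACTOR))
    print("campaign:", looks_like_campaign(cluster_summary(SNAPSHOT_2, ACTOR)))
    print("hand-overs:", registrant_changes(SNAPSHOT_1, SNAPSHOT_2))
    print("new since snapshot 1:", new_domains_for(SNAPSHOT_1, SNAPSHOT_2, ACTOR))
```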