Desenmascara.me

Luxury & Fashion brands; be aware of the online counterfeiting!: desenmascara.me

Saturday, 4 July 2015

El sitio no permite desenmascaramiento automatico, ¿quizá un WAF o bloqueado?

The English translation for the title of this blog article would be something like: The site does not allow automatic unmasking due to either a WAF or being banned.

With the new anti-counterfeiting features for spotting fake websites, I came across some websites which the service was not able to analyze because the HTTP response coming from the scanned website returned a 403 code.

A message like the one in the picture below was then shown:

  
As the desenmascara.me service browses any website just as a normal user would, there is no reason to block it and no way to discover through the logs that a website is being analyzed by desenmascara.me. The only way to discover it would be through the IP of the service.

After some checks I came to the conclusion that the desenmascara.me service was being banned by some fake websites in order to avoid being categorized as such. Such behaviour is, per se, a good sign :)

Taking as an example the fake website from the picture above: hxxp://www.longchamphandbags.us.com/

The message below was returned when a plain HTTP request was sent from the desenmascara.me server:

<head><title>Error 403 - IP Address Blocked</title></head>
<body>
<p><center><h1>Your IP Address </h1></center></p>
<p><center><h4><font color="#FF0000">XX.XX.XXX.XX</font></h4></center></p>
<p><center><h3>is blacklisted on the network.</h3></center></p>
<p></p>
<p><center>If you have any question,please contact us with your IP at support@dilehost.com .</center></p>
</body>
</html>


However, from any other IP, the website was accessed without issues:



Now, when a website is blocking the desenmascara.me service, a message like the one below appears:


which is pretty similar to the original message but now with a link pointing to this blog article to let you know I am aware of this issue.

While I look for a correct approach to solve it, you can work around it temporarily by going directly to the report of the website. To do so, you only need to know the MD5 of the website's address, which you can compute with services such as: http://www.md5.cz/

How to see a report of a potential fake website which cannot be scanned with desenmascara.me

Method 1 (step by step):

  1. We are unable to analyze a website such as hxxp://www.longchamphandbags.us.com, and as a result we get the picture above.
  2. We go to http://www.md5.cz and type the full address of the website we want to analyze, without the trailing slash, into the MD5 input field, as follows:
     
  3. We copy the resulting MD5 hash, which is shown in red.
  4. We go to search.twitter.com and paste the MD5 hash from the previous step:

  5. If the website has previously been analyzed and categorized as either fake or not official, it should appear as below:
     
  6. Then, just by clicking on the desenmascara.me URL, we get access to the report.


Method 2 (step by step): It is possible that the website has been categorized as either fake or not official but has not been automatically tweeted. In that case:
  1. Same as method 1
  2. Same as method 1
  3. Same as method 1
  4. Then we go to the report URL directly: http://desenmascara.me/consulta/f10c5832e704999ce45413e7811de723
  5. Example: report URL




On some occasions, when trying the second temporary approach, you may receive an application error; this might be because the website has not been analyzed yet.

If you have any questions, you can either contact me or comment on this blog article.
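The workaround in Method 2, together with the check that tells the IP block page quoted earlier apart from an ordinary 403, written as an added example (it is not desenmascara.me's own code). The function names, the `shop.example` address and the UTF-8, trailing-slash-only normalization are assumptions; the report path is the one shown in step 4.

```python
import hashlib
import re

REPORT_BASE = "http://desenmascara.me/consulta/"  # report path shown in Method 2, step 4

def site_md5(url: str) -> str:
    """MD5 of the full address without the end slash (step 2 of both methods)."""
    # Assumption: UTF-8 bytes, only surrounding whitespace and trailing slashes
    # are trimmed; the article states no other normalization.
    return hashlib.md5(url.strip().rstrip("/").encode("utf-8")).hexdigest()

def classify_response(status: int, body: str) -> str:
    """Separate an IP-based block from other 403s and from normal answers."""
    if status != 403:
        return "reachable" if 200 <= status < 400 else "error"
    text = re.sub(r"<[^>]+>", " ", body)  # drop tags, keep title and visible text
    if re.search(r"ip\s+address\s+blocked|blacklisted", text, re.I):
        return "ip-blocked"
    return "forbidden"

def fallback(url: str, status: int, body: str) -> dict:
    """If the scan was IP-blocked, return what the manual workaround needs."""
    verdict = classify_response(status, body)
    if verdict != "ip-blocked":
        return {"verdict": verdict}
    digest = site_md5(url)
    return {
        "verdict": verdict,
        "twitter_query": digest,         # Method 1: search the hash on Twitter
        "report": REPORT_BASE + digest,  # Method 2: open the report directly
    }

# Constructed sample: the block page quoted in the article, IP masked as there.
BLOCK_PAGE = """<head><title>Error 403 - IP Address Blocked</title></head>
<body>
<p><center><h1>Your IP Address </h1></center></p>
<p><center><h4><font color="#FF0000">XX.XX.XXX.XX</font></h4></center></p>
<p><center><h3>is blacklisted on the network.</h3></center></p>
</body>"""

if __name__ == "__main__":
    # shop.example is a constructed placeholder address, not a site from the article.
    print(fallback("http://shop.example/", 403, BLOCK_PAGE))
    print(classify_response(403, "<html><body>Forbidden</body></html>"))
```

As noted above, the report URL only resolves if the site has already been analyzed; otherwise the service answers with an application error.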

2 comments:

  1. Hello,
    Could you please tell me if this website is reliable for online shopping?
    Thanks :)

    1. sorry, the website is http://nikelifestyleshoes.cc/
