How to verify whether a website is legitimate or not?:

lunes, 22 de agosto de 2016

How to cope with the online counterfeiting in the right way

Based on the last OECD/EUIPO report (2016), the trade in counterfeit and pirated good amounted to up to 2.5% of world trade in 2013.

The main luxury, fashion and sports brands are being targeted online, many take some proactive measures such as trying to take down the websites affecting their brand, but it is a cat and mouse play, as new FAKE sites will pop it up like mushrooms.

But the Alexander Wang brand has set a precedent; a kind of warning to counterfeiters, as it has just won a $90 million lawsuit against 459 FAKE websites targeting their brand. It does not mean the wining brand will see some millions from this lawsuit as the FAKE sites owners did not show up in court. But the key point is that today it would be more difficult for potential Alexander Wang customers to be victims of online fraud than any other brand, as below (despite their social media efforts).

martes, 31 de mayo de 2016

Massive Ransomware campaign of compromised Joomla based sites targeting to Endesa customers

Endesa is the largest electric utility company in Spain. Recently it has been discovered a ransomware campaign using a fake invoice of a huge amount to pay, in order to trick users to verify it. A clever social engineering move.

More details and the full list of domains involved can be checked in the CSIRT-CV alert.

The interesting part of this new Ransomware campaign is that most of the domains hosting the malicious scripts are based on the popular Joomla CMS.

hxxp://endesa-clientes .com / not available
hxxp://yamg.endesa-clientes .com / not available
hxxp://www.endesa-clientes. net /not available
hxxp://ojj.endesa-clientes .com / not available
hxxp://wtde.endesa-clientes. com / not available
hxxp://y2l6.endesa-clientes. com / not available
hxxp://rogaska-crystal. com / report
hxxp://itlearning. ma / not available
hxxp://nrmac. org / not available
hxxp://craferscottages. com. au / report
hxxp://sigortaci .net / report
hxxp://quality-managers. org / report
hxxp://tendearteplast. com / report
hxxp://gettingmarried .ie / report
hxxp:// / report
hxxp://tl6q.procura-italia. net / not available
hxxp://qln.myenel24. net / not available
hxxp://qln.myenel24. org / not available
hxxp://swisshalley-sale. ru / report (the only old Wordpress based)
hxxp://heroes-of-the-middle-ages. ru / report
hxxp://y2l6.endesa-clientes. com / not available
hxxp://securitysolutionshow. it / not available
hxxp:// / not available
hxxp://asge .ru / report
hxxp://ensarkarot. com / report
hxxp://faam. com / report
hxxp:// uk / report
hxxp://ipecho. net / report
hxxp://ultimchem. com report

Based on the compromises sites, it seems this campaign is leveraging the critical vulnerability CVE-2015-8562.

martes, 24 de mayo de 2016

How to spot a FAKE website

There are several tips about how to check whether a website is FAKE or not, but all of them require 8 different manual checks or even more.

Do not wast your time: just use to know with just 1 click whether a website is FAKE or not.

Let's take for example this website:

which was automatically flagged as FAKE by

but as long as the FAKE website is online has been able to lure to dozens of unsuspected users, and counting, as you can check it out in the below blog post created by some victim to raise awareness about the aforementioned FAKE site.

"If any of the victims would have check it out previously the website address in, they would have discovered that website is not safe to do business with."

" If you do not trust on a website, desenmsacaralo (unmask it) to see what is behind it "

martes, 12 de abril de 2016 has been integrated into VirusTotal's URL online scanning service

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners! is a free online service that analyzes websites to spot mainly whether they are FAKEs (related with the online counterfeiting) or not.

How does a FAKE website might be related with malicious content?; let me give you a bit of background to understand it.

Fake luxury goods are sold all over the Internet. There is an underground economy where a large number of globally distributed criminals trade in data, knowledge and services with the goal to defraud users and business, and this is related with the black market commoditization; a recent innovation from the fraudsters.

The underground organizations have well defined roles with inter dependencies, let's take for example; to buy and sell compromised web servers, scam hosting, exploit kits, and wholesale access to stolen user records including usernames and passwords, credit card numbers, and other sensitive personal data.

Recently Google published a post about a research related to this topic: The underground market fueling for profit abuse. The researches mapped the relations between the specialized roles in the underground economy as in the picture below.

whose explanation step by step can be viewed dinamically in this video:

Where the division of labor based on the chain of specialization is clearly represented. This underground economy is the culprit of current online threats such as fake anti-virus, ransomware, Trojan banks and any kind of commodity crimeware available out there. While reading the aforementioned research paper, the below figures called my attention:

Where IOCs for most of the threads above are usually included in the vast amount of intelligence watchlists either propietary or open source in order to do some kind of:
  • Correlation: (i.e: we need to see incident A before incident B can trigger)
  • Validation: (i.e: customers IP-space is linked to an IOC)
  • Enrichment: (i.e: To provide more context to known threats)

But for the Luxury knock-offs strategy of the profit center: Spamvertised products,  whereas the revenue numbers are even higher than in known threats such as Clickfraud or even close to the infamous Zeus, I was not aware of any kind of intelligence feed providing only such specific information.

The integration of into Virustotal's URL online scanning service is about the profit center: Spamvertised products. Any FAKE website related with the online counterfeiting will be flagged as such in and as suspicious in VirusTotal.

Below you can find some metrics about data is collecting:

Dashboard with all the brands detected

Availability of FAKE sites targeting to the PRADA brand

One of the main goals of the webservice is to let anyone known with just 1 click whether a website is FAKE or not. All the information collected is shared with the community through this VirusTotal integration. In addition, if you are a brand protection professional:

you would want to follow the desenmascarame twitter account (tweeting automatically each time a FAKE site is spotted and warning to the affected brand), o maybe to join the service avisame in order to get all the metadata of the FAKE website affecting to your brand.

More announcements to come.

lunes, 4 de abril de 2016

Good sites used in phishing attacks (Hacked sites)

The talk: Hard lessons learned while defending Gmail users" by Elie Bursztein, Anti-Spam and abuse research Lead @Google, provide key lessons the Gmail team learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them.

I would like to highlight the Key Challenges they will face in 2016:

I like specially the "hacked site" challenge. For them, when a site is hacked they have to react very quickly but at the same time it is very hard for them to reach those people that have been hacked. 

But what kind of good sites are being hacked?, despite of the PwnedWebsites resource to keep track of worth to mention websites which has been pwned, past statistics show revealed that legitimate websites visited by mass audiences have the highest concentration of online security threats than those pornography, pharmaceutical or gambling sites.

Remember, if you have a website you always may use in order to know whether your website is an easy target for the bad guys or not.

martes, 8 de marzo de 2016

Counter-offensive tactics to bear in mind when using IOCs

Threat Intelligence indicators are not Signatures, is a great post which does show how by implementing this approach, common in Organizations, will end up with floods of False Positives.

But there is another problem on top being flooded with false positives when using threat intelligence indicators as signatures. The bad guys know the enterprises are using this approach hence they are leveraging on it with some counter-offensive tactics. For instance there are public and private intelligence feeds which are being used by enterprises and SOCs to either create alerts based on hits or to auto escalate them based on use cases. Then, what do the bad guys are doing?

  • A given IOC is malicious in a short timeframe but enough as to be catched by some feed trackers out there. Once the IOC has been included in a tracker the bad guys then point the malicious domain (IOC) to a known IP such as Google or Facebook. Time to have fun on the enterprises relying on those IOCs.
  • Changing DNS entries often (fast-flux), this is a common technique to hide the delivery sites behind an ever-changing network of compromised sites but when this technique is used by pointing the malicious domains to legitimate IPs parts of the time; time to have fun again on those enterprises leveraging those IOCs.

If you would like to stay ahead of poor Threat intelligence, take a look to these questions for evaluating an external threat intelligence source.

viernes, 26 de febrero de 2016

Must the Internet providers block sites offering counterfeit items?

Luxury brands Cartier and Montblanc won recently a U.K. court ruling that orders Internet providers to block websites selling counterfeit goods including watches and pens. [Source Bloomberg.]

While this is not the correct approach to go but instead the Prada one is the way to go. This open an interesting debate?: Must the Internet providers block sites offering counterfeit items?

Net neutrality is the key issue here. In US the FCC (Federal Communications Commission) promotes a strong Net neutrality to keep the Internet open and free with statements like below pointed out on May 2010:
The FCC introduces strong net neutrality protections that said internet service providers could not block websites or impose limits on users. In December, the FCC would go on to pass a final version, adopting their first-ever rules to regulate Internet access. [Source Whitehouse.]

In Europe, the European Commision is in charge of the Net Neutrality, but with some issues.

This is an old debate about whether the ISPs should block access or not to content such as:
  • Adult websites
  • Terrorism propaganda
  • Intelectual property infringement (a.k.a: FAKE websites)

Now with news like those pointed out at the beginning of this article the debate is open:

 Must the Internet providers block sites offering counterfeit items?

What is your position on this matter?

Disclaimer: All the websites requested to be block by Cartier and Montblanc are available on the private feed.

martes, 9 de febrero de 2016

What happens to a website when their owners are not using it anymore?

Mammut is a Swiss company specialized in mountain sports. Personally I was not familiar with this brand, but thanks to the project a vast amount of brands, being counterfeited in the black corners of Internet, have become known for me.

 Mammut logo

While doing some research about the Mammut brand in order to add it to the service, I come across the below web domain:

Created on 2012-02-09, expired TODAY and registered through a proxy as it’s common on this activities to not disclose owner details:
which shows (at the time of this writing) a tipical 'access denied' message as below:


You don't have permission to access /quickstart.html on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

And based on this linkedin page, the above domain belongs to an Architecture and Planning company located in New York, without much activity lately as their last twitter was on 10. Jun 2014.

But then the thing is that such a web domain has some indexed resource such as:

Mammut keywords in the site

With several misconfigured mammut links pointing to a vast amount of FAKE websites targeting to the main fashion brands such as:

Gucci FAKE website

Tiffany FAKE website

Moncler FAKE website

NFL FAKE website

Louboutin FAKE website

RayBan FAKE website

and even fashion FAKEs hoverboards

UGG FAKE website taken down

The above examples are just a few sites to give you an overview of the size of this knock-off luxury campaign which target to many luxury brands at once. But of course there are more roles involved on campaigns like this such as spammers either on twitter:

Notice the change when the twitter account is mentioned

or in the below google search (which at the time of this writing has no results anymore. -Well done Google.):

“link: mammut“

The above google search did show hundreds of results with websites either compromised (due to old Joomla versions..) or spammed with comments to distribute this massive spam campaign of knock-off luxury products. 

This knock-off luxury online campaign does show how this online counterfeit business operate in a conglomerate of entities linked between them with different roles and ramifications as pointed out  in this Google research.

By collecting information from all the above FAKE websites there are email address and more information which is useful to track more FAKE online campaigns from the same actors. I tried to contact with some of the targeted brands but the communication was not successful so this article is just to let you know how this business operate online and to let you know what happen with a web domain which is not used anymore by their owners but it remains still active: it will be used by the bad guys!!.

If you are a brand representative of any of the brands affected either on this incident or any other online counterfeiting issue, do not hesitate to contact me for further details and cooperation.

jueves, 28 de enero de 2016

Trust seals are useless

A trust seal is a seal granted by an entity to website or businesses for display. Often the purpose is demonstrate to customers that this business is concerned with security and their business identity. [Wiki]

Trust seal examples

This conversation about trust seal in websites is old and sometimes lead to wrong assumptions. It’s not the actual security of your page that matters the most to users as they have little to no technical understanding of how HTTP works (and they should NOT have). Rather it is the confidence a website show prior to make any purchase with them to that’s of importance to this vast majority of users.

Why am I speaking about this?, cause today I come across a website with this 'Hacker safe' seal:

which was compromised to store a FAKE website selling Adidas products, nothing secret, even Google knew something strange was going on it:

This compromised website had a low security awareness value based on (-65), and it end up storing a FAKE website with a useless 'Hacker Safe' seal, therefore remember:

" If you do not trust on a website, unmask it to see what is behind it "