How to verify whether a website is legitimate or not?:

martes, 12 de abril de 2016 has been integrated into VirusTotal's URL online scanning service

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners! is a free online service that analyzes websites to spot mainly whether they are FAKEs (related with the online counterfeiting) or not.

How does a FAKE website might be related with malicious content?; let me give you a bit of background to understand it.

Fake luxury goods are sold all over the Internet. There is an underground economy where a large number of globally distributed criminals trade in data, knowledge and services with the goal to defraud users and business, and this is related with the black market commoditization; a recent innovation from the fraudsters.

The underground organizations have well defined roles with inter dependencies, let's take for example; to buy and sell compromised web servers, scam hosting, exploit kits, and wholesale access to stolen user records including usernames and passwords, credit card numbers, and other sensitive personal data.

Recently Google published a post about a research related to this topic: The underground market fueling for profit abuse. The researches mapped the relations between the specialized roles in the underground economy as in the picture below.

whose explanation step by step can be viewed dinamically in this video:

Where the division of labor based on the chain of specialization is clearly represented. This underground economy is the culprit of current online threats such as fake anti-virus, ransomware, Trojan banks and any kind of commodity crimeware available out there. While reading the aforementioned research paper, the below figures called my attention:

Where IOCs for most of the threads above are usually included in the vast amount of intelligence watchlists either propietary or open source in order to do some kind of:
  • Correlation: (i.e: we need to see incident A before incident B can trigger)
  • Validation: (i.e: customers IP-space is linked to an IOC)
  • Enrichment: (i.e: To provide more context to known threats)

But for the Luxury knock-offs strategy of the profit center: Spamvertised products,  whereas the revenue numbers are even higher than in known threats such as Clickfraud or even close to the infamous Zeus, I was not aware of any kind of intelligence feed providing only such specific information.

The integration of into Virustotal's URL online scanning service is about the profit center: Spamvertised products. Any FAKE website related with the online counterfeiting will be flagged as such in and as suspicious in VirusTotal.

Below you can find some metrics about data is collecting:

Dashboard with all the brands detected

Availability of FAKE sites targeting to the PRADA brand

One of the main goals of the webservice is to let anyone known with just 1 click whether a website is FAKE or not. All the information collected is shared with the community through this VirusTotal integration. In addition, if you are a brand protection professional:

you would want to follow the desenmascarame twitter account (tweeting automatically each time a FAKE site is spotted and warning to the affected brand), o maybe to join the service avisame in order to get all the metadata of the FAKE website affecting to your brand.

More announcements to come.

lunes, 4 de abril de 2016

Good sites used in phishing attacks (Hacked sites)

The talk: Hard lessons learned while defending Gmail users" by Elie Bursztein, Anti-Spam and abuse research Lead @Google, provide key lessons the Gmail team learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them.

I would like to highlight the Key Challenges they will face in 2016:

I like specially the "hacked site" challenge. For them, when a site is hacked they have to react very quickly but at the same time it is very hard for them to reach those people that have been hacked. 

But what kind of good sites are being hacked?, despite of the PwnedWebsites resource to keep track of worth to mention websites which has been pwned, past statistics show revealed that legitimate websites visited by mass audiences have the highest concentration of online security threats than those pornography, pharmaceutical or gambling sites.

Remember, if you have a website you always may use in order to know whether your website is an easy target for the bad guys or not.