Desenmascara.me

How to verify whether a website is legitimate or not?: desenmascara.me

Tuesday, 5 December 2017

Prediction: Safe Browsing technology will detect counterfeit-related websites

I will make only one prediction for 2018, one which I firmly think will sooner or later become a reality: some major technology such as Safe Browsing will detect and flag counterfeit-related websites. I have been working on detecting this fraud for a while with the side project http://desenmascara.me

My view is that this online fraud has reached a point where it cannot be overlooked. The last paragraph of the SANS paper on this topic, published earlier this year, reads:

"SafeBrowsing (https://www.google.com/transparencyreport/safebrowsing/?hl=en) is a Google technology included by default in the major browsers to protect the users from unsafe sites such as: Malware sites and phishing sites. The ultimate ambitious goal of this research is to have widely-used technologies like the above to flag a new kind of unsafe sites: FAKE websites related with the online counterfeiting. "

I have humbly tried to get detection for these kinds of counterfeit-related websites into the major browsers, such as Mozilla and Chrome. At Mozilla they do not believe these kinds of fake websites are a threat to users, so they will not fix it; in Chrome the issue is still open.


Counterfeit-related websites are usually involved with stolen personal information


The industry response to this online fraud is quite variable: while Facebook does little or nothing at all to disrupt it, law enforcement authorities, along with third parties coordinated by Europol, have taken down the largest number of these kinds of fake websites to date.

Some brands on Facebook deal with an endless cat-and-mouse game with the online counterfeiters

So my prediction for 2018:


Detection of counterfeit-related websites will become an additional protection offered by Safe Browsing (or any other major security technology), and this change will lead the way in how consumers (and industry) behave against this online threat.

My view:


Monday, 27 November 2017

Over 20520 internet domains seized for selling counterfeits

Over 20520 Internet domains such as:

(Disclaimer: the FAKE websites below are still active; browse them at your own risk. This is just information to show some examples of the kind of domains being seized.)

hxxp://www.rbqcd.com
hxxp://www.pandoratoutlet.com
hxxp://www.6sreplicachanel.com
hxxp://www.swarovskioutletsus.com
hxxp://www.wonderlandeventos.com
hxxp://www.giorgioarmanioutlet.com
hxxp://www.airmaxbaratasoutlet.com

have been seized for selling counterfeits. It's one of the biggest hits against online piracy. This massive operation was a joint investigation by Europol's Intellectual Property Crime Coordinated Coalition (IPC3), the US National Intellectual Property Rights Coordination Centre and law enforcement authorities from 27 EU Member States and third parties facilitated by INTERPOL.

Europol and the European Union Intellectual Property Office (EUIPO), the latter headquartered in Alicante (Spain), continued to join efforts in 2017 by successfully supporting many high-priority investigations related to online crimes, providing training related to online investigations, and organizing a conference on Innovative Strategies for Effective Enforcement in Antwerp, Belgium, on 19-20 September 2017.

I was invited by Europol to the mentioned conference and had the honour to host a workshop to show how OSINT tools such as http://desenmascara.me can help to gather intelligence about counterfeit-related websites.



Europol is doing great work by dismantling not only cybercrime groups but also migrant smuggling networks, child abuse photographers and many more organized crime groups.

Wednesday, 8 November 2017

CISSP: Decertification notice

CISSP is, despite its detractors, the undisputed king of InfoSec certifications. Six years ago I wrote a blog post about "how to get ready fast for the CISSP exam". To get this certification you need to invest a good amount of time and money and to have experience in the field. The same applies to maintaining it once you have it.

Some days ago I received an email from ISC2 like the one below:

Subject: (ISC)² Decertification Notice
02 Nov 2017

Member ID: 388018
Certification: CISSP
Expiration Date: 31 Jul 2017
Termination Date: 01 Nov 2017

Dear Jose Casbas, 
The purpose of this notice is to provide information regarding the status of your (ISC)2 certification.
According to our records, your CISSP credential was terminated effective 01 Nov 2017 because of Unpaid Annual Maintenance Fees.

Because the CISSP is a federally-registered certification mark, you may no longer use the CISSP designation in any form. For example, you may not use CISSP after your name, on printed materials and you may not display the certificate itself, wear the CISSP lapel pin or imply in any way that you are presently certified. Continued use of the CISSP designation is unauthorized and an infringement of the CISSP mark.

To be certified again, you must sit for, and pass the examination again. However, in order to do so, you must pay any outstanding AMF and late fees before registering for the exam. You may also be subjected to a $35USD reinstatement fee upon successfully passing an exam and requesting reinstatement of your credential.

If you have any comments or questions, do not reply to this email. Please email [email protected].
Sincerely, 

(ISC)2 Member Services

The process of paying and submitting the CPEs regularly is a bit painful. If you don't take care of it you will receive a notification like the one above. Personally I found it quite rude, and the fact that you need to sit for and pass the examination again to be certified puzzled me.

I decided to look on Twitter and found some dudes proud to receive such a notification; some even felt liberated. Personally I thought it a pity to lose something you have dedicated effort to and that has proven value in your career, so I decided to send an email to the mentioned address asking for a soft solution. And I got it.

Advice: after receiving such a notification, you have a two-week buffer to call them directly and settle your fees over the phone. There is no need to sit for and pass the examination again.

Monday, 20 March 2017

SANS research paper: Tracking online counterfeiters

"Tracking online counterfeiters" is a GIAC Gold paper which was recently published in the SANS Reading Room. This is a side project I have been working on for a while. I discovered this topic while investigating the reasons why websites get compromised, and I became addicted to this new field, which converges with the security field I was originally investigating.


Screenshots of 4 FAKE websites related to online counterfeiting.

What I also discovered is that this field is being massively underestimated by different industries, especially within the traditional security field.


"InfoSec also has a tendency to obsess over the technical sophistication of an attack instead of the impact it has on real people" (Stamos 2016) 

The context of this online fraud is explained in the paper, the links with the underground economy are shown, and the main tactics of the online counterfeiters are unveiled. Finally, with all the information collected, I detail the steps to create a new intelligence feed which we could use in many scenarios. Three example scenarios in which to apply this new intel are also given, just in case you are out of ideas.


I hope you enjoy reading the paper; do not hesitate to contact me with any question related to this topic.





Thursday, 19 January 2017

Chrome plugin to check whether a website is fake or not

Chrome plugin to avoid being lured by the online counterfeiters.

The plugin has two simple options:

1. When we are visiting a website and are not sure about its legitimacy, we just click on the plugin icon and then on "Check this page now":


It takes a few seconds, and then a pop-up like the one below appears with the result, in this case warning us to be careful because the website is related to online counterfeiting:


2. The other option, useful when we do not want to visit a website because it might be dangerous, is to click on the link and go directly to the desenmascara.me website. Then we can type the web address of the website we would like to analyze:

In such a case we will see the information about the website being flagged as FAKE. Then we know it is not safe to browse the website or to purchase any item on it.

In cases where a website has already been analyzed, we will see the information in the pop-up like the one below, where you can even click the "review the analysis" link to see the full report:


Do not hesitate to ask me any question regarding the plugin or the results. 

Have a safe online experience!

FACEBOOK does not worry about the online counterfeiting fraud

This recent post made me review the drafts I had in this blog regarding a similar issue, which I am publishing today. With the project http://desenmascara.me I have been investigating online counterfeiting fraud for quite some time. It turns out that Facebook has plenty of advertisements like the one below:


Facebook advertisement


Which leads to the Facebook event below (not active anymore):


In the above event page you can see the website being advertised: hxxp://www.rblovez.pw/
(not active anymore)



Which is clearly a FAKE Ray-Ban website, flagged by desenmascara.me:
http://desenmascara.me/consulta/b0f91cdf147d93f9726e923191b08eb4

and hence by VT:

https://www.virustotal.com/en-gb/url/e651e1c5c9e31be8152b9ef28111f9cf0a4db1473b0f5d1830ba6ef2270449eb/analysis/1457705321/

This FAKE website clearly sells luxury knock-off products, a dark business which has even more revenue than ransomware and close to that of well-known malware such as the Zeus banking trojan.




Though it is not a security vulnerability in itself, I reported it to Facebook because it is an abuse of their functionality which might be used to lure their users: anyone can set up an ad, and the target website, which might contain badware or fake content as in this case, would not be "fully verified".


The report was closed with the following feedback:

Hi Emilio,

Thanks for contacting us. Keep in mind that this queue is specifically for security vulnerabilities. Since what you describe doesn't appear to be a security vulnerability, you can provide feedback or suggestions regarding a feature here:

https://www.facebook.com/help/contact/268228883256323

Thanks,

Redacted name
Facebook



It seems that the issue was investigated some years ago by other researchers:




But Facebook still allows such advertisements. Despite all the effort they are putting into fighting FAKE news, it seems they still have plenty of room to improve when it comes to getting rid of advertisements involved with online counterfeiting on their network.

Google does a better job in this matter, but sometimes, as highlighted in the picture below, they have ads related to fake sites as well.