How to verify whether a website is legitimate or not?:

Monday, 3 September 2018

at Blackhat USA arsenal 2018

Last month the Black Hat 2018 conference took place in Las Vegas.

I had the great opportunity to demo the web tool to track online counterfeiters:


Though I had already presented the tool at Black Hat Europe in Amsterdam around 3 years ago, this conference was totally different, in the way that only Americans know how to do: great shows!

Photo courtesy of Azeria

I must admit I was a bit overwhelmed by this great conference, and I missed a lot of talks and events I would have liked to attend because they took place at the same time, on top of the hurdle of preparing the presentation/demo. Anyhow, this is what experience is for; for the next editions I will organize my schedule and must-go talks better.

I was thrilled to have the opportunity to present my side project to track online counterfeiters in such a remarkable environment. Many thanks to the Arsenal organizers for what seems to have been the biggest edition of Arsenal tools!

Friday, 4 May 2018

Advanced security analytics approaches

This is a live post which I will keep updating for my own reference.

  • Signature-based approaches are the oldest and most common approaches to detecting security intrusions within a networked computing environment.
  • Behavioral analytics: a branch of business analytics where known patterns are applied to discover malicious behavior.
  • Anomaly detection: also known as outlier detection, uses statistical profiling to build a historical baseline. It alerts on deviations from the established baseline that match a potential attack vector.
  • Cross-device correlation: also known as event correlation, refers to a technique where an IDS alert is correlated with a huge number of firewall alerts to pinpoint the events that really matter in a scenario where a massive number of alerts take place.
  • Kill-chain detection: an intrusion-based methodology that allows one to focus on the different stages of an attack. This methodology was developed by Lockheed Martin.
  • Integrated threat intelligence: this might be similar to the signature-based approach but more agile and supported through industry partnerships. It looks for known bad actors by leveraging global threat intelligence from multiple and disparate feeds.
Every approach has the goal of catching either suspicious or malicious activity. The ideal catch, and also the most complicated, would be the abstract set of behaviors that an adversary is using. Based on David Bianco's Pyramid of Pain diagram, that is the adversary's tactics, techniques and procedures (TTPs). This is the ideal detector according to Red Canary's detection engineering team.
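To make the anomaly-detection and cross-device-correlation entries concrete, here is an added example (mine, not part of the original post) that runs both over a handful of constructed firewall and IDS log lines: a z-score check of each host's DENY count against a 7-day baseline, and a join of IDS alerts with firewall denies from the same source inside a 5-minute window. Host addresses, signatures and the baseline are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed firewall log lines: "timestamp src_ip dst_ip action"
FIREWALL_LOG = """\
2018-05-04T10:00:01 10.1.1.5 198.51.100.20 DENY
2018-05-04T10:00:02 10.1.1.5 198.51.100.21 DENY
2018-05-04T10:00:03 10.1.1.5 198.51.100.22 DENY
2018-05-04T10:00:05 10.1.1.9 198.51.100.40 ALLOW
2018-05-04T10:02:00 10.1.1.5 198.51.100.23 DENY
2018-05-04T10:15:00 10.1.1.7 198.51.100.50 DENY
"""
# Constructed IDS alerts: "timestamp src_ip signature"
IDS_ALERTS = """\
2018-05-04T10:00:04 10.1.1.5 ssh-brute-force-attempt
2018-05-04T10:15:30 10.1.1.7 suspicious-user-agent
2018-05-04T10:40:00 10.1.1.9 executable-download
"""
# Constructed historical baseline: DENY events per host on each of the previous 7 days
BASELINE_DENIES = {
    "10.1.1.5": [1, 0, 2, 1, 0, 1, 1],
    "10.1.1.7": [1, 1, 0, 1, 1, 0, 1],
    "10.1.1.9": [0, 0, 0, 1, 0, 0, 0],
}

def parse_firewall(text):
    out = []
    for line in text.splitlines():
        ts, src, dst, action = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, action))
    return out

def parse_ids(text):
    out = []
    for line in text.splitlines():
        ts, src, sig = line.split(maxsplit=2)
        out.append((datetime.fromisoformat(ts), src, sig))
    return out

def deny_anomalies(events, baseline, threshold=3.0):
    """Anomaly detection: z-score of today's DENY count per host against its
    baseline; hosts more than `threshold` standard deviations above are returned."""
    counts = defaultdict(int)
    for _, src, _, action in events:
        if action == "DENY":
            counts[src] += 1
    flagged = {}
    for host, history in baseline.items():
        sigma = pstdev(history) or 1.0          # a flat history would divide by zero
        z = (counts.get(host, 0) - mean(history)) / sigma
        if z > threshold:
            flagged[host] = round(z, 2)
    return flagged

def correlate(alerts, events, window=timedelta(minutes=5)):
    """Cross-device correlation: keep IDS alerts whose source IP also produced
    firewall DENY events within +/- `window`, with the number of supporting denies."""
    kept = []
    for ts, src, sig in alerts:
        support = sum(1 for ets, esrc, _, act in events
                      if esrc == src and act == "DENY" and abs(ets - ts) <= window)
        if support:
            kept.append((src, sig, support))
    return kept

def prioritise(fw_text=FIREWALL_LOG, ids_text=IDS_ALERTS, baseline=BASELINE_DENIES):
    """Rank correlated alerts: anomalous hosts first, then by supporting denies."""
    events, alerts = parse_firewall(fw_text), parse_ids(ids_text)
    anomalies = deny_anomalies(events, baseline)
    ranked = sorted(correlate(alerts, events),
                    key=lambda r: (r[0] in anomalies, r[2]), reverse=True)
    return ranked, anomalies
```

The uncorrelated download alert from 10.1.1.9 is dropped, and the SSH alert from 10.1.1.5 ranks first because that host is both correlated and anomalous.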

However, regardless of the approaches used, the truth is that within MSSP environments (with an overwhelming amount of security alerts) a huge amount of time and resources is wasted processing useless security alerts, which often either reduces the sensitivity of security personnel or leads them to ignore alerts altogether. What could be the best solution? That is a hard question: while innovative approaches to avoid the pitfalls of alert fatigue and other SOC challenges, such as SOCless detections, might be suitable for some environments, they are not intended for MSSP environments. The best advice I have ever seen in this area to improve MSSP capabilities is this:
I had countless conversations with organizations complaining about the false positives sent by the MSSP. But it’s impressive how many of them are not prepared to report back those events to the provider in a way that would allow them to tune their systems and avoid a similar occurrence in the future. This is a recurrent theme in this document: You MUST WORK WITH THE MSSP, not expect them to figure everything out alone.
Augusto Barros. Research VP at Gartner.

But obviously, talking about security alerts without having an incident response plan in place is fruitless. Some companies contract MSSP services just as a checkbox, where every security alert escalated, regardless of its accuracy, goes into a black hole. This might be due either to a lack of security awareness within the company (lack of a CISO role) or to budgetary reasons. In the latter case, the IT personnel usually cannot cope with security-related work, again either due to an excessive workload or a lack of knowledge. The optimal situation would be a company with a security incident response plan in place (see NIST 800-61).

Incident response phases defined in NIST 800-61

In such an optimal situation, a company whose security service is provided by an MSSP would know what to do and how to act (through defined playbooks) for every security alert they receive from the MSSP.

Mini-paper released recently: Improving security incident quality in SOCs with resolution categories.

Related external links:

Tuesday, 17 April 2018

Fortinet I hope that we all do not fall for one of these one day

This post by Fortinet caught my attention: You will fall for this one day. I could not believe that a CTF player was the victim of a counterfeit-related website shown through ads on Facebook. It is not my intention to blame the victim but instead to highlight that if a technically savvy person can be lured by the online counterfeiters, the chances for an average Internet user to avoid this fraud are quite low.

The article is quite good at describing how these scams usually work and the tactics of the online counterfeiters in relation to a carefully-chosen website name, as described in the Tracking online counterfeiters paper, in order to lure their victims.

Also to my surprise, near the conclusion of the article I could read the bold sentence of the paragraph below:

The CTF player reported the website to the affected brand, Salomon in this case. This is a good action on their side, but it is a drop in the ocean. The project, through its Twitter account, has so far sent around 10,000 alerts to 142 different brands being affected by online counterfeiters. The number of counterfeit websites detected by this side project is higher, but due to Twitter API restrictions not all websites detected are automatically tweeted.

But the article had more surprises in relation to the Fortinet approach to coping with this fraud:

While it is great to see some security vendors taking into account these kinds of fake websites luring users, the "phishing" categorization might not be accurate enough to highlight this massive online fraud. As pointed out in the mentioned paper about "Tracking online counterfeiters", having a specific categorization for this specific fraud will help to raise awareness among users and also to create alliances with other stakeholders to fight it. But this is a not-so-easy battle, as even Kaspersky calls it phishing. The reality behind such counterfeit-related webs is that phishing is rarely the goal; instead they are a profit center through which victims transfer new capital into the underground, and as a profit center, all the pieces of this ecosystem must work properly:

Also, asserting that FortiGuard customers are protected from this scam because the website has been classified and blocked is a valid (but weak) point to show value over other vendors not being able to recognize this online fraud:

But the reality is that a much wider approach is needed to cope with this massive online fraud. Just as an example, taking the fake website being blocked by Fortinet:
There are dozens of additional fake webs which belong to the same counterfeit campaign (as noted by the use of the same infrastructure and website domain registration details):

Are all those fake websites also detected and blocked by Fortinet? The answer: at this point in time they are not, as shown below with a random fake web domain related to the same campaign:

As I said before, this is just a drop in the ocean. After researching this online fraud for years, publishing a paper about "Tracking online counterfeiters", collaborating with Europol in joint operations to take down websites related to this fraud, and also unveiling massive campaigns of counterfeit-related webs, the reality is that all the past estimations from different sources about the rise of this massive and underestimated online fraud are coming true. In order to tackle this online fraud a more holistic approach is needed; the technology to do it is already available, but the only thing truly needed to cope with it is will.

As stated in the last sentence of the "Tracking online counterfeiters" paper, the ultimate, ambitious goal of this research and the side project is to protect users worldwide from this massive online fraud. How could this be achieved? By having widely-used technologies like Safe Browsing or similar flag a new kind of unsafe site: FAKE websites related to online counterfeiting.

Therefore, Fortinet, I hope that we all do not fall for one of these one day.

P.S.: Unfortunately this is an underrated online fraud. This is a feature request to Firefox: it was closed as "will not be fixed" because they did not consider the topic relevant enough to act upon it.

Sunday, 8 April 2018

RFC1918 IP Addresses in APT reports being used as IOCs by "Intelligence" providers

The title of this article was published some days ago as a tweet. Unfortunately, judging by the responses, it seems this is not such an uncommon issue:

It all started as a heads-up about a high-priority incident in a sensitive environment. A watchlist matching an internal private IP against a botnet? This incident needed confirmation as it got escalated with urgency. As is common in this scenario, dealing with different stakeholders, the private IP categorized as botnet was anonymized in order to protect sensitive information, but we needed that information in order to investigate further. Requesting it added time to the investigation.

Once we had the private IP details we could do some cross-checks to get the additional context needed in this scenario. The additional cross-checks were to verify which intelligence feed contained the private IP and then to gather the details. After some investigation we were unable to find any correlation: none of the watchlists we provide (from public and private sources around the world, including product vendors, industry experts, government agencies, professional associations, media, news groups...) contained such info. The next step was to search for the private IP in any public report, because at this point it was fairly clear what the issue was, and bingo! Anunak: APT against financial institutions is a great report released by Group-IB and Fox-IT, and it contained the private IP address as a C&C IP without any additional info. This is likely a common mistake: the information provided by reverse engineers is not vetted by the intel team responsible for crafting the APT report, and then the mistake is chained by intelligence providers who do not vet the IOCs they ingest, package and sell. It turns out the affected customer was using additional threat intelligence providers, and it was one of them who provided the private IP address as an IOC.

Based on The cost of bad intelligence: "Security professionals practicing threat intelligence must understand the implications of mistakes and poor analysis. Bad intelligence can and does decrease the security effectiveness of an organization." 
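As an added example (not from the original post), the vetting step the paragraphs above argue for: a check run over a constructed IOC feed that rejects RFC 1918, loopback, link-local and other non-routable addresses before they reach a watchlist, recording the reason so it can be reported back to the feed provider. The feed lines and the report name are placeholders; 8.8.8.8 is used only as a stand-in for a routable value.

```python
import ipaddress

# Constructed feed lines: "indicator,type,source" (source name is a placeholder)
FEED = """\
10.10.10.10,ip,placeholder-apt-report
192.168.1.20,ip,placeholder-apt-report
8.8.8.8,ip,placeholder-apt-report
127.0.0.1,ip,placeholder-apt-report
169.254.1.1,ip,placeholder-apt-report
not-an-ip,ip,placeholder-apt-report
"""

# The three RFC 1918 blocks, checked explicitly so the rejection reason names them
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_ip(value):
    """Return None if the address is a usable IOC, otherwise the reason it is not."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "not an IP address"
    if any(ip in net for net in RFC1918):
        return "RFC 1918 private address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if not ip.is_global:          # catches the remaining reserved/bogon ranges
        return "reserved / non-routable"
    return None

def vet_feed(text):
    """Split a feed into (accepted, rejected); rejected rows carry source and reason
    so they can be fed back to the provider instead of silently dropped."""
    accepted, rejected = [], []
    for line in text.splitlines():
        indicator, kind, source = line.split(",")
        if kind != "ip":          # only IP indicators are vetted in this example
            accepted.append((indicator, kind, source))
            continue
        reason = classify_ip(indicator)
        if reason:
            rejected.append((indicator, source, reason))
        else:
            accepted.append((indicator, kind, source))
    return accepted, rejected
```

Only the routable address survives; every private or malformed value is returned with the reason and the report it came from.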

Wednesday, 28 February 2018

Invited to talk at the Europol about

Last week I had the opportunity to participate in the IOS IX kick-off meeting held at the Europol HQ in The Hague (The Netherlands).

IOS stands for operation In Our Sites. It is a joint, global, recurrent operation first implemented in 2014 that has grown significantly since then. The eighth edition of this global operation, in 2017, saw a wide range of anti-counterfeiting associations and brand owner representatives join law enforcement authorities in this huge worldwide action, to facilitate international cooperation and support the countries involved in this initiative. In fact, the outcome of the last edition was: The biggest hit against online piracy: over 20520 domains seized for selling counterfeits.

I had the opportunity to participate in the ninth edition by presenting the online tool as a tool to help:

  1. users (as a one-stop shop to check whether a website is related to counterfeiters or not)
  2. brands (by providing the intelligence gathered through users' inputs)
  3. LEAs (through cooperation, with the intel acquired, to dismantle the organized groups behind this online fraud).
The overall goal was to show that the tool can be trusted as an OSINT tool to gather fresh counterfeit-related websites for hundreds of different brands.

I really enjoyed participating in this kick-off meeting, acquiring new knowledge and making great contacts.

If you have any questions regarding the use of please do not hesitate to drop me an email or send them through the contact form of the website.

Happy online counterfeiting hunting.

Tuesday, 6 February 2018

Who is behind those FAKE Whatsapp campaigns supposedly giving for free Nike shoes and alike?

Update 1: I submitted all this information to Facebook so that they might take some "action" against those responsible for this fraud and signal that they do not allow their infrastructure to be abused to lure their users, but apparently they do not care much about these actors. This was their response:

Hi Emilio,
We are aware of homograph URLs and the potential risks they pose. We have automated systems in place to detect and prevent abusive/malicious domains/URLs. What you're describing is a social engineering attack against people, which is not in scope for our program.
Thank you for contacting Facebook,

Update 2: A similar campaign in France targeting Air France.

Today is Safer Internet Day. It is a European initiative which has grown beyond its traditional geographic zone and is now celebrated in approximately 130 countries worldwide with the support of many stakeholders.

Some supporters of SID

Meanwhile, on WhatsApp we still receive messages like the one in the picture below:

English translation: Nike will give away 5000 pairs of shoes for its 55th anniversary. Get your shoes for free at: .... )

Fake Nike promotion in Spanish language

Fake Nike promotion in Italian language

Any user who clicks on the link above (notice the KOI-7 encoding of ; this is known as a homograph attack) is lured through the redirection below:

and ends up on a survey like the one below, hosted on a recently created domain (3 days old and with a risk score of 100 according to DomainTools), whose analysis in VirusTotal is NOT flagged by any commercial vendor.
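As an added example (not part of the original post), a defender-side check for the homograph trick described above: it decodes a punycode domain, reports labels that mix Unicode scripts, and maps common Cyrillic look-alikes to their Latin twins so the label can be compared against a brand list. The brand list and the confusables table are assumptions and cover only the common cases, not the full Unicode confusables set.

```python
import unicodedata

# Constructed list of brands the organisation wants to protect
BRANDS = {"nike", "adidas", "airfrance"}

# Cyrillic letters that render like Latin ones (assumption: a common subset,
# not the complete confusables table)
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0455": "s", "\u04cf": "l", "\u0501": "d",
}

def scripts_of(label):
    """Scripts used by the letters of a label, approximated by the first word
    of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def skeleton(label):
    """Replace known look-alikes with their Latin counterpart."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())

def check_domain(domain):
    """Decode punycode if present and report homograph indicators per label."""
    try:
        unicode_form = domain.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_form = domain          # already Unicode, or not decodable
    findings = []
    for label in unicode_form.split("."):
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in '{label}': {sorted(scripts)}")
        skel = skeleton(label)
        if skel != label.lower() and skel in BRANDS:
            findings.append(f"'{label}' is a look-alike of brand '{skel}'")
    return {"unicode": unicode_form, "suspicious": bool(findings), "findings": findings}
```

A domain whose only difference from a brand is a Cyrillic letter is reported twice: once for mixing scripts and once for matching the brand after the look-alike mapping.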

Any unsuspecting user will fill in the survey, which consists of 4 basic questions. Afterwards, a prerequisite to receive the free shoes is to share the message through WhatsApp with 20 of your friends. The ball keeps growing.

The user then clicks on the WhatsApp button to share the message. Once the message has been shared among their contacts, they are redirected to another site (bye bye Nike shoes :( )

The above redirection makes sure we are arriving from the previous WhatsApp campaign (as this is a referral marketing network; otherwise a different site would be presented). As we are arriving from the fake Nike WhatsApp promotion, we are now presented with the site below:

Now the user, still willing to get the promised Nike shoes, will fill in the above form with their personal data. But here the interesting part (as always) is in the small print: by clicking on Patrocinadores (sponsors) we see the text below:

where there are quite a few companies from different sectors willing to sink their teeth into your personal data:

and here, finally, we get an e-mail address responsible for this "fake" campaign, so you now have an address to write to in case you have not received your promised Nike shoes:

or a postal address to write to:

Interestingly, the domain was also recently created, some months after the business was set up, under an anonymous Whois provider and hosted in Russia:

Correlating data with the DomainTools Iris tool

If we pivot over any IP address related to the domain to take a look at the passive DNS information, we can see the malicious history of the domains hosted on those IPs (most of them under the TLDs .review and .win). There are hundreds of different and random domains created recently with the only purpose of hosting fake marketing campaigns to be spread like wildfire through social networks, as the current one:

PassiveDNS information extracted with VirusTotal

Below are some of the businesses for which this entity will collect your personal data for their commercial purposes through fake campaigns like this one:

and so on; we could keep giving out personal data for free to these companies for a while:

The key factor here is that those companies are not the culprits, but rather the intermediary agencies like Green Flamingo Promotions and the like, who are using these tactics to do their business: collecting your personal and private information in order to sell it.

There is no need to clarify how greedy these companies might be in collecting your data in order to sell you their services. Just bear in mind that even with data you are not giving but disclosing, through the kind of devices you are connecting from, and correlated with data collected through the previous dubious campaigns, they may infer even your social class.

Today is Safer Internet Day, so keep your data private, or at least do not fall for fake campaigns like these. You have been warned!

Saturday, 3 February 2018

How to uncover a massive campaign of counterfeit-related websites with just an e-mail address

Disclaimer: Thanks to my side project I reached an agreement with DomainTools to use their commercial tools to research new ways of leveraging them to gather additional intel around the online counterfeiting fraud. This is an example of a small piece of research whose outcome was a massive campaign of counterfeit-related websites. A more formal article can be found on the DomainTools blog.

In the context of online counterfeiting, there are four classes of domain that warrant discussion:
  • Counterfeiter-registered domains
  • Free-hosting based
  • Legitimate but compromised
  • Expired domains
To learn more about each type you can take a look at the SANS paper "Tracking online counterfeiters". For the purpose of this article I will focus on the first type, only to later find a massive campaign of counterfeit websites of different types.

A counterfeiter-registered domain might be, for example: (active while writing this article)

Figure 1: Counterfeit-related website

This involves the online counterfeiters using any provider to register the domain in the conventional sense. Unfortunately, Whois data can still be spoofed. In fact, if the counterfeiter was never going to need to manage the domain again, he could use a false e-mail address. This scenario mostly applies to bad guys registering C2 domains, but it is usually not the case for counterfeit-related websites, as in the case above:

Figure 2: Legitimate mail address used to register the counterfeit-related website

Another consideration is that registration services often sell privacy/protected registration as a service. In those cases, only the privacy service and the registrar have the information provided by the registrant, who registers a domain on behalf of someone else and then transfers it to them shortly thereafter. In those cases (also mostly seen in C2 domain registrations) the initial registration would be the intermediary, and the registrant data may be updated later to reflect the actual domain owner. This is something you can easily set up as an alert in DomainTools to keep track of, as in the example below of a counterfeit-related website handing over the domain's ownership:

Figure 3: Registered domains extracted with

With the side project I usually keep track of how counterfeit-related websites are maturing. Immersed in these tasks, I was investigating the domain: because, despite showing all the signs of a counterfeit-related one, the online tool was not able to analyze it due to some kind of blocking countermeasures on the counterfeit domain's server side.

Figure 4: Registered domains extracted with

The same behavior was shown by the domain: in this case the domain was manifestly a copycat of Adidas, but in Danish.

Figure 5: Registered domains extracted with

Based on the public Whois data observed I started to suspect something: the name server of both domains is the same, they have both been recently created, and the registration e-mails look random but are under the same domain (a China-based company).

Both pictures, figure 3 and figure 4, were extracted with the free DomainTools Whois lookup tool. On the other hand, Iris is a tool that gives you additional insights while investigating any kind of online fraud. In this case, by using Iris to investigate these 2 domains further, I found a massive and fresh campaign of around 50,000 counterfeit-related websites, all in less than 5 minutes!

Let's see the step-by-step process:

1. With valid DomainTools credentials we access the Iris service:

Figure 6: Iris main website

2. We type the IOC we would like to investigate further, in this case:

Figure 7: Web domain being investigated with the Iris tool

3. In the email section we see the same email addresses as seen in the public Whois lookup tool, plus two additional mail addresses. Right-clicking on any of these fields shows the number of additional domains registered under them. When pivoting over the random mail address based on the domain it shows the text "no other domains share this value", but when we pivot over the mail address [email protected], as seen in figure 8:

Figure 8: Pivoting over an indicator (web mail address)

4. We see that 53,361 domains share this value. Let's check them out. To do so we click on "Narrow Search", and in the top menu we see a new tag with this field, as shown below in figure 9:

Figure 9: Multi-tag search (web domain and web mail address)

5. Now we remove the domain tag in order to extract all the information related "only" to this email address, and then we notice the surprise:

Figure 10: Iris search with a key indicator (web mail address)

53,679 fresh counterfeit-related domains found! A quick random verification shows that all of them are counterfeit-related websites targeting a huge number of brands, under domains belonging to many different TLDs, especially .com, .de and .top.
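The Iris pivot in steps 3 to 5, reproduced offline as an added example (not the author's or DomainTools' code) over constructed Whois records: it indexes domains by registrant and admin e-mail, reports how many domains share each value, flags random-looking registrant addresses under one mail domain, and diffs two snapshots to count newly registered domains, as in the update at the end of the post. All records, addresses and the randomness heuristic are made up.

```python
from collections import defaultdict
import re

# Constructed Whois records: (domain, registrant_email, admin_email, name_server, created)
SNAPSHOT_1 = [
    ("brandshoes-outlet.example", "qx7k2p@mail-provider.example", "contact@registrar-agent.example", "ns1.host.example", "2018-01-20"),
    ("cheap-sneakers.example",    "m93zdl@mail-provider.example", "contact@registrar-agent.example", "ns1.host.example", "2018-01-22"),
    ("sportswear-dk.example",     "r2t8vq@mail-provider.example", "contact@registrar-agent.example", "ns1.host.example", "2018-01-25"),
    ("unrelated-blog.example",    "editor@unrelated.example",     "editor@unrelated.example",        "ns9.other.example", "2015-06-01"),
]
# A later constructed snapshot: the same admin contact has registered two more domains
SNAPSHOT_2 = SNAPSHOT_1 + [
    ("reebok-sale-top.example",   "h5w1nz@mail-provider.example", "contact@registrar-agent.example", "ns1.host.example", "2018-02-05"),
    ("newbalance-de.example",     "k8p3qs@mail-provider.example", "contact@registrar-agent.example", "ns1.host.example", "2018-02-06"),
]

def index_by_email(records):
    """Map every e-mail value (registrant or admin) to the set of domains using it."""
    idx = defaultdict(set)
    for domain, reg, adm, _, _ in records:
        idx[reg].add(domain)
        idx[adm].add(domain)
    return idx

def pivot(records, email):
    """Iris-style pivot: all domains sharing this e-mail (the starting domain included)."""
    return sorted(index_by_email(records).get(email, set()))

def looks_random(email, min_len=6):
    """Heuristic for throwaway addresses: a letters+digits local part with at
    most one vowel (assumption: good enough for this example, not a real classifier)."""
    local = email.split("@")[0]
    return (len(local) >= min_len and re.fullmatch(r"[a-z0-9]+", local) is not None
            and any(c.isdigit() for c in local) and sum(c in "aeiou" for c in local) <= 1)

def campaign_summary(records):
    """Group domains by admin e-mail and report, per contact, the number of domains,
    how many registrant addresses look random, their mail domains and name servers."""
    by_admin = defaultdict(list)
    for rec in records:
        by_admin[rec[2]].append(rec)
    summary = {}
    for adm, recs in by_admin.items():
        summary[adm] = {
            "domains": len(recs),
            "random_registrants": sum(looks_random(r[1]) for r in recs),
            "registrant_mail_domains": sorted({r[1].split("@")[1] for r in recs}),
            "name_servers": sorted({r[3] for r in recs}),
        }
    return summary

def new_domains(old, new, email):
    """Domains sharing `email` in the new snapshot that were absent from the old one."""
    return sorted(set(pivot(new, email)) - set(pivot(old, email)))
```

Pivoting on a random registrant address returns only the domain itself ("no other domains share this value"), while the shared admin contact exposes the whole cluster and its growth between snapshots.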

Let's take a look at some of them as examples under the different TLDs.

Counterfeit-related website targeting the New Balance brand:

  Figure 11: Counterfeit related website

Multibrand counterfeit-related website: 

Figure 12: Counterfeit related website

Multibrand Counterfeit-related website:

Figure 13: Counterfeit related website

Counterfeit-related website targeting the Reebok brand:

Figure 14: Counterfeit related website

Multibrand Counterfeit-related website (car parts, toys, electronics...):

Figure 15: Counterfeit related website

Multibrand counterfeit-related website:

Figure 16: Counterfeit related website

Multibrand counterfeit-related website:

Figure 17: Counterfeit related website

"All the information collected here has been sent along to Europol as part of the IOS program to fight the trade of counterfeit products online."

Update: After some days, the indicator [email protected] keeps registering new counterfeit-related domains; while I am writing this update (some days after writing the original article) the number of domains related to this counterfeit actor is 55,048. That is 1369 new counterfeit-related domains registered within a few days by the same actor.