Desenmascara.me

Luxury & Fashion brands; be aware of the online counterfeiting!: desenmascara.me

martes, 6 de febrero de 2018

Who is behind those FAKE Whatsapp campaigns supposedly giving for free Nike shoes and alike?

Update 1I did submit all this information to Facebook so they might take any "action" against the responsible behind this fraud and to signal they do not allow to abuse their infrastructure to lure its users, but apparently they do not care much about these actors, this was its response:

Hola Emilio,
We are aware of homograph URLs and the potential risks they pose. We have automated systems in place to detect and prevent abusive/malicious domains/URLs. What you're describing is a social engineering attack against people, which is not in scope for our program.
Gracias por comunicarse con Facebook,

Update 2: Also similar campaign in France targeting Air France


Today is the Safer Internet Day. It is an European initiative which has grown beyond its traditional geographic zone and is now celebrated in approximately 130 countries worldwide with the support of many stakeholders.



Some supporters of SID



Meanwhile in WhatsApp we still receive messages like the below picture:

English translation: Nike will give for free 5000 pairs of shoes due to its 55° anniversary. Get your shoes for free in: .... ) 

Fake Nike promotion in Spanish language


Fake Nike promotion in Italian language



Luring to any user who click in the link above (notice the KOI-7 encoding of nike.com - this is known as a homograph attack) going through the below redirection:


then ending end up with a survey as the below hosted in a recent created domain ( 3 days old and a risk score of 100 based on DomainTools ) and whose analysis in VirusTotal is NOT flagged by any commercial vendor.




Any unsuspected user will fill in the survey which is based on 4 basic questions. Afterwards a pre-requisite to receive the free shoes is to share the message through whatsapp with 20 of your friends. The ball keeps growing. 



The user then click on the whatsapp button to share the message. Once the message has been shared among its contacts you will be redirected to another site (bye bye Nike shoes :( )

The above redirection make sure we are arriving from the previous Whatsapp campaign (as this is a referred marketing network, otherwise a different site will be presented). As we are arriving from the Fake Nike whatsapp promotion we are presented now with the below site:




Now the user still willing to get the promised Nike shoes will fill in the above form with its personal data. But here the interesting part (as always) is in the small letter, by clicking on Patrocinadores we will see the below text:


where there are quite a few companies from different sectors willing to sink its teeth into your personal data:





and here finally we do get a mail address responsible for this "Fake" campaign, so you have now an address to write in case you have not received your promised Nike shoes:




or a postal address to write them:




Interestingly the domain greenflamingopromotions.com was also recently created, some months after the business was set up, under an anonymous whois provider and hosted in Rusia:

Correlating data with the DomainTools tool Iris


If we pivot over any IP address related with the domain to take a look into PassiveDns information we can see the malicious history of domains hosted on such IPs (most of them under the TLD .review and .win). There are hundreds of different and random domains created recently with the only purpose to host fake marketing campaigns to be spread like wildfire through social networks as the current one:


PassiveDNS information extracted with VirusTotal


Below are some of the business who this entity will collect your personal data for their commercial purposes through fake campaigns like this:








and so on, we could stay giving out personal data for free to these companies for a while:






The key factor here is that those companies are not the culprit here but the intermediate agencies like Green Flamingo Promotions and alike who are using these tactics to do their business: to collect your personal and private information in order to sell it. 

There is no need to clarify how greedy these companies might be collecting your data in order to sell you their services. Just bear in mind that even with data that you are not giving but disclosing through the kind of devices you are connecting from and correlated with data collected through the previous dubious campaigns they may infer even your social class


Today is the Safer Internet Day so keep your data private or at least do not incur in fake campaigns like these. You have been warned !!

sábado, 3 de febrero de 2018

How to uncover a massive campaign of counterfeit-related websites with just an e-mail address

Disclaimer: Thanks to my side project desenmascara.me I reached out an agreement with DomainTools to use their commercial tools to research news ways about how to leverage them to gather additional intel around the online counterfeiting fraud. This is an example of a small research with the outcome of a massive campaign of counterfeit-related websites. A more formal article can be found on the DomainTools blog.

In the context of online counterfeiting, there are four classes of domain that warrant discussion:
  • Counterfeiters registered domains
  • Free hosting based
  • Legitimate but compromised
  • Expired domains
In order to know more about each type you can take a look to the SANS paper "Tracking online counterfeiters".  For the purpose of this article I will focus on the first type but just to find later a massive campaign of counterfeit websites of different types.

A counterfeit registered domain might be as in example: http://www.pradaus.com (active while writing this article)


Figure 1: Counterfeit-related website www.pradaus.com


This involves the online counterfeiters using any provider to register the domain in the conventional sense. Unfortunately Whois data can be spoofed yet. In fact, if the counterfeiter was never going to need to manage the domain again, he could use a false e-mail address. This scenario mostly works for the bad-guys registering C2 domains, but usually is not the case for counterfeit-related websites, as in the above case:


Figure 2: Legitimate mail address used to register the counterfeit-related website www.pradaus.com



Other considerations are that registration services often sell privacy/protected registration as a service. In those cases, only the privacy service and registrar have the information provided by the registrant that registers a domain on behalf of someone else and then transfers it to them shortly thereafter. In those cases (also mostly seen on C2 domain registrations) the initial registration would be the intermediary, and then registrant data may be updated later to reflect the actual domain owner. Something you can easily set up as an alert in Domaintools to keep track of, as in the example below of a counterfeit-related website handing over the domain´s ownership:



Figure 3: Registar domains extracted with DomainTools.com


With the side project: desenmascara.me I usually keep track how counterfeit-related websites are maturing. Inmersed in these tasks I was investigating the domain: http://www.123australian.com cause despite of showing up all signs of a counterfeit-related one, the online tool http://desenmascara.me was not able to analyze it due to some kind of block countermeasures on the counterfeit domain server side.



Figure 4: Register domains extracted with DomainTools.com


The same behavior was showed by the domain: http://111MediaGroup.com this case the domain was manifestly a copy-cat of Adidas but in Danish language.

Figure 5: Register domains extracted with DomainTools.com



Based on the Whois public data observed I started to suspect; the name server of both domains is the same, they also have been recently created and the email registration seems random but under the same domain yeah.net (a China based company).

Both pictures figure 3 and figure 4 were extracted with the free Domain tools whois lookup tool. In the other hand, Iris is a tool to give you additional insights while investigating any kind of online fraud. In this case, by using Iris in order to investigate further these 2 domains, I just found a massive and fresh campaign of around 50.000 counterfeit-related websites !! and all in less than 5 minutes.

Lets see the step by step process:

1. With valid DomainTools credentials we access to the Irish service:

Figure 6: Iris main website

2. We type the IOC we would like to investigate further, in this case: 111mediagroup.com

  Figure 7: Web domain being investigated with the Iris tool

3. In the email section we see the same email addresses as devised in the public whois lookup tool plus two additional mail addresses. Right click in any of these fields and we can see the number of additional domains registered under them. When pivoting over the random mail address based on yeah.net domain it show the text: "no other domains share this value" but when we pivot over the mail address yinchu4c@163.com as seen in the figure 8:



  Figure 8: Pivoting over an Indicator ( web mail address )

4. We see 53.361 domains share this value. Lets check them out. In order to do it we click over "Narrow Search" and in the top menu we will see a new tag with this field as show below in the figure 9:


  Figure 9: Multitag search (web domain and web mail address)


5. Now we remove the domain tag in order to extract all the information related "only" to this email address and then we noticed the surprise:

  Figure 10: Iris search with a key indicator ( web mail address )

53.679 fresh counterfeit-related domains found !! a quick random verification show us that all are related to counterfeit-related websites targeting a huge amount of brands under domains which belong to many different TLDs specially: .com, .de and .top

Lets take a look to some of them as examples under the different TLDs.

Counterfeit-related website targeting to the New Balance brand: 122ratto.com

  Figure 11: Counterfeit related website



Multibrand counterfeit-related website: 0entropie.de 

                                                                    Figure 12: Counterfeit related website

Multibrand Counterfeit-related website: a1ecosolutions.co.uk

                                                                    Figure 13: Counterfeit related website


Counterfeit-related website targeting to the Reebok brand: reebokclassic.es

                                                                    Figure 14: Counterfeit related website


Multibrand Counterfeit-related website (car parts, toys, electronics...): aamumalls.top

                                                                    Figure 15: Counterfeit related website


Multibrand counterfeit-related website: aan-massage.nl

                                                                    Figure 16: Counterfeit related website


Multibrand counterfeit-related website: 10sharks.org

                                                                    Figure 17: Counterfeit related website



"All the information collected here as been sent along to the Europol as part of the IOS program to fight the trade of counterfeit products online."

Update: After some days, the Indicator yinchu4c@163.com keeps registering new counterfeit-related domains as while I am writing this update (some days later after writing the original article) the number of domains related to this counterfeit actor is: 55.048. That is 1369 new counterfeit-related domains registered within a few days by the same actor.