Disclaimer: Thanks to my side project desenmascara.me I reached out an agreement with DomainTools to use their commercial tools to research news ways about how to leverage them to gather additional intel around the online counterfeiting fraud. This is an example of a small research with the outcome of a massive campaign of counterfeit-related websites. A more formal article can be found on the DomainTools blog.
In the context of online counterfeiting, there are four classes of domain that warrant discussion:
- Counterfeiters registered domains
- Free hosting based
- Legitimate but compromised
- Expired domains
In order to know more about each type you can take a look to the SANS paper "Tracking online counterfeiters". For the purpose of this article I will focus on the first type but just to find later a massive campaign of counterfeit websites of different types.
A counterfeit registered domain might be as in example: http://www.pradaus.com (active while writing this article)
Figure 1: Counterfeit-related website www.pradaus.com
This involves the online counterfeiters using any provider to register the domain in the conventional sense. Unfortunately Whois data can be spoofed yet. In fact, if the counterfeiter was never going to need to manage the domain again, he could use a false e-mail address. This scenario mostly works for the bad-guys registering C2 domains, but usually is not the case for counterfeit-related websites, as in the above case:
Figure 2: Legitimate mail address used to register the counterfeit-related website www.pradaus.com
Other considerations are that registration services often sell privacy/protected registration as a service. In those cases, only the privacy service and registrar have the information provided by the registrant that registers a domain on behalf of someone else and then transfers it to them shortly thereafter. In those cases (also mostly seen on C2 domain registrations) the initial registration would be the intermediary, and then registrant data may be updated later to reflect the actual domain owner. Something you can easily set up as an alert in Domaintools to keep track of, as in the example below of a counterfeit-related website handing over the domain´s ownership:
Figure 3: Registar domains extracted with DomainTools.com
With the side project: desenmascara.me I usually keep track how counterfeit-related websites are maturing. Inmersed in these tasks I was investigating the domain: http://www.123australian.com cause despite of showing up all signs of a counterfeit-related one, the online tool http://desenmascara.me was not able to analyze it due to some kind of block countermeasures on the counterfeit domain server side.
Figure 4: Register domains extracted with DomainTools.com
The same behavior was showed by the domain: http://111MediaGroup.com this case the domain was manifestly a copy-cat of Adidas but in Danish language.
Figure 5: Register domains extracted with DomainTools.com
Based on the Whois public data observed I started to suspect; the name server of both domains is the same, they also have been recently created and the email registration seems random but under the same domain yeah.net (a China based company).
Both pictures figure 3 and figure 4 were extracted with the free Domain tools whois lookup tool. In the other hand, Iris is a tool to give you additional insights while investigating any kind of online fraud. In this case, by using Iris in order to investigate further these 2 domains, I just found a massive and fresh campaign of around 50.000 counterfeit-related websites !! and all in less than 5 minutes.
Lets see the step by step process:
1. With valid DomainTools credentials we access to the Irish service:
Figure 6: Iris main website
2. We type the IOC we would like to investigate further, in this case: 111mediagroup.com
Figure 7: Web domain being investigated with the Iris tool
3. In the email section we see the same email addresses as devised in the public whois lookup tool plus two additional mail addresses. Right click in any of these fields and we can see the number of additional domains registered under them. When pivoting over the random mail address based on yeah.net domain it show the text: "no other domains share this value" but when we pivot over the mail address [email protected] as seen in the figure 8:
Figure 8: Pivoting over an Indicator ( web mail address )
4. We see 53.361 domains share this value. Lets check them out. In order to do it we click over "Narrow Search" and in the top menu we will see a new tag with this field as show below in the figure 9:
Figure 9: Multitag search (web domain and web mail address)
5. Now we remove the domain tag in order to extract all the information related "only" to this email address and then we noticed the surprise:
Figure 10: Iris search with a key indicator ( web mail address )
53.679 fresh counterfeit-related domains found !! a quick random verification show us that all are related to counterfeit-related websites targeting a huge amount of brands under domains which belong to many different TLDs specially: .com, .de and .top
Lets take a look to some of them as examples under the different TLDs.
Counterfeit-related website targeting to the New Balance brand: 122ratto.com
Figure 11: Counterfeit related website
Multibrand counterfeit-related website: 0entropie.de
Figure 12: Counterfeit related website
Multibrand Counterfeit-related website: a1ecosolutions.co.uk
Figure 13: Counterfeit related website
Counterfeit-related website targeting to the Reebok brand: reebokclassic.es
Figure 14: Counterfeit related website
Multibrand Counterfeit-related website (car parts, toys, electronics...): aamumalls.top
Figure 15: Counterfeit related website
Multibrand counterfeit-related website: aan-massage.nl
Figure 16: Counterfeit related website
Multibrand counterfeit-related website: 10sharks.org
Figure 17: Counterfeit related website
"All the information collected here as been sent along to the Europol as part of the IOS program to fight the trade of counterfeit products online."
Update: After some days, the Indicator [email protected] keeps registering new counterfeit-related domains as while I am writing this update (some days later after writing the original article) the number of domains related to this counterfeit actor is: 55.048. That is 1369 new counterfeit-related domains registered within a few days by the same actor.
No hay comentarios:
Publicar un comentario
Trata a los demás como te gustaría ser tratado.