How to verify whether a website is legitimate or not?:

sábado, 3 de febrero de 2018

How to uncover a massive campaign of counterfeit-related websites with just an e-mail address

Disclaimer: Thanks to my side project I reached out an agreement with DomainTools to use their commercial tools to research news ways about how to leverage them to gather additional intel around the online counterfeiting fraud. This is an example of a small research with the outcome of a massive campaign of counterfeit-related websites. A more formal article can be found on the DomainTools blog.

In the context of online counterfeiting, there are four classes of domain that warrant discussion:
  • Counterfeiters registered domains
  • Free hosting based
  • Legitimate but compromised
  • Expired domains
In order to know more about each type you can take a look to the SANS paper "Tracking online counterfeiters".  For the purpose of this article I will focus on the first type but just to find later a massive campaign of counterfeit websites of different types.

A counterfeit registered domain might be as in example: (active while writing this article)

Figure 1: Counterfeit-related website

This involves the online counterfeiters using any provider to register the domain in the conventional sense. Unfortunately Whois data can be spoofed yet. In fact, if the counterfeiter was never going to need to manage the domain again, he could use a false e-mail address. This scenario mostly works for the bad-guys registering C2 domains, but usually is not the case for counterfeit-related websites, as in the above case:

Figure 2: Legitimate mail address used to register the counterfeit-related website

Other considerations are that registration services often sell privacy/protected registration as a service. In those cases, only the privacy service and registrar have the information provided by the registrant that registers a domain on behalf of someone else and then transfers it to them shortly thereafter. In those cases (also mostly seen on C2 domain registrations) the initial registration would be the intermediary, and then registrant data may be updated later to reflect the actual domain owner. Something you can easily set up as an alert in Domaintools to keep track of, as in the example below of a counterfeit-related website handing over the domain´s ownership:

Figure 3: Registar domains extracted with

With the side project: I usually keep track how counterfeit-related websites are maturing. Inmersed in these tasks I was investigating the domain: cause despite of showing up all signs of a counterfeit-related one, the online tool was not able to analyze it due to some kind of block countermeasures on the counterfeit domain server side.

Figure 4: Register domains extracted with

The same behavior was showed by the domain: this case the domain was manifestly a copy-cat of Adidas but in Danish language.

Figure 5: Register domains extracted with

Based on the Whois public data observed I started to suspect; the name server of both domains is the same, they also have been recently created and the email registration seems random but under the same domain (a China based company).

Both pictures figure 3 and figure 4 were extracted with the free Domain tools whois lookup tool. In the other hand, Iris is a tool to give you additional insights while investigating any kind of online fraud. In this case, by using Iris in order to investigate further these 2 domains, I just found a massive and fresh campaign of around 50.000 counterfeit-related websites !! and all in less than 5 minutes.

Lets see the step by step process:

1. With valid DomainTools credentials we access to the Irish service:

Figure 6: Iris main website

2. We type the IOC we would like to investigate further, in this case:

  Figure 7: Web domain being investigated with the Iris tool

3. In the email section we see the same email addresses as devised in the public whois lookup tool plus two additional mail addresses. Right click in any of these fields and we can see the number of additional domains registered under them. When pivoting over the random mail address based on domain it show the text: "no other domains share this value" but when we pivot over the mail address [email protected] as seen in the figure 8:

  Figure 8: Pivoting over an Indicator ( web mail address )

4. We see 53.361 domains share this value. Lets check them out. In order to do it we click over "Narrow Search" and in the top menu we will see a new tag with this field as show below in the figure 9:

  Figure 9: Multitag search (web domain and web mail address)

5. Now we remove the domain tag in order to extract all the information related "only" to this email address and then we noticed the surprise:

  Figure 10: Iris search with a key indicator ( web mail address )

53.679 fresh counterfeit-related domains found !! a quick random verification show us that all are related to counterfeit-related websites targeting a huge amount of brands under domains which belong to many different TLDs specially: .com, .de and .top

Lets take a look to some of them as examples under the different TLDs.

Counterfeit-related website targeting to the New Balance brand:

  Figure 11: Counterfeit related website

Multibrand counterfeit-related website: 

                                                                    Figure 12: Counterfeit related website

Multibrand Counterfeit-related website:

                                                                    Figure 13: Counterfeit related website

Counterfeit-related website targeting to the Reebok brand:

                                                                    Figure 14: Counterfeit related website

Multibrand Counterfeit-related website (car parts, toys, electronics...):

                                                                    Figure 15: Counterfeit related website

Multibrand counterfeit-related website:

                                                                    Figure 16: Counterfeit related website

Multibrand counterfeit-related website:

                                                                    Figure 17: Counterfeit related website

"All the information collected here as been sent along to the Europol as part of the IOS program to fight the trade of counterfeit products online."

Update: After some days, the Indicator [email protected] keeps registering new counterfeit-related domains as while I am writing this update (some days later after writing the original article) the number of domains related to this counterfeit actor is: 55.048. That is 1369 new counterfeit-related domains registered within a few days by the same actor.

2 comentarios:

  1. На страницах портала promportal.Su представлено 78 предложений раздела "onetwoslim". В каталоге вы легко найдете интересующие вас товары или услуги. one two slim капли Можно заказать удаленно с доставкой на наш веб-сайт. Информация о рассрочках и способах оплаты, номера телефонов продавца записаны в ценнике товара. Узнайте о рассрочках, условиях оптовых закупок, бонусах и текущих акциях у менеджера.

  2. Пользователь имеет возможность приобрести товар, нажав на поле. Закажите вантуслим В гамбурге для участия в акции со скидкой! До и в конце приема onetwoslim в гамбурге Включая обсуждения с отзовикой и irecommend: Аня, работник сельского хозяйства, 38 лет вантуслим, кажется, самое оптимальное лекарство для похудения, которое можно приобрести в нашей стране! Я говорю по опыту, я пробовал то-то и то-то, а также только сейчас получил эффект. Мой муж в шоке! Лично я боялась того, что значит развод, но в конце концов похудела на 6 килограммов. Если бы вы не были onetwoslim в гамбурге, а бетон обладает магическим действием, лишние килограммы мучили бы меня всю оставшуюся жизнь. Галина, турагент, 27 лет я сбросила десять килограммов лишних килограммов с помощью вантуслима. Том целый месяц пил капли перед тем, как лечь спать. Таисия, диджей, 28 лет пережила такой ужас, которого вы никогда не пожелаете. Оставаясь в той позе, которая мне нравилась, я растолстел на 19 килограммов жира. Сбить их с толку так и не получилось. Конец страданиям пришел, когда моя сестра посоветовала мне купить onetwoslim в гамбурге. Десять дней, и стрелка весов показала результат. Теперь я чувствую себя комфортно и стройной, а капли van tu slim - мой главный помощник.


Trata a los demás como te gustaría ser tratado.