Desenmascara.me

How to verify whether a website is legitimate or not?: desenmascara.me

Saturday, 28 September 2019

How easily a Google product is being misused to market counterfeit goods

Update (11.06.2020): Google now allows requesting removal of "Counterfeit: sale of counterfeit goods" from Google search results.

Update (21.10.2019): INCOPRO has released a report about this same problem with key findings, metrics and a call to internet search engines to act against this online fraud, all quite well formatted for easy, recommended reading.


"While our systems get better over time, counterfeiting remains a complex challenge, and we keep investing in anti-counterfeiting measures."  Kent Walker, Senior Vice President and General Counsel, Google. (2011)
"Just as in the offline world, people misuse legitimate online services to try to market counterfeit goods. This abuse hurts our users and our business; combating it is central to Google's operations." (Testimony of Kent Walker before the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet Hearing on 'Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II' April 6, 2011)

A few years ago I wrote the SANS paper "Tracking online counterfeiters". At the time, this paper provided some metrics from an OECD report dated 2016, in which the trade in counterfeit goods amounted to 2.5% of world trade. Currently, based on the latest OECD report, trade in fake goods is 3.3% of world trade and rising.

In the same SANS paper I also included the research "framing dependencies introduced by underground commoditization", which showed the federation of specialists selling capabilities, services, and resources explicitly tailored to the abuse ecosystem.

Revenue generation is outsourced to “affiliates”—independent contractors paid on a commission basis for each sale they bring in. [cited from original paper]



A bit more than a couple of years after the release of the aforementioned SANS paper, let's take the two premises above and dig a little deeper into this online counterfeiting fraud. I will briefly expose specific tactics online counterfeiters use to target different countries. The goal is to support the two previous premises (increasing online fraud, and specialists selling capabilities in the underground commoditization market), but also to highlight a huge abuse of a specific search engine that I came across while investigating this tactic. The abuse is especially "sensitive" as it affects hundreds of the most famous and most counterfeited brands.

This problem is especially outrageous because it currently allows counterfeiters to profit from and abuse free services, whereas in the past they used paid services. Not to mention the millions of users potentially being duped by this lack of protection against websites whose only purpose is commercial infringement.

Before going into the details, allow me to define what a FAKE website is.


"Defining what is a rogue site is not a simple task." (Testimony of Kent Walker before the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet Hearing on 'Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II' April 6, 2011)

The above statement is part of the testimony of Kent Walker before the House Judiciary Subcommittee on IP, which you can read in full at the link above. With all respect and humility, I do not agree with the statement, so let me explain my reasoning. I will use the term "rogue site" to mean "FAKE site", and as I will deal with FAKE websites here, I will first define what the signs of a FAKE website are. To make it easier, I will follow the guidelines promoted by Europol to detect fraudulent sites selling fakes (also the basis of what the online tool https://desenmascara.me performs behind the scenes, on top of many other checks, to flag a website as FAKE). The only rectification I would make to those Europol guidelines is to remove the red flag below:



The above check to detect fraudulent sites no longer holds. The mainstream use of free SSL certificates has made it possible for counterfeiters to use SSL, as for instance on the FAKE site below:

FAKE website using an SSL certificate


But let's go back to the point. I do think that defining what a rogue site is is a simple task, so simple that I am still surprised no one is doing something like this yet.

To my humble understanding, a FAKE website is a rogue website that generates profits from the theft of intellectual property and/or lures users. That's all. How can I back up such a statement? Keep reading.

On one side we have the Europol guidelines mentioned previously, plus the yearly Europol operation In Our Sites (IOS) to seize domain names distributing counterfeit and pirated items online. The last edition, in its ninth year, was the most successful ever. On the other side, after years working to improve the accuracy of https://desenmascara.me in flagging whether a website is FAKE or not, I did one thing not only to raise consumer awareness of this online fraud but also to let the offended brands know about FAKE websites abusing their trademarks: the Twitter bot desenmascarame, which only tweets a small percentage of the FAKE websites being detected. At the time of writing, this bot has tweeted around 15k times, mentioning hundreds of brands affected by FAKE websites:


Twitter bot desenmascara.me


Until now the Twitter bot has not received any complaint from the brands affected, quite the opposite; this information has proved useful for the brands mentioned, as per the feedback received from many of them:

Small extract of brands answering the twitter bot


All this experience working to detect counterfeit-related websites, plus the feedback received from the brands and their requests to provide such "intelligence" in formal ways, allowed me to set up a business based on a SaaS service out of this 4-year side project. The business goal is simple yet effective: to detect and flag counterfeit-related websites and to hand over this specific "intelligence" to the offended brands, either later or in real time. Afterwards the brands (or their legal representatives) can initiate legal action against the infringing websites. On top of that, I receive mails from users who were lured by counterfeiters and later found that the online tool https://desenmascara.me would have kept them from becoming victims of such fraud. These users also report websites which they think are FAKE but which, for whatever reason, the online tool is not able to flag correctly.

It is this mix of technology and users that makes the online tool https://desenmascara.me a powerful proof of concept, yet fully functional and in constant evolution. It is a proven, novel solution which could be used as the basis to tackle the online counterfeiting fraud problem globally.

All this experience allows me to affirm that defining what a rogue website is is not a complicated task, but it is a grey area. A grey area where the DMCA and a position to censor the Internet intersect. These facts lead to a situation where there is no incentive to be proactive about online counterfeiting fraud, only reactive, by putting up forms aimed at trademark owners to report counterfeit goods. It is also a grey area because it depends on country legislation and local judges' considerations; for instance, there are legal cases where Internet service providers were ordered to block websites infringing trademarks, and other cases where the ISP could not be forced. Country-specific legislation, right holders and internet freedom make this topic not only a grey area but a hard problem to solve, where different actors should be aligned to act upon it at the scale it deserves.

The scale I am talking about is not thousands but millions of domains being used by online counterfeiters to promote their items and to lure internet users. Despite all the efforts and huge investments big companies are making, this is happening with the complicity of search engines and social networks alike, plus the lack of any effort in this area by security vendors.

Is there any technology (e.g. Safe Browsing, proxy vendors, Web of Trust, blacklists...) right now which prevents you from browsing any of these websites: (https:// www.swarovskijoyas .es), or this (https:// www.philippevente. online), or this ( https:// northfaces. store) or this one (https: //www. jackwholesaler.com)...? (If so, please do let me know.)


After all this introduction to FAKE websites and the grey area they belong to, let me show you how I came across a specific Google product being massively misused to market counterfeit goods.

As part of improving the detection accuracy of desenmascara.me I spent time researching how online counterfeiters operate, what their tactics are, how they are organized and what toolkits they use to scale their business. Let's start with a simple FAKE web page like the one below:


http:// www.libredetabaco.es


This website falls easily under the red flags exposed by Europol:

  • Prices seem good
  • Contact us section pretty simple and generic
  • Site looks unfinished with broken links
  • Domain name is totally unrelated to the content
  • and many more red flags...

Now, looking at the HTML code, let's focus our attention on the highlighted line:


Suspicious html code used by the counterfeiter actor


It seems to be custom code used under the templates directory (which sets up how the website looks) to create the website. If we search for this specific string in Google, we only see 4 organic results (3 domains used by the counterfeiters in the Search Engine Results Page, SERP), but the interesting part is in the "images product":

Google SERP of a specific template directory found in the html code


When we click on "Más imagenes de..." (Spanish for "more images of..."), we see the following pictures under the highlighted domains (all FAKE based on the Europol red flags and desenmascara.me):


Google images result with the string search wgtestwo136dkghnleejfliejf


There are several results pointing to around 7 different websites with the same code. It's likely that the code belongs to the creator of the websites, as in this specific case all results are under the Top Level Domain (TLD) .es and use domains which had expired and were afterwards leveraged by the creators of the FAKE sites; this is another typical tactic of the counterfeiters.

Let's try to confirm this with a different domain hosted on the same infrastructure as the previous FAKE website. Take a look at a slightly different string that still follows the same format as the previous example:

Suspicious html code used by the counterfeiter actor


Here we have around 10 counterfeit-related websites which share the same code and, as in the previous example, all those websites are under the TLD .es and all of them have domain names unrelated to the webshop content:

Google images result with the string search wgtestwo134asuifheufhals


What we are observing here is specific contractors creating FAKE websites under the TLD .es. These contractors are just a small part of the full supply chain of the online counterfeiting schemes, as pointed out in the paper mentioned at the beginning of this article.


Now let's take a look at actors dedicated to different countries, for example Germany and Austria (.de and .at TLDs). The website template below looks quite similar to the previous website:


http:// www.circuitnoize.at


The red flags are the same as for the previous FAKE website, but now in the HTML code we notice a slightly different template name (tu2kitySHOPde):

"<div class="yccrFvaOgfCU"><img src="includes/templates/tu2kitySHOPde/images/cardd.gif"></div>"
Suspicious html code used by the counterfeiter actor


Now we do the same as before and perform a Google search with this specific code. On this occasion the search returned 0 results, but again it led us to the additional and interesting results on Google Images:

We click on Google Images and voilà! We see a few domains with the same type of pictures:




hxxp://www.guntenlauf.at/
hxxp://www.circuitnoize.at
hxxp://www.nikolabartenbachkunst.at
hxxp://www.awesome-riders.at
hxxp://www.strahlemannrockt.de/

Also, the above domains were registered on the same consecutive days. This is just a small, specific example of how actors operate to create FAKE shops with pre-built kits and to host them under previously used domains and TLDs they might be familiar with in terms of language or target market.
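
The pivot described above, where a kit-specific template directory name in the HTML links otherwise unrelated domains, can be automated for brand-protection triage. The following Python is an added example, not code from desenmascara.me: the function names, the list of stock directory names and the `.example` sample pages are assumptions constructed for illustration; only the `includes/templates/<name>/` path shape and the name `tu2kitySHOPde` come from the page.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path shape seen in the page's HTML sample: includes/templates/<name>/...
TEMPLATE_RE = re.compile(r"includes/templates/([A-Za-z0-9_-]+)/")
# Stock directory names carry no attribution value (assumed, illustrative list).
GENERIC = {"template_default", "classic", "responsive_classic"}


class TemplateRefs(HTMLParser):
    """Collect template directory names from src/href attributes only."""

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "href") and value:
                self.names.update(TEMPLATE_RE.findall(value))


def template_fingerprints(html):
    parser = TemplateRefs()
    parser.feed(html)
    return {n for n in parser.names if n.lower() not in GENERIC}


def cluster_by_template(pages, min_sites=2):
    """pages: {url: html}. Returns {fingerprint: sorted hostnames}."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        host = urlsplit(url).hostname
        for name in template_fingerprints(html):
            clusters[name].add(host)
    return {n: sorted(h) for n, h in clusters.items() if len(h) >= min_sites}


# Constructed sample pages on reserved .example hosts (not real sites).
SAMPLE_PAGES = {
    "http://shop-a.example/": '<div><img src="includes/templates/tu2kitySHOPde/images/cardd.gif"></div>',
    "http://shop-b.example/": '<link rel="stylesheet" href="/includes/templates/tu2kitySHOPde/css/style.css">',
    "http://shop-c.example/": '<img src="includes/templates/template_default/images/logo.gif">',
    "http://blog.example/": "<p>includes/templates/tu2kitySHOPde/ quoted in an article body</p>",
}

print(cluster_by_template(SAMPLE_PAGES))
```

Only attribute values are inspected, so a page that merely quotes the string in its text (the constructed `blog.example` entry) is not pulled into the cluster, and stock directory names are dropped because they would link unrelated shops.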

To avoid sensitivities around the above Google Images examples, I have tried to avoid showing websites targeting specific brands.

The fact that searching for those quite specific, unique codes found in the HTML code of the FAKE sites returned few or no results on a Google search but did return results on the image search product made me explore some possibilities, which after a few tests proved true: the Google image search product opens the door to thousands of results of FAKE websites offending literally every brand which might be counterfeited. While these results are not available in the SERPs (at least not visible in the first pages), they are fully available through Google image search:

Google image results leading to FAKE websites owned by online counterfeiters.


I have omitted any specific brand logo or trademark name, but as you can see above, a typical Google image search might lead to FAKE websites. All those websites were categorized as FAKE by the online tool desenmascara.me because all of them have the red flags recommended by Europol to detect fraudulent websites. Also note that the Web of Trust icon (the green icon close to the website address) does not indicate any danger or suspicious flag, when actually any user who purchases items on any of those websites might be:
  • Lured and will not receive anything
  • Lured and will receive a counterfeit item
  • Lured and their personal information will be misused to feed this online fraud
  • Lured and their credit card details will be stolen
In summary, users being directed towards these websites might be lured by the online counterfeiters.

To conclude, as already mentioned, this might be a grey area, but the reality is that it is not so difficult to detect and flag FAKE websites. Google has hundreds of PhDs working in Mountain View, Zurich and around the world on hard problems. Maybe this problem doesn't make the cut of the priority list right now? According to the World Economic Forum (WEF), online counterfeiting is part of one of the top illicit trades of the 21st century, along with drug trafficking, human trafficking, diamonds and a few others. It is in the best interest of users, the brands affected and society in general (terrorism finance, tax evasion, child labour, poor conditions...) to keep these counterfeit sellers off the Internet. We just need the will, proactivity and cooperation to tackle this online fraud.



Disclaimer: of course, I have a vested interest in taking these counterfeit websites off the Internet. I just want to test my proof of concept project at scale to show how this problem might be solved.