How to verify whether a website is legitimate or not?

Tuesday, 9 January 2024

Report a fraudulent website

Chrome plugin warning about a fraudulent website

Chrome plugin warning about a fraudulent website that uses celebrities

Fraudulent website

If you fell for an online scam, act quickly.

  • Collect evidence
  • Report it to the authorities
  • Use to alert other users.

Examples of fraudulent websites impersonating well-known brands:

Wednesday, 7 December 2022

ChatGPT still can't let us know whether a website is fraudulent or not

Note: See the bottom of this post for more updates on ChatGPT.

ChatGPT, the general-purpose chatbot released by the cutting-edge project OpenAI, is making headlines everywhere. Let's leave a few random ones here for the record, to check out later on.

ChatGPT is fine-tuned from a model in the GPT-3.5 series, which finished training in early 2022. 

It was trained using Reinforcement Learning from Human Feedback (RLHF). 

With all the buzz, I tried a few simple questions:

What I learnt:

  • I have no idea about AI. This article is just to grasp some concepts.
  • The fluency of its answers is an illusion that stems from the combination of massive amounts of data, immense computing power, and novel processing techniques.
  • One of the more popular use cases seems to be generating essays, though there is already an OpenAI detector PoC.
  • The robot is not connected to the Internet, therefore its knowledge stops at 2021-09 (at the time of writing this article).
  • The technology is impressive but still has its limitations, as seen above.
  • Still far away from the Singularity (see below).

A while ago I read the book "Life 3.0: Being Human in the Age of Artificial Intelligence" by Max Tegmark.

Below are some random paragraphs that I had marked in the book:

Intellectual property rights are sometimes hailed as the mother of creativity and invention. However, Marshall Brain points out that many of the finest examples of human creativity - from scientific discoveries to creation of literature, art, music and design - were motivated not by a desire for profit but by other human emotions, such as curiosity, an urge to create, or the reward of peer appreciation. Money didn't motivate Einstein to invent special relativity theory any more than it motivated Linus Torvalds to create the free Linux operating system. In contrast, many people today fail to realize their full creative potential because they need to devote time and energy to less creative activities just to earn a living. By freeing scientists, artists, inventors and designers from their chores and enabling them to create from genuine desire, Marshall Brain's utopian society enjoys higher levels of innovations than today and correspondingly superior technology and standard of living.

Since we can't completely dismiss the possibility that we'll eventually build human-level AGI, let's devote this chapter to exploring what that might lead to. Let's begin by tackling the elephant in the room: Can AI really take over the world, or enable humans to do so?

If you roll your eyes when people talk of gun-toting Terminator style robots taking over, then you're spot-on: this is a really unrealistic and silly scenario. These Hollywood robots aren't that much smarter than us, and they don't even succeed. In my opinion, the danger with the Terminator story isn't that it will happen, but that it distracts from the real risks and opportunities presented by AI. To actually get from today to AGI-powered world takeover requires three logical steps:

  • Step 1: Build human-level AGI.
  • Step 2: Use this AGI to create superintelligence.
  • Step 3: Use or unleash this superintelligence to take over the world.

Update: 12/12/2022

Thursday, 31 March 2022

MITRE publishes 11 strategies of a world-class cybersecurity operations center

MITRE has published 11 Strategies of a World-Class Cybersecurity Operations Center, a practical book for enhancing digital defense for security operations center (SOC) operators.

“Operating without commercial conflicts of interest, we’re working to arm a worldwide community of cyber defenders with vital information to thwart network intruders,” said Wen Masters, vice president, cyber technologies, MITRE. “We draw from a wealth of deep technical expertise at MITRE to address the ever-evolving challenges in cybersecurity. The authors of 11 Strategies of a World-Class Cybersecurity Operations Center bring forth the best principles and practices within MITRE to help the entire cyber ecosystem leverage up their defenses and operations.”

Download PDF

Monday, 6 December 2021 in Riyadh, Saudi Arabia

Vision 2030 is a unique transformative economic and social blueprint that is opening Saudi Arabia to the world. 

"Our country is rich in its natural resources. We are not dependent solely on oil for our energy needs. Gold, phosphate, uranium, and many other valuable minerals are found beneath our lands. But our real wealth lies in the ambition of our people and the potential of our younger generation. They are our nation’s pride and the architects of our future."

Saudi Vision 2030

Under this program, @athack, the biggest infosec conference in Saudi Arabia, was born.

It had a comprehensive agenda with speakers from all over the world, so the Saudis don't need to go abroad to see on stage gurus like Bruce Schneier, successful entrepreneurs like Robert M. Lee, the people hacker Jenny Radcliffe, or the hacker Jayson E. Street.

In total, around 250 international security professionals were brought to the event. I had the extraordinary opportunity to attend the @Hack Arsenal.

In the @Hack Arsenal area I had the chance, along with many other security researchers, to demo the tools we are working on.

Fraud in Saudi Arabia is in line with the worldwide metrics: constantly increasing.

I showed some last-minute examples of fraudulent websites that had popped up in my Twitter stream as advertisements!

I also showed some fraudulent websites in Arabic; I had no idea what they were about, but someone in the audience thankfully clarified it for me :-)

It seems the audience got interested in the topic. 

After the session there were quite a few interesting questions and interactions with the audience:

I have had the opportunity to meet new and quite interesting people, to learn a bit more about other cultures and Islam, and I even did an interview for the Saudi Federation for Cybersecurity, Programming and Drones, one of the main organizers in partnership with other entities :)

There is great young talent in Saudi Arabia and everyone has faith in the Saudi Vision 2030. Saudis know the importance of learning programming; soon it will be as important as learning to read and write. Part of their strategy is to create one programmer out of every 100 Saudi nationals by 2030, in addition to encouraging innovation and creativity and achieving global leadership. This was our grain of sand to support their vision.

Thank you to the ToolsWatch team and to all the arsenal presenters for such a great experience!

I have to say it has been an impressive experience to visit the Kingdom of Saudi Arabia and to feel the warmth and kindness of its people. Hats off to the organization of atHack!!

Friday, 29 October 2021

Facebook refuses to drive scammers off its platform because it generates billions of dollars per year in revenue from Deceptive Facebook Ads

The title of this post is the response to this other article, "Facebook does not worry about the online counterfeiting fraud".

Recently I became aware that Facebook (or Meta) has been served with a lawsuit accusing it of actively soliciting and assisting scammers for its own financial gain and to users' detriment.

The whole document is worth a read for pearls like the ones below:

4. Facebook has done much more than passively create and maintain a platform on which scammers can brazenly target users with scams. According to internal Facebook documents, and current and former Facebook employees and contractors recently interviewed by various investigative journalists at prominent publications,4 Facebook actively solicits, encourages, and assists scammers in numerous ways. On the revenue side, according to these investigations, Facebook’s sales teams have presented at conferences heavily attended by known scammers, socialized with known scammers for business development purposes, and met revenue quotas by encouraging known scammers to continue buying Facebook ads. Facebook’s sales teams have also been aggressively soliciting ad sales in China and providing extensive training services and materials to China-based advertisers, despite an internal study showing that nearly thirty percent (30%) of the ads placed by China-based advertisers — estimated to account for $2.6 billion in 2020 ad sales alone — violated at least one of Facebook’s own ad policies. 

5. On the enforcement side, according to these investigations, Facebook has affirmatively directed employees and contractors tasked with monitoring Facebook’s platform for deceptive ads to (i) ignore ads placed by hacked Facebook accounts and pages, as long as Facebook gets paid for these ads, and (ii) ignore violations of Facebook’s Ad Policies, especially by China-based advertisers (since Facebook “want[s] China revenue”). 

6. In October 2020, the Federal Trade Commission (“FTC”) reported that about 94% of the complaints it collected concerning online shopping fraud on social media identified Facebook (or its Instagram site) as the source.5   

Let's see how this lawsuit ends up.

Thursday, 28 October 2021

High-yield investment fraud taken down through

This type of scam is known in English as a "High Yield Investment Program". It is basically an online Ponzi scheme. With crypto it is now one of the most popular, but it has been on the Internet for years.

How does it work? I recently received this email from a user of the service. Let's see it first-hand:

The website looked like this:

After analysing it with the service, I confirmed through metadata that it is fraudulent. In addition, certain data patterns from this website have been added to the service to improve the detection of fraudulent pages with similar characteristics.

It has also been submitted to VirusTotal, to warn the community:

This website had been active for months:

The fact that no other company yet detects the website as fraudulent indicates that this type of fraud, despite being on the rise, is not taken into account by the information security industry. This may be because this kind of fraudulent activity belongs more to the field of financial crime. In this respect, there are search tools, not very user-friendly it must be said, such as the one provided by the CNMV. This website was not on the radar of the market regulators either:

Finally, given the success I had with the takedown of another fraudulent website that had scammed more than $25000 out of 40 people in three days, I have also requested the takedown of this website.

In less than 2 hours it was taken down:

If you have the right contacts or resources to help me dismantle this type of fraud at scale, do not hesitate to get in touch with me.

Wednesday, 20 October 2021

has prevented a fraud that had accumulated more than $25,000 in three days

The free online service for detecting whether a website is fraudulent or not has managed to thwart a fraud that in 3 days had scammed more than $25,000 out of 40 people.

It all started with this email that arrived in my inbox:

I receive quite a few emails from people who have doubts about potentially fraudulent online transactions, or who have been scammed and ask for advice. I skim the emails and, to save time, reply to the ones I find most interesting and that can help improve the service. If you want to contact me with an absolute guarantee that I will reply, you can do so through the MyPublicInbox service.

I replied to this user asking which website they were referring to:

The user replied without using many words:

I checked the website with the service and, based on several metadata-analysis criteria, it was classified as fraudulent. Below you can see the fraudulent-site warning shown by the Chrome plugin.

This fraudulent website took advantage of the name of a well-known Blockchain project. This technique is called brandjacking. Once the website had been classified as fraudulent, I notified the user:

At this point, I also noticed that the fraudulent website was hosted on a hosting platform that tends to be very cooperative with requests to take down fraudulent pages, which is not very common for legal and, of course, business reasons. So I contacted them to let them know that they were hosting a fraudulent website. To my great surprise, they replied within a few minutes saying that the website had been taken down following my request.

So, with that feeling of joy and adrenaline that a job well done gives you, I also notified the user who had reported the website to me:

My final surprise came when the user replied:

Identifying the person who owns the website is now a matter for the police.
The service is a free resource to help anyone find out whether a website is fraudulent or not.

I have many ideas in mind to prevent this type of fraud at scale. But for that I need the right contacts in institutions and police forces, something I have tried to get, but without much success so far. Do not hesitate to get in touch with me if you think you can help. Thank you very much.

Wednesday, 24 February 2021

Rogue websites: Domain registrars have a duty to disconnect

This is quite a controversial topic, so this post is a placeholder for law/GDPR-related articles on it.

Article 1)

"The German BGH decision confirms that domain registrars have a duty of care to disconnect domains used by websites dedicated to copyright infringement. It is interesting that the BGH did not see domain registrars as access providers, but still applied the duties of care for access providers to them. This needs to be welcomed as a clarification of open legal issues not only in Germany. That said, it would have been good if the BGH had referred some of the open EU law questions to the CJEU. We will have to wait for another day for a final decision on Union law." 
Rogue websites: Domain registrars have a duty to disconnect, says German BGH. Decision available in German.

Article 2)

The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) and took full effect on 25 May 2018. What are the effects on its policy?


Monday, 17 August 2020

Would you say this website is legitimate or FAKE?

With the service I came across the website shown in the picture below:

Fig 1: Section of the main site

The web address is like: https://$ (I have masked the brand on purpose)

The domain will expire 73 days from today, as per the 2 pictures below:

Fig 2: Domain tools information about domain 

Fig 3: Information provided by about the domain

With just the above information, would you say this website is legitimate or fake?

Hint: Nowadays it's not so easy to tell FAKE websites apart from legitimate ones.

Monday, 3 August 2020


The U.S. Federal Bureau of Investigation (FBI) today warned of an increased number of reports coming from victims of online shopping scams.
This fraud has been increasing for a few years. In 2017 I wrote the paper "Tracking online counterfeiters", and the above FBI alert just highlights what we already knew a while ago.
With the service I usually receive complaints from users who have been lured online. As the latest example, I have this email in my inbox:

Usually the tips I give to users who write to me are:
  1. File a complaint at the nearest LEA office. If you are US-based, you can also file a complaint online here. If you are based in Europe, you can report it here.
  2. Before making any purchase online, verify the website you are looking at with the service. If still in doubt, you can just ask us.

In the above case, when I tried to analyze the website reported by the user, I noticed that it had just been analyzed (minutes ago) by the service and, to my surprise, it had been automatically flagged as "Fraudulent!!"

Therefore, my advice to anyone, before making any purchase online, is to either try to follow all the "FBI tips to avoid being victimized" or simply type the web address of the website into the service, and in a few seconds you will know whether it is fraudulent or not.