UPDATE 23.06.2015: This campaign dated on 22.06.2015 is targeting an additional brand: RayBan, see below the recent created fake domains.
UPDATE2 24.6.2015: Instead of spending money to register fake domains they are now using subdomains of the compromised websites
UPDATE3 26.6.2015: Hundreds of compromised websites popping up on Google searchs and spam phase in Twitter through either fake or compromise accounts.
All the data collected by desenmascara.me is taken directly from the users asking for websites information. But regarding the new anti-counterfait features, I am playing with new methods to collect fresh information.
UPDATE2 24.6.2015: Instead of spending money to register fake domains they are now using subdomains of the compromised websites
UPDATE3 26.6.2015: Hundreds of compromised websites popping up on Google searchs and spam phase in Twitter through either fake or compromise accounts.
All the data collected by desenmascara.me is taken directly from the users asking for websites information. But regarding the new anti-counterfait features, I am playing with new methods to collect fresh information.
One of this new methods I am playing with is through twitter. I have some scripts collecting information with certain keywords and regularly that information is processed to extract the relevant URLs and then look by common fake patterns among them. By doing that I came across a massive campaign targeting Michael Kors and Oakley brands. The campaign seems is still in a recent stage as the content was not ready yet but the recently created fake Michael Kors domain (02.06.2015):
was already being served through the below HTTP request (which is collecting all the details about the User Agent, Operative System and screen size)
https://mediatracker.iljmp.com/track/click?product=42&url=http%3A%2F%2Fadaptik.com%2Fcheap-michael-kors-handbags-outlet-fake-michael-kors-handbags-outlet-6382%2F&user_agent=Mozilla%2F5.0%20(Windows%20NT%206.1%3B%20WOW64%3B%20rv%3A36.0)%20Gecko%2F20100101%20Firefox%2F36.0&screen=1366x768x24&identity=&rand=840
and this recently created fake Oakley domain (created on: 20.06.2015) was ready as well:
hxxp://sunglasssell.com/
hxxp://sunglasssell.com/
The below are just a small list of the compromised websites which are being spammed with spurious content pointing towards the yet preparing fake domains:
http://5slov.com/
http://acfutbol.ca
http://adaptik.com
http://asite-studio.ru/
http://blogdekoratora.ru/
http://blog.gigavoice.com
http://blog.luminux.ca
http://bookwormselc.com
http://DAlossilos.com
http://dot.armm.gov.ph/
http://extension.umaine.edu/
http://fortuner.com.vn/
http://insight.antares.no
http://jonnykennedy.co.uk/
http://lekaconstructions.com.au/
http://sekilass.com/
http://server.ashoresystems.com
http://shamlife.com/
http://simpleroot.com
http://siquiatrico.cl/
http://test.bymike.ch
http://tips4droid.com/
http://ucilna.si/
http://unesco-elearning.unir.net/
http://unidream.org/
http://wil.hk/
http://www.bodycopy.es/
http://www.buzzhunt.co.uk/
http://www.ciakluxury.com/
http://www.cuentos-infantiles.org/
http://www.elhumanista.net
http://www.eunaapa.eu/
http://www.gadgetmundi.com
http://www.katie-brown.co.uk/
http://www.hcitalia.it/
http://www.hondublog.com
http://www.marketingbyte.com
http://www.nexiantraining.es/
http://www.opticadirecta.es/
http://www.renewsworld.com
http://www.syllistudio.com/
http://www.tatsuzine.com/
http://www.thecollectivesa.com/
http://www.tuviaje.com/
http://www.unili.com/
http://www.videojuegosvirtuales.com
All the above compromised websites are based on Wordpress CMS but there are different versions either updates and quite old ones and different hostings so it is not clear how they become infected but most likely through some vulnerable wordpress plugin.
Screenshot of one of the compromised sites with the spam
Screenshot of another of the compromised sites with the spam
Screenshot of another of the compromised sites with the spam
Some of the fake domains which are being prepared for the campaign either through black hat seo tactics or as a chain redirects are:
(Creation date: 2015-06-22)
Michael Kors fake domains
http://cheapmichaelkoroutletshop.com/
http://cheapmichaelkorsol.com/
http://discountmichaelkorsshop.com/
http://fakemichaelkorsshop.com/
http://michaelkorsoutletc.com/
http://newmichaelkorshandbagoutlet.com/
http://newpatternoutletmichaelkorhandbag.com/
http://replicacheapmichaelkors.com/
http://wholesalemichaelkorsshop.com/
http://discountmichaelkorsshop.com/
http://fakemichaelkorsshop.com/
http://michaelkorsoutletc.com/
http://newmichaelkorshandbagoutlet.com/
http://newpatternoutletmichaelkorhandbag.com/
http://replicacheapmichaelkors.com/
http://wholesalemichaelkorsshop.com/
Oakley fake domains
http://cheaperfakeoakleys.com/
http://cheaperfakeoakleysunglasses.com/
http://cheapoakleysbat.com/
http://cheapoakleyscn.com/
http://cheapoakleysonline.com/
http://wholesalecheapoakleysunglasses.com/
http://wholesaleoakleydiscount.com/
UPDATE 1: New brand being targeted
http://cheaperfakeoakleys.com/
http://cheaperfakeoakleysunglasses.com/
http://cheapoakleysbat.com/
http://cheapoakleyscn.com/
http://cheapoakleysonline.com/
http://wholesalecheapoakleysunglasses.com/
http://wholesaleoakleydiscount.com/
UPDATE 1: New brand being targeted
RayBan fake domains
http://cheapraybanc.com/
http://cheapraybanl.com/
http://cheapraybanolshop.com/
http://cheapraybanshop.com/
http://discountraybanss.com
http://discountraybansshop.com/
http://discountraybanx.com/
http://fakecheapraybanssale.com/
http://fakecheapraybansunglasses.com/
http://fakeraybanshop.com/
http://fakeraybansss.com/
http://replicaraybansshop.com/
All the sites above had the same desenmascara.me score which means all are under the same infrastructure.
http://cheapraybanc.com/
http://cheapraybanl.com/
http://cheapraybanolshop.com/
http://cheapraybanshop.com/
http://discountraybanss.com
http://discountraybansshop.com/
http://discountraybanx.com/
http://fakecheapraybanssale.com/
http://fakecheapraybansunglasses.com/
http://fakeraybanshop.com/
http://fakeraybansss.com/
http://replicaraybansshop.com/
All the sites above had the same desenmascara.me score which means all are under the same infrastructure.
The picture below is a script found on a website prepared for future redirections towards the recent created fake domain pointed out above:
UPDATE 2: Today a new tactic was discovered; known as "Domain Shadowing".
ucilna.si is a compromised website which their web owners do not worry to much about their maintenance:
then the bad guys have at their disposal the infrastructure and then instead of investing money purchasing fake domains like pointed out above for the 3 brands, now they can leverage on poor maintained websites like this to create subodomains to host their fake sites.
Examples of another sites using the same tactic for another brands:
Website compromised with a Hermes fake shop within a subdomain
Another website compromised with a Reebok fake shop within a subdomain
UPDATE 3: Google results and twitter spam of this massive campaign.
In any of the compromised websites we can see a bunch more of links to another compromised websites like in this picture above:
In Google we can see this campaign does show 615 results:
In twitter this campaign is leveraging hundreds of compromised accounts:
Bottom line: Despite warning to the affected brands about this ongoing campaign which started on 22 of June, no feedback has been received and all the fake domains including the ready to shop:
hxxp://www.hotmichaelkors.com/
hxxp://sunglasssell.com/
are still actives at the time I am writing this (26.06.2015) update. For the rest of the fake domains which are still on preparation mode we can expect they become online during the next days.
All the fake domains detected in this campaign are already spoted by desenmascara.me
If you don´t know how to spot a fake website just either use desenmascara.me or send us feedback.