Based on the last OECD/EUIPO report (2016), the trade in counterfeit and pirated good amounted to up to 2.5% of world trade in 2013.
The main luxury, fashion and sports brands are being targeted online, many take some proactive measures such as trying to take down the websites affecting their brand, but it is a cat and mouse play, as new FAKE sites will pop it up like mushrooms.
But the Alexander Wang brand has set a precedent; a kind of warning to counterfeiters, as it has just won a $90 million lawsuit against 459 FAKE websites targeting their brand. It does not mean the wining brand will see some millions from this lawsuit as the FAKE sites owners did not show up in court. But the key point is that today it would be more difficult for potential Alexander Wang customers to be victims of online fraud than any other brand, as below (despite their social media efforts).
Endesa is the largest electric utility company in Spain. Recently it has been discovered a ransomware campaign using a fake invoice of a huge amount to pay, in order to trick users to verify it. A clever social engineering move.
More details and the full list of domains involved can be checked in the CSIRT-CV alert.
The interesting part of this new Ransomware campaign is that most of the domains hosting the malicious scripts are based on the popular Joomla CMS.
but as long as the FAKE website is online has been able to lure to dozens of unsuspected users, and counting, as you can check it out in the below blog post created by some victim to raise awareness about the aforementioned FAKE site.
"If any of the victims would have check it out previously the website address in desenmascara.me, they would have discovered that website is not safe to do business with."
" If you do not trust on a website, desenmsacaralo (unmask it) to see what is behind it "
VirusTotal,
a subsidiary of Google, is a free online service that analyzes files
and URLs enabling the identification of viruses, worms, trojans and
other kinds of malicious content detected by antivirus engines and
website scanners!
Desenmascara.me is a free online service that analyzes websites to spot mainly whether they are FAKEs (related with the online counterfeiting) or not.
How does a FAKE website might be related with malicious content?; let me give you a bit of background to understand it.
Fake luxury goods are sold all over the Internet. There is an underground economy where a large number of globally distributed criminals trade in data, knowledge and services with the goal to defraud users and business, and this is related with the black market commoditization; a recent innovation from the fraudsters.
The underground organizations have well defined roles with inter dependencies, let's take for example; to buy and sell compromised web servers, scam hosting, exploit kits, and wholesale access to stolen user records including usernames and passwords, credit card numbers, and other sensitive personal data.
Recently Google published a post about a research related to this topic: The underground market fueling for profit abuse. The researches mapped the relations between the specialized roles in the underground economy as in the picture below.
whose explanation step by step can be viewed dinamically in this video:
Where the division of labor based on the chain of specialization is clearly represented. This underground economy is the culprit of current online threats such as fake anti-virus, ransomware, Trojan banks and any kind of commodity crimeware available out there. While reading the aforementioned research paper, the below figures called my attention:
Where IOCs for most of the threads above are usually included in the vast amount of intelligence watchlists either propietary or open source in order to do some kind of:
Correlation: (i.e: we need to see incident A before incident B can trigger)
Validation: (i.e: customers IP-space is linked to an IOC)
Enrichment: (i.e: To provide more context to known threats)
But for the Luxury knock-offs strategy of the profit center: Spamvertised products, whereas the revenue numbers are even higher than in known threats such as Clickfraud or even close to the infamous Zeus, I was not aware of any kind of intelligence feed providing only such specific information.
Below you can find some metrics about data desenmascara.me is collecting:
Dashboard with all the brands detected
Availability of FAKE sites targeting to the PRADA brand
One of the main goals of the desenmascara.me webservice is to let anyone known with just 1 click whether a website is FAKE or not. All the information collected is shared with the community through this VirusTotal integration. In addition, if you are a brand protection professional:
you would want to follow the desenmascarame twitter account (tweeting automatically each time a FAKE site is spotted and warning to the affected brand), o maybe to join the service avisame in order to get all the metadata of the FAKE website affecting to your brand.
The talk: Hard lessons learned while defending Gmail users" by Elie Bursztein,Anti-Spam and abuse research Lead @Google, provide key lessons the Gmail team learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them.
I would like to highlight the Key Challenges they will face in 2016:
I like specially the "hacked site" challenge. For them, when a site is hacked they have to react very quickly but at the same time it is very hard for them to reach those people that have been hacked.
But what kind of good sites are being hacked?, despite of the PwnedWebsites resource to keep track of worth to mention websites which has been pwned, past statistics show revealed that legitimate websites visited by mass audiences have the highest concentration of online security threats than those pornography, pharmaceutical or gambling sites.
But there is another problem on top being flooded with false positives when using threat intelligence indicators as signatures. The bad guys know the enterprises are using this approach hence they are leveraging on it with some counter-offensive tactics. For instance there are public and private intelligence feeds which are being used by enterprises and SOCs to either create alerts based on hits or to auto escalate them based on use cases. Then, what do the bad guys are doing?
A given IOC is malicious in a short timeframe but enough as to be catched by some feed trackers out there. Once the IOC has been included in a tracker the bad guys then point the malicious domain (IOC) to a known IP such as Google or Facebook. Time to have fun on the enterprises relying on those IOCs.
Changing DNS entries often (fast-flux), this is a common technique to hide the delivery sites behind an ever-changing network of compromised sites but when this technique is used by pointing the malicious domains to legitimate IPs parts of the time; time to have fun again on those enterprises leveraging those IOCs.
Luxury brands Cartier and Montblanc won recently a U.K. court ruling that orders
Internet providers to block websites selling counterfeit goods including
watches and pens. [Source Bloomberg.]
While this is not the correct approach to go but instead the Prada one is the way to go. This open an interesting debate?: Must the Internet providers block sites offering counterfeit items?
Net neutrality is the key issue here. In US the FCC (Federal Communications Commission) promotes a strong Net neutrality to keep the Internet open and free with statements like below pointed out on May 2010:
The FCC introduces strong net neutrality protections that said internet
service providers could not block websites or impose limits on users. In
December, the FCC would go on to pass a final version, adopting their
first-ever rules to regulate Internet access.[Source Whitehouse.]
Mammut is a Swiss company specialized in mountain sports. Personally I was not familiar with this brand, but thanks to the desenmascara.me project a vast amount of brands, being counterfeited in the black corners of Internet, have become known for me.
Mammut logo
While doing some research about the Mammut brand in order to add it to the desenmascara.me service, I come across the below web domain:
http://www.bldgblok.com
Created on 2012-02-09, expired TODAY and registered through a proxy as it’s common on this
activities to not disclose owner details:
which shows (at the time of this writing) a tipical 'access denied' message as below:
Forbidden
You don't have permission to access /quickstart.html
on this server.
Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.
And based on this linkedin page, the above domain belongs to an Architecture and Planning company located in New York, without much activitylately as their last twitter was on 10. Jun 2014.
But then the thing is that such a web domain has some indexed resource such as:
Mammut keywords in the www.bldgblok.com site
With several misconfigured mammut links pointing to a vast amount of FAKE websites targeting to the main fashion brands such as:
Gucci FAKE website
Tiffany FAKE website
Moncler FAKE website
NFL FAKE website
Louboutin FAKE website
RayBan FAKE website
and even fashion FAKEs hoverboards
UGG FAKE website taken down
The above examples are just a few sites to give you an overview of the size of this knock-off luxury campaign which target to many luxury brands at once. But of course there are more roles involved on campaigns like this such as spammers either on twitter:
Notice the change when the twitter account is mentioned
or in the below google search (which at the time of this writing has no results anymore. -Well done Google.):
“link:http://www.bldgblok.com mammut“
The above google search did show hundreds of results with websites either compromised (due to old Joomla versions..) or spammed with comments to distribute this massive spam campaign of knock-off luxury products.
This knock-off luxury online campaign does show how this online counterfeit business operate in a conglomerate of entities linked between them with different roles and ramifications as pointed out in this Google research.
By collecting information from all the above FAKE websites there are email address and more information which is useful to track more FAKE online campaigns from the same actors. I tried to contact with some of the targeted brands but the communication was not successful so this article is just to let you know how this business operate online and to let you know what happen with a web domain which is not used anymore by their owners but it remains still active: it will be used by the bad guys!!.
If you are a brand representative of any of the brands affected either on this incident or any other online counterfeiting issue, do not hesitate to contact me for further details and cooperation.
A trust seal is a seal
granted by an entity to website or businesses for display. Often the
purpose is demonstrate to customers that this business is concerned with
security and their business identity. [Wiki]
Trust seal examples
This conversation about trust seal in websites is old and sometimes lead to wrong assumptions. It’s not the actual security of your page that matters the most to users as they have little to no technical understanding of how HTTP works (and they should NOT have). Rather it is the confidence a website show prior to make any purchase with them to that’s of importance to this vast majority of users.
Why am I speaking about this?, cause today I come across a website with this 'Hacker safe' seal:
which was compromised to store a FAKE website selling Adidas products, nothing secret, even Google knew something strange was going on it: