Desenmascara.me

How to verify whether a website is legitimate or not?: desenmascara.me

miércoles, 6 de noviembre de 2019

Fraudulent websites masquerading as different types of Spanish official applications

Update [08.11.2019]: The actors behind this massive online fraud are not only targeting Spanish public services, but also US-based ones, as shown below:


Fishing and hunting license in Florida --> https://www.fishingandhuntingflorida.com/


Fishing license in Texas --> https://www.texasfishinglicense.online/


Fishing license in Michigan --> https://www.michiganfishinglicense.online/


Fishing license in Georgia --> https://www.georgiafishinglicense.online/


This group of fraudsters has also registered a government-lookalike domain: http://cbp-dhs-gov.com/
which at the time of writing has only a landing page. The sole purpose of such misleading domains (whether once a website has been built on them, or just using the domain to send more credible phishing mails) is to lure users and steal their money and personal information:


end of update.



Fraud campaign in Spain:

Register of death? --> https://www.expedientedefuncion.online / www.solicitar-certificado-defuncion.online


Official documents (with apostilla)? --> https://www.apostillaylegalizacion.com/



Criminal certificate? --> https://www.certificadodelitospenales.online/


Birth certificate? --> https://www.certificadonacimiento.online/



Marriage certificate? --> https://www.actadematrimonio.online/



European health card? --> https://www.tarjetasanitariaeuropeaonline.com/




And so on with dozens of similar official certificates. This is common online fraud, where fraudsters set up professional-looking websites to lure unsuspecting users. Users unaware of how Spanish bureaucracy works will search online for the certificate they need and end up on a fraudulent site like any of those.

After the user submits their details and pays the fee, the website shows a payment error and the fraud is complete: the money is in the fraudsters' pocket and the victim receives nothing.


Never, ever buy services from a website whose legitimacy you are not sure about; in case of doubt, just use the web service https://desenmascara.me or ask us through the contact form.

The actor behind such fraudulent websites is a business registered in Florida (USA): Global Trading Solutions LLC, also associated with a multimillion crypto fraud; there is also an open investigation in a Spanish court.

Remember, if you have any doubt before making any purchase online, just use https://desenmascara.me to avoid being lured.

viernes, 11 de octubre de 2019

Annual Intellectual Property Report to US Congress

On April 26, 2018, President Trump, became the first President to formally recognize World Intellectual Property Day and proclaimed that “[o]n World Intellectual Property Day, we not only celebrate invention and innovation, but also we recognize how integral intellectual property rights are to our Nation’s economic competitiveness.” For this reason, the President stated that “[o]ur country will no longer turn a blind eye to the theft of American jobs, wealth, and intellectual property through the unfair and unscrupulous economic practices of some foreign actors.”




sábado, 28 de septiembre de 2019

How easily a Google product is being misused to market counterfeit goods

Update (11.06.2020): Google now allows requesting the removal of "Counterfeit: sale of counterfeit goods" from Google search results.

Update (21.10.2019): INCOPRO has released a report about this same problem, with key findings, metrics and a call to internet search engines to act against this online fraud, all quite well formatted for an easy and recommended read.


"While our systems get better over time, counterfeiting remains a complex challenge, and we keep investing in anti-counterfeiting measures." Kent Walker, Senior Vice President and General Counsel, Google (2011)
"Just as in the offline world, people misuse legitimate online services to try to market counterfeit goods. This abuse hurts our users and our business; combating it is central to Google's operations." (Testimony of Kent Walker before the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet, Hearing on 'Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II', April 6, 2011)

A few years ago I wrote the SANS paper "Tracking online counterfeiters". At the time, that paper quoted metrics from a 2016 OECD report in which the trade in counterfeit goods amounted to 2.5% of world trade. According to the latest OECD report, trade in fake goods is now 3.3% of world trade and rising.

The same SANS paper also cited the research "Framing dependencies introduced by underground commoditization", which showed the federation of specialists selling capabilities, services and resources explicitly tailored to the abuse ecosystem.

Revenue generation is outsourced to “affiliates”—independent contractors paid on a commission basis for each sale they bring in. [cited from original paper]



A bit more than a couple of years after the release of the aforementioned SANS paper, let's take the two premises above and dig a little deeper into this online counterfeiting fraud. I will briefly expose specific tactics online counterfeiters use to target different countries. The goal is to support the two premises above (increasing online fraud, and specialists selling capabilities in the underground commoditization market), but also to highlight a huge abuse of a specific search engine which I came across while investigating this tactic. An abuse that is especially "sensitive", as it affects hundreds of the most famous and most counterfeited brands.

This problem is especially outrageous because it currently allows counterfeiters to profit from and abuse free services, whereas in the past they had to use paid services. Not to mention the millions of users potentially being duped by this lack of protection against websites whose only purpose is commercial infringement.

Before going into the details, allow me to define what a FAKE website is.


"Defining what is a rogue site is not a simple task." (Testimony of Kent Walker before the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet, Hearing on 'Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II', April 6, 2011)

The above statement is part of the testimony of Kent Walker before the House Judiciary Subcommittee on IP, which you can read in full at the link above. With all respect and humility, I do not agree with that statement, so let me explain my reasoning. I will use the term "rogue site" as "FAKE site", and since I will deal with FAKE websites here, I will first define what the signs of a FAKE website are. To make it easier, I will follow the guidelines promoted by Europol to detect fraudulent sites selling fakes (also the basis of what the online tool https://desenmascara.me performs behind the scenes, on top of many other checks, to flag a website as FAKE). The only correction I would make to those Europol guidelines is to remove the red flag below:



The above check to detect fraudulent sites is no longer true. The mainstream availability of free SSL certificates has made it possible for counterfeiters to use SSL, as for instance the FAKE site below:

FAKE website using a SSL certificate


But let's go back to the point. I do think that defining what a rogue site is is a simple task; so simple that I am still surprised no one is doing something like this yet.

To my humble understanding, a FAKE website is a rogue website that generates profits from the theft of intellectual property and/or lures users. That's all. How can I back up such a statement? Keep reading.

On one side we have the Europol guidelines mentioned previously, plus the yearly Europol operation In Our Sites (IOS) to seize domain names distributing counterfeit and pirated items online; the last edition, in its ninth year, was the most successful ever. On the other side, after years working to improve the accuracy of https://desenmascara.me at flagging whether a website is FAKE or not, I did one thing not only to raise awareness of this online fraud among consumers but also to let the offended brands know about FAKE websites abusing their trademarks: I did this through the Twitter bot desenmascarame, which tweets only a small percentage of the FAKE websites detected. At the time of writing, this bot has tweeted around 15k times, mentioning hundreds of brands affected by FAKE websites:


Twitter bot desenmascara.me


So far the Twitter bot has not received any complaint from the brands affected, quite the opposite: this information has proved useful to the brands mentioned, as per the feedback received from many of them:

Small extract of brands answering the twitter bot


All this experience working to detect counterfeit-related websites, plus the feedback received from the brands and their requests to provide such "intelligence" in formal ways, allowed me to set up a business based on a SaaS service out of this four-year side project. The business goal is simple but effective: to detect and flag counterfeit-related websites and hand over this specific "intelligence", either later or in real time, to the offended brands. The brands (or their legal representatives) can then initiate legal action against the infringing websites. On top of that, I receive mails from users who have been lured by counterfeiters and found out later that the online tool https://desenmascara.me would have prevented them from becoming victims of such fraud; these users also report websites they think are FAKE but which, for whatever reason, the online tool is not able to flag correctly.

It is this mix of technology and users that makes the online tool https://desenmascara.me a powerful proof of concept, yet fully functional and in constant evolution: a proven novel approach which could be used as the basis to tackle the online counterfeiting fraud problem globally.

All this acumen allows me to affirm that defining what a rogue website is is not a complicated task, but it is a grey area: a grey area where the DMCA and the stance against censoring the Internet intersect. These facts lead to a situation where there is no incentive to be proactive about online counterfeiting fraud, only reactive, by putting up forms for trademark owners to report counterfeit goods. It is a grey area also because it depends on country legislation and local judges' considerations: for instance, there are legal cases where Internet Service Providers were ordered to block websites infringing trademarks, and other cases where the ISP could not be forced to. Country-specific legislation, right holders and internet freedom make this topic not only a grey area but a hard problem to solve, where the different actors should be aligned to act upon it at the scale it deserves.

The scale I am talking about is not thousands but millions of domains being used by online counterfeiters to promote their items and lure internet users. Despite all the efforts and huge investments big companies are making, this is happening with the complicity of search engines and social networks alike, plus the lack of any effort by security vendors in this area.

Is there any technology (i.e. Safe Browsing, proxy vendors, Web of Trust, blacklists...) right now which prevents you from browsing any of these websites: (https:// www.swarovskijoyas .es), or this (https:// www.philippevente. online), or this ( https:// northfaces. store) or this one (https: //www. jackwholesaler.com)...? (If so, please do let me know.)


After all this introduction to FAKE websites and the grey area they belong to, let me show you how I came across a specific Google product being massively misused to market counterfeit goods.

As part of improving the detection accuracy of desenmascara.me, I spent time researching how online counterfeiters operate, what their tactics are, how they are organized and what toolkits they use to scale their business. Let's start with a simple FAKE web page like the one below:


http:// www.libredetabaco.es


This website falls easily under the red flags exposed by Europol:

  • Prices seem too good
  • "Contact us" section pretty simple and generic
  • Site looks unfinished, with broken links
  • Domain name totally unrelated to the content
  • and many more red flags...

Now, looking at the HTML code, let's focus our attention on the highlighted line:


Suspicious html code used by the counterfeiter actor


It seems to be custom code under the templates directory (which sets up how the website looks) used to build the website. If we search for that specific string in Google we see only 4 organic results (3 domains used by the counterfeiters in the Search Engine Results Page, SERP), but the interesting part is in the "images" product:

Google SERP of a specific template directory found in the html code


When we click on "Más imágenes de...", Spanish for "more images of...", we see the following pictures under the highlighted domains (all FAKE based on the Europol red flags and desenmascara.me):


Google images result with the string search wgtestwo136dkghnleejfliejf


There are several results pointing to around 7 different websites with the same code. It is likely that the code belongs to the creator of the websites, as in this specific case all results are under the .es Top Level Domain (TLD) and use domains which had expired and were picked up afterwards by the FAKE site creators; this is another typical tactic of the counterfeiters.

Let's try to confirm this with a different domain hosted on the same infrastructure as the previous FAKE website. Now take a look at a slightly different string that still follows the same format as the previous example:

Suspicious html code used by the counterfeiter actor


Here we have around 10 counterfeit-related websites sharing the same code, and as in the previous example all of them are under the .es TLD, with domain names unrelated to the webshop content:

Google images result with the string search wgtestwo134asuifheufhals


What we are observing here are specific contractors creating FAKE websites under the .es TLD. These contractors are just a small part of the full supply chain of online counterfeiting schemes, as pointed out in the paper mentioned at the beginning of this article.


Now let's take a look at actors dedicated to different countries, for example Germany and Austria (.de and .at TLDs). The website template below looks quite similar to the previous website:


http:// www.circuitnoize.at


The red flags are the same as in the previous FAKE website, but now in the HTML code we notice a slightly different template name (tu2kitySHOPde):

<div class="yccrFvaOgfCU"><img src="includes/templates/tu2kitySHOPde/images/cardd.gif"></div>
Suspicious html code used by the counterfeiter actor


Now we do the same as before: a Google search for that specific code. On this occasion 0 results came up in the search, but again it led us to additional and interesting results in Google Images:

We click on Google Images and voilà! We see a few domains with the same type of pictures:




hxxp://www.guntenlauf.at/
hxxp://www.circuitnoize.at
hxxp://www.nikolabartenbachkunst.at
hxxp://www.awesome-riders.at
hxxp://www.strahlemannrockt.de/

Registration of the above domains also happened on the same consecutive days. This is just a small specific example of how actors operate to create FAKE shops with pre-built kits and host them under previously used domains and TLDs they might be familiar with in terms of language or target market.
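The clustering step described above (pull the template directory name out of each shop's HTML, then group domains that share it) can be done offline once the pages are saved. The script below is an added example, not code from the post or from desenmascara.me: the HTML snippets and the `*.example` domain names are constructed for illustration, while the template names are the ones quoted in the post. A real pipeline would fetch each page first; here they are embedded so it runs without network access.

```python
"""Cluster web shops by the storefront-kit template path embedded in their HTML.

Added example, not from the original post. PAGES holds constructed HTML for
placeholder domains; only the template names come from the post.
"""
import re
from collections import defaultdict
from html.parser import HTMLParser

# The path pattern shown in the post: includes/templates/<kit name>/...
TEMPLATE_RE = re.compile(r"includes/templates/([A-Za-z0-9_-]+)/")


class TemplatePathExtractor(HTMLParser):
    """Collect template names referenced from src/href attributes."""

    def __init__(self):
        super().__init__()
        self.templates = set()

    def handle_starttag(self, tag, attrs):
        # img/link/script/a tags all carry their resource path in src or href
        for name, value in attrs:
            if name in ("src", "href") and value:
                match = TEMPLATE_RE.search(value)
                if match:
                    self.templates.add(match.group(1))


def extract_templates(html: str) -> set:
    """Return the set of template directory names a page references."""
    parser = TemplatePathExtractor()
    parser.feed(html)
    return parser.templates


def cluster_by_template(pages: dict) -> dict:
    """Map template name -> sorted list of domains whose HTML references it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for template in extract_templates(html):
            clusters[template].add(domain)
    return {tpl: sorted(domains) for tpl, domains in clusters.items()}


def shared_kits(clusters: dict, min_sites: int = 2) -> dict:
    """Keep templates seen on at least min_sites domains: the same kit reused across shops."""
    return {tpl: doms for tpl, doms in clusters.items() if len(doms) >= min_sites}


# Constructed sample pages; domains are placeholders, not real sites.
PAGES = {
    "shop-one.example": '<div><img src="includes/templates/wgtestwo136dkghnleejfliejf/images/cardd.gif"></div>',
    "shop-two.example": '<link href="includes/templates/wgtestwo136dkghnleejfliejf/css/style.css"><p>sale</p>',
    "shop-three.example": '<div class="a"><img src="includes/templates/tu2kitySHOPde/images/cardd.gif"></div>',
    "shop-four.example": '<img src="/includes/templates/tu2kitySHOPde/images/logo.png">',
    "legit.example": '<img src="/static/img/logo.png"><a href="/about">About</a>',
}

if __name__ == "__main__":
    for template, domains in shared_kits(cluster_by_template(PAGES)).items():
        print(f"{template}: {', '.join(domains)}")
```

The template name is a stronger pivot than a single page's look and feel because it is copied verbatim from the kit; a domain with no such path (the constructed legit.example above) simply falls outside every cluster rather than being scored.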

In order to avoid sensitivities with the above Google Images examples, I have tried to avoid showing websites targeting specific brands.

The fact that searching for those quite specific, unique codes found in the HTML code of the FAKE sites raised just a few or no results in a Google search, but did raise results in the image search product, made me explore some possibilities which after a few tests proved true: the Google Image search product opens the door to thousands of results of FAKE websites offending literally every brand that might be counterfeited. While these results are not available in the SERPs (at least not visible in the first pages), they are fully available through Google Image search:

Google image results leading to FAKE websites owned by online counterfeiters.


I have omitted any specific brand logo or trademark name, but as you can see above, a typical Google Image search might lead to FAKE websites. All those websites were categorized as FAKE by the online tool desenmascara.me, since all of them show the red flags recommended by Europol to detect fraudulent websites. Also note that the Web of Trust icon (the green icon next to the website address) does not indicate any danger or suspicious flag, when actually any user who purchases items on any of those websites might be:
  • Lured and receive nothing
  • Lured and receive a counterfeit item
  • Lured and have their personal information misused to feed this online fraud
  • Lured and have their credit card details stolen
In summary, users being directed towards these websites might be lured by the online counterfeiters.

To finish, as already mentioned, this might be a grey area, but the reality is that it is not so difficult to detect and flag FAKE websites. Google has hundreds of PhDs in Mountain View, Zurich and around the world working on hard problems. Maybe this problem doesn't make the cut of the priority list right now? According to the World Economic Forum (WEF), online counterfeiting is part of one of the top illicit trades of the 21st century, along with drug trafficking, human trafficking, diamonds and a few others. It is in the best interest of users, the brands affected and society in general (terrorism financing, tax evasion, child labour, poor working conditions...) to keep these counterfeit sellers off the Internet. We just need the will, proactivity and cooperation to tackle this online fraud.



Disclaimer: of course, I have a vested interest in taking these counterfeit websites off the Internet. I just want to test my proof-of-concept project at scale to show how this problem might be solved.

lunes, 19 de agosto de 2019

How to prevent Business Email Compromise (BEC) fraud ?

Or, in Spanish: cómo prevenir el fraude del CEO (CEO fraud).

Last year the FBI published an alert pointing out that BEC fraud exceeded $12 billion globally.
The report was based on data collected by the FBI's Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money actually lost by victims and money they could have lost had they taken the bait.

Many of these attacks are skillfully crafted. Criminals lurking on websites and social media can uncover plenty of information for fine-tuned spear-phishing emails: who the suppliers are, what the management structure is, who is receiving new business pitches or expansion plans, etc. Executive travel plans are particularly useful for scenarios like this, since the urgency of a task can be inflated from abroad: "I'm in Singapore and we need to make a payment ASAP to this supplier or we risk losing it. Don't delay - please wire these funds immediately."

How could this fraud be prevented?

  1. Train your leadership, especially in finance, about the risks associated with these kinds of attacks, the methods of detection and manual authentication.
  2. Detection methods include being vigilant about:
    • Pressure and a sense of urgency
    • Unusual requests that contradict internal procedures
    • Typosquatted domains similar to your company's (@R0CHE.COM instead of @ROCHE.COM)
  3. Use DMARC. Domain-based Message Authentication, Reporting & Conformance is an email authentication, policy and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author ("From:") domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

You can check whether your organization has DMARC in place just by typing the domain part of your mail address into this resource.

DMARC check compliance for the gmail.com domain



Basically, DMARC is a technology that allows a receiver to confirm whether an email really comes from the organization it claims to be from. This technology will not help in cases where the corporate email has been compromised and the attacker has full access to the mail account of the person in finance; obviously that attack requires much more effort.
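Checking a domain's DMARC record by hand means reading the TXT record published at `_dmarc.<domain>` and working out what a receiver would do with mail that fails SPF/DKIM alignment. The parser below is an added example, not code from the post, from GCA or from the checker linked above. The records it evaluates are constructed samples for placeholder domains; the DNS lookup itself is deliberately left out so the script runs offline, and the comments mark the limitation the paragraph above points out (a message from a genuinely compromised mailbox passes DMARC).

```python
"""Parse DMARC TXT records and report the policy a receiver would apply.

Added example, not from the original post. SAMPLES are constructed records;
a real check would first fetch the TXT record at _dmarc.<domain>.
"""
from dataclasses import dataclass, field

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: str                               # p=   action on aligned-authentication failure
    subdomain_policy: str                     # sp=  action for subdomains (defaults to p)
    pct: int = 100                            # pct= share of failing mail the policy applies to
    rua: list = field(default_factory=list)   # rua= aggregate report destinations
    adkim: str = "r"                          # DKIM alignment: r(elaxed) or s(trict)
    aspf: str = "r"                           # SPF alignment


def parse_dmarc(txt: str) -> DmarcRecord:
    """Turn 'v=DMARC1; p=reject; ...' into a DmarcRecord; raise ValueError if malformed."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and a p= tag must be present.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    tags = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        raise ValueError(f"invalid sp= tag: {sub_policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, sub_policy, pct, rua,
                       tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower())


def assess(txt: str) -> str:
    """Classify a published record from the domain owner's point of view."""
    try:
        rec = parse_dmarc(txt)
    except ValueError as exc:
        # Receivers ignore a record they cannot parse, so this is as good as no DMARC.
        return f"invalid ({exc}): receivers treat this as no DMARC policy"
    if rec.policy == "none":
        # Monitoring only: spoofed mail is still delivered; reports are the only benefit.
        suffix = "" if rec.rua else " and no rua=, so not even reports arrive"
        return "monitor-only: p=none, spoofed mail still delivered" + suffix
    if rec.pct < 100:
        return f"partial: p={rec.policy} applied to {rec.pct}% of failing mail"
    return f"enforcing: p={rec.policy}, sp={rec.subdomain_policy}"


def effective_policy(txt: str, from_domain: str, org_domain: str) -> str:
    """Policy a receiver applies to failing mail whose From: is org_domain or a subdomain.

    Out of scope by design: mail sent from a compromised mailbox at org_domain
    passes SPF, DKIM and alignment, so this policy is never triggered for it.
    """
    rec = parse_dmarc(txt)
    if from_domain == org_domain:
        return rec.policy
    if from_domain.endswith("." + org_domain):
        return rec.subdomain_policy
    raise ValueError(f"{from_domain} is not covered by the record for {org_domain}")


# Constructed sample records for a placeholder domain.
SAMPLES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "strict":  "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com",
    "broken":  "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:8s} -> {assess(record)}")
    print("mail.example.com ->", effective_policy(SAMPLES["strict"], "mail.example.com", "example.com"))
```

The distinction between `monitor-only` and `enforcing` is the one that matters for the BEC scenario above: a `p=none` record produces reports but does nothing to stop a spoofed "From:" reaching the finance team's inbox, and a `pct` below 100 leaves a share of that mail unaffected.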

Since June 2016, the Global Cyber Alliance (GCA) has been working to accelerate the adoption of DMARC through advocacy, by providing a set of easy-to-use tools and campaigns to drive deployment. GCA also measured the economic impact in this report. The benefits of deploying DMARC in your company are clear. What are you waiting for?





miércoles, 7 de agosto de 2019

Criminal activity involving counterfeiting and the professionalised organized crime networks

Recently, the first EU-wide intellectual property crime threat assessment from Europol and the European Union Intellectual Property Office (EUIPO) was published. Press release by Europol.



The report contains 40 pages of insights about criminal activity involving counterfeiting and the professionalised organized crime networks, which can reap large profits while running relatively few risks. It was created with EU-wide data and strategic intelligence analysis. 

Below are the main points I would highlight on this report:

Metrics related:
  • Counterfeit and pirated goods could make up as much as 6.8 % of EU imports, amounting to EUR 121 billion.
  • In 2016, up to 6.8 % of EU imports constituted counterfeit and pirated goods, amounting to as much as EUR 121 billion. Compared to 5 % in 2013, this is a sharp increase in three years.
  • The economic impact of counterfeit clothing and personal accessories is particularly high. It is estimated that counterfeiting causes losses of around EUR 26 billion per year to the clothing, footwear and accessories sector and around EUR 2 billion a year to the jewellery and watches sector in the EU.


Facts related:
  • Although shipment of counterfeit goods to the EU still occurs largely in bulk by freight transport, in recent years there has been a strong increase in express transport. This sharp growth in trade via small parcels is related to the growth in online marketplaces selling counterfeit goods 

  • Besides the traditional luxury items, a wide range of everyday goods are targeted by counterfeiters. This includes cosmetics, electronic components, food and drinks, pesticides, pharmaceuticals, tobacco products, toys and vehicle parts. 
  • A growing number of counterfeit pharmaceuticals are detected in small parcels, facilitated by a continuous expansion of unauthorised and unregulated online pharmacies. 

  • The market for counterfeit goods remains highly profitable, providing criminals with opportunities to generate huge profits while running few risks. Most criminal activity involving counterfeiting is undoubtedly performed by organised crime groups and there appears to be an overall professionalisation of these groups. 

  • Counterfeiting and piracy are lucrative criminal activities, while at the same time generating relatively low detection risks. 
  • Several EU Member States have in recent years decreased their focus on fighting IP crime, in favour of other criminal activities that are deemed more serious and harmful, such as drugs trafficking, migrant smuggling, trafficking in human beings, and terrorism.
  • Online marketplaces are increasingly becoming an important source of income for criminal groups engaged in the sale of counterfeit and pirated goods. 
  • In a series of studies conducted by the EUIPO over the last few years, the direct annual losses of 13 market sectors that are particularly vulnerable to counterfeiting have been estimated. Collectively, these sectors lose EUR 60 billion a year, or 7.5 % of their total sales. 
  • However, despite the large number of counterfeit clothes and shoes that are sold online, they are also still commonly sold on the streets of certain cities and in popular tourist areas. 
  • A particularly worrisome development is that some of the jihadist terrorist attacks in the EU in recent years were partially financed by selling counterfeit clothing and shoes, although the most prominent example of this already stems from 2015. The Kouachi brothers, responsible for the terrorist attack on the Charlie Hebdo office, had been involved in selling counterfeit sports shoes. They had paid for the shoes via international payment services and imported them via parcel service from China. 
  • Other criminal acts that are commonly committed by counterfeiting organised crime groups are excise fraud and VAT fraud. 
  • Criminals are increasingly offering counterfeit goods through social media networks using specific URLs that can be hard to identify by law enforcement authorities. 
  • A common modus operandi for online counterfeiters is to re-register previously used legitimate domain names, also referred to as cybersquatting. Domain names that have previously been used for a wide variety of purposes, including those used by commercial businesses, embassies or politicians, are systematically re-registered to operate as e-shops selling counterfeit goods. This reuse of legitimate websites ensures consistent internet traffic towards these e-shops.

Security related:

  • While consumers are attracted to these kinds of websites by the free content they can find there, in many cases these same websites are used to target exactly those types of consumers with phishing attempts or the dissemination of malware. It is estimated that one in four persons who stream illegally through a box or stick are affected by a virus or malware. Different kinds of malware and potentially unwanted programmes (PUPs) have been found on suspected websites sharing copyright-infringing content for free, which use deceptive techniques and social engineering to trick consumers into sharing sensitive personal information or even payment card details. This includes many PUPs for the Android OS, reflecting the growing popularity of mobile devices.





lunes, 10 de junio de 2019

Captchas being used by online counterfeiters to protect their FAKE websites


This is a new technique spotted by desenmascara.me. After digging a bit into why some FAKE websites of different brands were not being flagged as such by desenmascara.me, I stumbled upon this new technique.

Captchas are mainly used as a security check to ensure only human users can pass through, usually in form submissions or online tools, to keep out bots or any automated misuse.


Desenmascara.me has included a new check to get past this "protection" recently implemented by the online counterfeiters in their FAKE websites.


I keep improving desenmascara.me with the goal of making it the only URL engine able to spot any kind of FAKE website related to counterfeiting. If you have any tips or feedback to improve this online service, please do let us know. Many thanks!