
I remember visiting New York City when I was young and seeing tables filled with bags, sunglasses and fancy clothes for sale on the sidewalk. They were expensive-looking items heavily discounted to attract buyers. Many people knew the items were counterfeit and just kept walking. Some stopped by the tables but may not have understood a crime was being committed. If the items looked real enough, and if the potential customer didn’t care about the risk of buying black market items, they’d buy.
The merchants ran a personal risk, though. If a lawyer from one of the counterfeited brands noticed their merchandise, he or she could get a warrant to arrest the street merchant for the crime they committed. Yet counterfeit merchants no longer just sell their wares on the nearest street corner. They also market counterfeit merchandise using online stores.
The Domain Name System (DNS) is key to every transaction on the Internet. To entice customers, fraudsters will manipulate the domain name of their website to closely resemble the actual brand name for two reasons:
https://www.BRANDNAME-outlet.com seems more legitimate to visitors than visiting a numeric IP address or selling items through an online auction site. Typically, counterfeit operators have registered “.com” names or names in other global top-level domain (TLD) names that include the real brand name in their counterfeited name. Yet technical detectives representing the brand name company easily find the fake domains and then serve take-down notices to the website operator and even the registry. As a result, counterfeiters have been taking advantage of other names lower in the DNS hierarchy where the registrations of their domain or host names are not published. Until the sites draw enough attention, perhaps through search engines or spam, they are invisible.
Yet these fake domain or host names can’t hide from Passive DNS.
Passive DNS can play an important role in brand enforcement. It enables brand-name companies to see any fake names utilized in the DNS as they are used and accessed. Collected from a global sensor array across Internet Service Providers (ISPs), DNS service providers, universities, search engines, and social media companies around the world, Farsight Security Passive DNS data and our derivative works enable corporations, security researchers and law enforcement to monitor infringement.
We have been collecting Passive DNS data since 2007 and have made the current version of our Passive DNS historical database (DNSDB) available since mid-2010. If a domain has been used on the Internet in the areas where we have sensors, we see it and record it. As we see new domain names come through our processing engines, they’re tagged and broadcast in real time on our Security Information Exchange (SIE) or made available in DNS blacklist (DNSBL) or DNS firewall (DNS Response Policy Zones) products.
Newly Observed Domains (NOD) enables brand detectives to see new names as they are used in real time. One can especially keep an eye out for names that contain a brand name or frequently utilized typographic errors that are close enough to a brand name.
One of the benefits of utilizing NOD is that it doesn’t depend on updates from a registry. Effective top-level domains where we see new domains include:
Here’s a five-second snippet from April 20, 2015:
$ nmsgtool -C ch212 | grep domain:
domain: sweepnoses.com.
domain: bizsucces.fr.
domain: toldmilord.com.
domain: tiltedgenus.com.
domain: gpcgojra.edu.pk.
domain: id.here.
domain: beghin.ch.
domain: verhuizenblog.nl.
domain: metrocity.ge.
domain: detalhecases.com.br.
domain: hax0r005.no-ip.biz.
domain: radiofutrono.cl.
domain: aptm0.tk.
domain: mirador-schindellegi.ch.
domain: deutscheindustriewartung.eu.
domain: make348today.biz.
domain: comfortedsoon.pw.
domain: kidcam-dev.cloudapp.net.
domain: jameela.doomdns.com.
^C
When someone registers a domain infringing a brand or trademark name, it’s likely to be seen in NOD. One can easily create a search to look for strings like “fake”, “watch”, “replica”, and fuzzy matches on their brands like “r0lex”.
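As an added example (not code from this post or from Farsight’s tools), the Python filter below applies the kind of search just described to NOD-style “domain:” lines: plain keyword hits plus a fuzzy brand match that undoes digit-for-letter swaps and tolerates one edit. The sample lines are constructed, and the keyword and brand lists are illustrative choices.

```python
import re

# Constructed sample in the "domain: name." form nmsgtool prints for the NOD
# channel; the names are made up for this example.
SAMPLE_NOD = """domain: r0lex-watches-outlet.pw.
domain: cheapreplicawatch.co.uk.
domain: rolexdaytonavip.ru.
domain: rolexreplicawatches-uk.com.
domain: roolex.shop.example.
domain: verhuizenblog.nl.
"""

KEYWORDS = ("fake", "watch", "replica")   # plain substrings worth a look
BRANDS = ("rolex",)                       # names to match fuzzily
LEET = str.maketrans("013457", "oieast")  # undo digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_hit(text, brand, max_dist=1):
    """True if brand appears after normalisation, or a window of text is within
    max_dist edits of it (r0lex, roolex, rolx). Short brands produce more noise."""
    norm = text.translate(LEET)
    if brand in norm:
        return True
    n = len(brand)
    return any(edit_distance(brand, norm[i:i + w]) <= max_dist
               for w in (n - 1, n, n + 1)
               for i in range(len(norm) - w + 1))

def classify(line):
    """Return (domain, reasons) for a NOD line that merits review, else None."""
    m = re.match(r"^domain:\s+(\S+?)\.?$", line.strip())
    if not m:
        return None
    name = m.group(1).lower()
    flat = name.replace(".", "").replace("-", "")  # match across label boundaries
    reasons = [k for k in KEYWORDS if k in flat]
    reasons += ["brand:" + b for b in BRANDS if brand_hit(flat, b)]
    return (name, reasons) if reasons else None

def scan(text):
    return [hit for hit in map(classify, text.splitlines()) if hit]
```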
We operate the Security Information Exchange (SIE) onto which Passive DNS data and other real-time data is made available locally to co-located customer servers or remotely over encrypted tunnels via the SIE Remote Access service. The data that goes into our DNS database product (DNSDB) is also available as a real-time feed. If one is watching the feed, they can generate alerts any time they see a regular expression that matches their name.
Our historical Passive DNS data is stored in a searchable database where one can see the history for a domain or host name, or answer questions like:
If one has a DNS or IP identifier related to known badness, they can utilize API queries into our DNSDB service to discover related or similar resources and expand their knowledge and map infrastructure. The database is also available for download, for incorporation into customers’ custom correlation engines or for enabling linear searches of the data. Instead of looking at the live feed, a brand detective can search through periodic summaries from the database as updates become available.
In the examples below, I was interested in finding some fake “Rolex” watches. I started looking on an SIE stream for the word “rolex” and found a few right away. Utilizing a command line DNSDB lookup tool (dnsdb_query.py), I was able to enumerate some other counterfeit infrastructure.
$ nmsgtool -C ch208 -e '|' | fgrep "rolex" | sed -e 's/|/\n/g'
response_ip: 2400:cb00:2049:1::adf5:3b3a
rrname: rolexreplicawatches-uk.com.
rrclass: IN (1)
rrtype: A (1)
rdata: 104.28.8.15
rdata: 104.28.9.15
This domain could have been easily found through a domain registry dump and looking up the domain name in DNS to find the same information. It was registered to a Chinese identity protection service and served by a web proxy service (Cloudflare). I point out here that monitoring is agnostic to IPv4 and IPv6. Because Passive DNS monitoring is persistent, it allows DNSDB to store not only the current information, but historical information as well.
$ dnsdb_query.py -r \*.rolexreplicawatches-uk.com/A --after=2015-04-01
;; bailiwick: rolexreplicawatches-uk.com.
;; count: 505
;; first seen: 2015-01-23 23:49:55 -0000
;; last seen: 2015-04-13 00:38:50 -0000
rolexreplicawatches-uk.com. IN A 46.249.33.202
;; bailiwick: rolexreplicawatches-uk.com.
;; count: 115
;; first seen: 2015-04-13 08:26:53 -0000
;; last seen: 2015-04-21 17:44:51 -0000
rolexreplicawatches-uk.com. IN A 104.28.8.15
rolexreplicawatches-uk.com. IN A 104.28.9.15
;; bailiwick: rolexreplicawatches-uk.com.
;; count: 179
;; first seen: 2015-01-16 14:36:37 -0000
;; last seen: 2015-04-09 23:38:00 -0000
www.rolexreplicawatches-uk.com. IN A 46.249.33.202
;; bailiwick: rolexreplicawatches-uk.com.
;; count: 10
;; first seen: 2015-04-13 23:20:54 -0000
;; last seen: 2015-04-19 18:50:35 -0000
www.rolexreplicawatches-uk.com. IN A 104.28.8.15
www.rolexreplicawatches-uk.com. IN A 104.28.9.15
Between Jan 23 and April 13, the same name pointed to address 46.249.33.202, which is served by a web hosting provider in the Netherlands. That same address was observed to host 22 other names with the words “replica”, “rolex”, “fake”, or “watch” in the name this year (some of them registered in .co or .co.uk).
$ dnsdb_query.py -i 46.249.33.202 --after=2015-04-01 |\
egrep 'rolex|fake|replica|watch' | grep -v www | head
rolex-replicas.co.uk. IN A 46.249.33.202
replica-watches.uk.com. IN A 46.249.33.202
replicawatchessale.uk.com. IN A 46.249.33.202
qiwuwatch.com. IN A 46.249.33.202
finewatchuk.com. IN A 46.249.33.202
qiwuwatchuk.com. IN A 46.249.33.202
cheapfakewatch.com. IN A 46.249.33.202
fakewatchchina.com. IN A 46.249.33.202
replicawatchus.com. IN A 46.249.33.202
rolexreplica-uk.com. IN A 46.249.33.202
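As an added example (not part of the post, nor Farsight’s own tooling), here is a small Python parser for the text format dnsdb_query.py prints, with the two pivots used above: hosting_timeline gives the address history of one name as (first seen, last seen, address) triples, and cohosted lists the other non-www names seen on an address whose names match the brand-related pattern. The embedded sample output is constructed to mirror the lookups shown.

```python
import re
from datetime import datetime

# Constructed sample in the text format dnsdb_query.py prints (values mirror the lookups above).
RRSET_OUTPUT = """\
;; bailiwick: rolexreplicawatches-uk.com.
;; count: 505
;; first seen: 2015-01-23 23:49:55 -0000
;; last seen: 2015-04-13 00:38:50 -0000
rolexreplicawatches-uk.com. IN A 46.249.33.202
;; bailiwick: rolexreplicawatches-uk.com.
;; count: 115
;; first seen: 2015-04-13 08:26:53 -0000
;; last seen: 2015-04-21 17:44:51 -0000
rolexreplicawatches-uk.com. IN A 104.28.8.15
"""
RDATA_OUTPUT = """\
rolex-replicas.co.uk. IN A 46.249.33.202
www.rolex-replicas.co.uk. IN A 46.249.33.202
qiwuwatch.com. IN A 46.249.33.202
beghin.example. IN A 46.249.33.202
"""
TS = "%Y-%m-%d %H:%M:%S %z"

def parse_dnsdb(text):
    """Parse dnsdb_query.py output; ';;' metadata describes the RRset that follows."""
    meta, records = {}, []
    for line in text.splitlines():
        if line.startswith(";;"):
            key, _, value = line[2:].strip().partition(":")
            meta[key.replace(" ", "_")] = value.strip()
            continue
        m = re.match(r"^(\S+)\s+IN\s+(\S+)\s+(.+)$", line)
        if not m:
            continue
        rec = {"rrname": m.group(1), "rrtype": m.group(2), "rdata": m.group(3),
               "count": int(meta["count"]) if "count" in meta else None}
        for k in ("first_seen", "last_seen"):  # absent in rdata (-i) output
            rec[k] = datetime.strptime(meta[k], TS) if k in meta else None
        records.append(rec)
    return records

def hosting_timeline(records, name):  # (first_seen, last_seen, address) per A record
    return sorted((r["first_seen"], r["last_seen"], r["rdata"])
                  for r in records if r["rrname"] == name and r["rrtype"] == "A")

def cohosted(records, address, pattern=r"rolex|fake|replica|watch"):
    return sorted({r["rrname"] for r in records if r["rdata"] == address
                   and not r["rrname"].startswith("www.")
                   and re.search(pattern, r["rrname"])})
```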
response_ip: 194.85.252.62
rrname: rolexdaytonavip.ru.
rrclass: IN (1)
rrtype: NS (2)
rdata: ns1.fullspace.ru.
rdata: ns2.fullspace.ru.
While I may not directly have access to “RU” gTLD data, the rolexdaytonavip.ru name was found in the Passive DNS streams. To confirm, I notice that the Google translation of the site states: “You’ve come to the site, located on the hosting FullSpace. Work on this site is suspended.” (Yay!)
response_ip: 112.90.82.194
rrname: rolex-replicawatches.us.com.
rrclass: IN (1)
rrtype: SOA (6)
rdata: f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1422885176 3600 180 1209600 180
The domain us.com is not subject to making all of its domain information available daily like .com. Through Passive DNS, sub-domains are still discoverable. I found some heavily discounted pro football gear at the same address as the fake rolex site.
$ dnsdb_query.py -r rolex-replicawatches.us.com/A --after=2015-01-01
;; bailiwick: rolex-replicawatches.us.com.
;; count: 11
;; first seen: 2014-11-27 18:04:41 -0000
;; last seen: 2015-01-16 19:21:23 -0000
rolex-replicawatches.us.com. IN A 103.231.84.140
;; bailiwick: rolex-replicawatches.us.com.
;; count: 17
;; first seen: 2015-02-15 03:43:12 -0000
;; last seen: 2015-04-16 06:34:50 -0000
rolex-replicawatches.us.com. IN A 103.231.85.99
$ dnsdb_query.py -i 103.231.85.99 --after=2015-01-01
rolex-replicawatches.us.com. IN A 103.231.85.99
www.rolex-replicawatches.us.com. IN A 103.231.85.99
www.cheapnfljersey-outlet.com. IN A 103.231.85.99
www.cheap-nfljersey.in.net. IN A 103.231.85.99
$ dnsdb_query.py -i 103.231.84.140 --after=2015-01-01 |\
grep -v www
canadagooseuk.cc. IN A 103.231.84.140
canada--goose.co.uk. IN A 103.231.84.140
canadagoose.me.uk. IN A 103.231.84.140
rolex-replicawatches.us.com. IN A 103.231.84.140
moncleroutlet-jackets.com. IN A 103.231.84.140
moncleroutlet2013.net. IN A 103.231.84.140
monclerjacketsoutlet.net. IN A 103.231.84.140
To help confirm that the above sites were counterfeit (aside from the low prices), I checked out anti-counterfeiting information from the brand retailers. The real Canada Goose site has a tool that reports canadagooseuk.cc as a counterfeit retailer. A Moncler fan site claims, “Moncler’s official website (www.moncler.com) is the ONLY legitimate website containing the brand name, no exceptions.” In a call to one of their retail stores, a representative confirmed that there is no online discount outlet for their merchandise.
response_ip: 208.78.71.5
rrname: fakerolex.bigcartel.com.
rrclass: IN (1)
rrtype: A (1)
rdata: 66.209.77.19
This is an example of a hosting provider that houses many customers and lets each customer use a hostname within the provider’s domain name. I used to work for an e-commerce provider, and understand how difficult it is to make your tools and site widely available. Eventually someone comes along and violates the site terms of use. As long as customers get to choose their names when they sign up, it’s possible for them to start a site like fakerolex.bigcartel.com or replicawatchesblvd.bigcartel.com. Looking up what else is hosted on bigcartel.com utilizing DNSDB, most of the 200,000+ site names under their domain appear to be benign product pages, so contacting the abuse team at the website might be enough to take down a site.
Organizations that want to monitor how their brand names are used can utilize Passive DNS to discover the use of their names in near real-time and look at correlations between current and historical infrastructure utilized by the same actors to effect quicker takedowns. If the counterfeit stores are shut down more quickly, they become less profitable. If operators have to avoid using brand names in their DNS names, they may be forced to be less effective in their marketing.
Eric Ziegast is a Senior Distributed Systems Engineer for Farsight Security, Inc.