*The following blog solely represents the views of Emilio Casbas
In the context of online counterfeiting, there are four classes of domain that warrant discussion:
- Registered by counterfeiters
- Free hosting based
- Legitimate but compromised
In order to know more about each type you can take a look to the SANS paper “Tracking online counterfeiters“. For the purpose of this blog I will focus on using one counterfeit domain (http://www.pradaus[.]com, which was active while writing this blog) to unearth and map a full-fledged campaign.
Figure 1: Counterfeit-related website www.pradaus[.]com
Even counterfeiters must register their domains through a registrar but despite this, Whois data can be spoofed. In fact, if the counterfeiter never had the intention of managing their domain, they could use a fake email address. This scenario mostly works for the bad guys registering Command and Control (C2) domains, but is not usually the case for counterfeit-related websites, as in the example above:
Figure 2: Legitimate mail address used to register the counterfeit-related website www.pradaus[.]com
Other considerations are that registration services often sell privacy protection as a service. In those cases, only the privacy proxy service and registrar have the information provided by the registrant. The privacy proxy service transfers domain ownership to the registrant shortly after the purchase. In this situation (also regularly seen on C2 domain registrations) the initial registration would act as a proxy, and then registrant data may be updated later to reflect the actual domain owner. This type of change in registration information is something you can easily track as a DomainTools alert. For example, a domain spoofing Adidas changed registrant information:
Figure 3: Domaintools alert about new domain owner
One domain I track with DomainTools’ monitors is desenmascara[.]me. I make a habit of keeping an eye out for counterfeit-related domains and how they are maturing. Immersed in these tasks, I investigated the domain: http://www.123australian[.]com. This domain interested me because despite showing all the signs of a counterfeit domain, it had block countermeasures in place on the counterfeit domain server.
Figure 4: Register domains extracted with DomainTools.com
A similar behavior was exposed by the domain: http://111MediaGroup[.]com. In this case, the domain was spoofing Adidas, but in Danish.
Figure 5: Register domains extracted with DomainTools.com
Based on the Whois public data observed, I started to suspect that both of these domains shared the same nameserver. Additionally, both domains had been recently created and the email registrations both leveraged the domain yeah[.]net (a China- based company).
Both figures 4 and 5 were extracted with the free DomainTools Whois Lookup Tool. On the other hand, Iris Investigate is a product that provides additional insights while investigating online fraud. In this case, by using Iris Investigate to investigate the domains mentioned above, I found an extensive and new campaign of around 50,000 counterfeit-related websites (all in less than five minutes)!
Below is the step by step process I used to unravel this large campaign:
1. I accessed DomainTools Iris Investigate from https://research.domaintools.com/Iris:
Figure 6: Iris main website
2. I searched on an IOC I unearthed in a previous investigation: 111mediagroup[.]com:
Figure 7: Web domain being investigated with the Iris tool
3. In the Whois data, I exposed the same email addresses as devised in the Whois Lookup Tool plus two additional email addresses. By right-clicking on the email address yinchu4c@163[.]com, I was able to see the number of additional domains that share this registrant email.
Figure 8: Pivoting over an Indicator (web mail address)
4. 53,361 domains shared this value. In order to evaluate domains that share the same registrant email, I clicked “Expand Search”. In the top menu I could see a new filter:
Figure 9: Multi-filter search (web domain and web mail address)
By simply scrolling through the domains included in this query, I can tell that this campaign is targeting a number of brands by simply using TLDs like .com, .de and .top.
In addition to investigating IOCs, DomainTools Iris allows me to share information with other organizations or partners in three formats: CSV, STIX 1.2 or STIX 2.0.
Let’s take a look at some examples under the different TLDs.
Figure 10: Counterfeit-related website targeted the New Balance brand: 122ratto[.]com
Figure 11: Multi Brand counterfeit-related website: 0entropie[.]de
Figure 12: Multi Brand Counterfeit-related website: a1ecosolutions.co[.]uk
Figure 13: Counterfeit-related website targeted to Reebok: reebokclassic[.]es
Figure 14: Multi brand Counterfeit-related website (car parts, toys, electronics…): aamumalls[.]top
Figure 15: Multi brand counterfeit-related website: aan-massage[.]nl
Figure 16: Multi brand counterfeit-related website: 10sharks[.]org
In conclusion, I was able to take one IOC and expand upon it and identify an entire campaign targeting well known brands. This technique is particularly valuable for brands who like to protect their consumers, and proactively purchase domains to ensure that their brand equity is not used against them.
Update: The Indicator yinchu4c@163[.]com continues to register additional counterfeit-related domains. Around 1,400 new counterfeit-related domains were registered within a few days by the same actor.