Illuminating online infrastructure for counterfeit goods

← Blog Home

By

Background – Counterfeit goods on the Internet

I remember visiting New York City when I was young and seeing tables filled with bags, sunglasses and fancy clothes for sale on the sidewalk. They were expensive-looking items heavily discounted to attract buyers. Many people knew the items were counterfeit and just kept walking. Some stopped by the tables but may not have understood a crime was being committed. If the items looked real enough, and if the potential customer didn’t care about the risk of buying the black market items, they’d buy it.

The merchants ran a personal risk, though. If a lawyer from one of counterfeited brands noticed their merchandise, he or she could get a warrant to arrest the street merchant for the crime they committed. Yet counterfeit merchants no longer just sell their wares on the nearest street corner. They also market counterfeit merchandise using online stores.

The Domain Name System (DNS) is key to every transaction on the Internet. To entice customers, fraudsters will manipulate the domain name of their website to closely resemble the actual brand name for two reasons:

  1. A website name like https://www.BRANDNAME-outlet.com seems more legitimate to visitors than visiting a numeric IP address or selling items through an online auction site.
  2. A host or domain name that contains the words of the items you’re selling is more likely to be ranked higher by search engines.

Typically, counterfeit operators have registered “.com” names or names in other global top-level domain (TLD) names that include the real brand name in their counterfeited name. Yet technical detectives representing the brand name company easily find the fake domains and then serve take-down notices to the website operator and even the registry. As a result, counterfeiters have been taking advantage of other names lower in the DNS hierarchy where the registrations of their domain or host names are not published. Until the sites draw enough attention, perhaps through search engines or spam, they are invisible.

Yet these fake domain or host names can’t hide from Passive DNS.

Passive DNS: How it Works

Passive DNS can play an important role in brand enforcement. It enables brand-name companies to see any fake names utilized in the DNS as they are used and accessed. Collected from a global sensor array across Internet Service Providers (ISPs), DNS service providers, universities, search engines, and social media companies around the world, Farsight Security Passive DNS data and our derivative works enable corporations, security researchers and law enforcement to monitor infringement.

We have been collecting Passive DNS data since 2007 and have made the current version of our Passive DNS historical database (DNSDB) available since mid-2010. If a domain has been used on the Internet in the areas where we have sensors, we see it and record it. As we see new domain names come through our processing engines, they’re tagged and broadcast in real time on our Security Information Exchange (SIE) or made available in DNS blacklist (DNSBL) or DNS firewall (DNS Response Policy Zones) products.

NOD

Newly Observed Domains (NOD) enables brand detectives to see new names as they are used in real-time. One can especially keep an eye out for names that contain a brand name or frequently utilized typographic errors that are close enough to a brand name.

One of the benefits of utilizing NOD is that it doesn’t depend on updates from a registry. Effective top-level domains where we see new domains include:

  • Legacy top-level domains (like COM, BIZ, INFO)
  • Country code based top-level domain (like CO, US, DE, RU)
  • Second-level effective top level domains (like COM.CN, CO.UK)
  • New ICANN global top-level domains (like TECH, SUCKS, TRAVEL, BLACK)
  • Publicly-registered providers of dynamic infrastructure (like DYNDNS.ORG, CLOUDAPP.NET, AZUREWEBSITES.NET).

Here’s a five-second snippet from April 20, 2015:

    $ nmsgtool -C ch212 | grep domain:
    domain: sweepnoses.com.
    domain: bizsucces.fr.
    domain: toldmilord.com.
    domain: tiltedgenus.com.
    domain: gpcgojra.edu.pk.
    domain: id.here.
    domain: beghin.ch.
    domain: verhuizenblog.nl.
    domain: metrocity.ge.
    domain: detalhecases.com.br.
    domain: hax0r005.no-ip.biz.
    domain: radiofutrono.cl.
    domain: aptm0.tk.
    domain: mirador-schindellegi.ch.
    domain: deutscheindustriewartung.eu.
    domain: make348today.biz.
    domain: comfortedsoon.pw.
    domain: kidcam-dev.cloudapp.net.
    domain: jameela.doomdns.com.
    ^C

When someone registers a domain infringing a brand or trademark name, it’s likely to be seen in NOD. One can easily create a search to look for strings like “fake”, “watch”, “replica”, and fuzzy matches on their brands like “r0lex”.

SIE Real-Time Feeds

We operate the Security Information Exchange (SIE onto which Passive DNS data and other real-time data is made available locally to co-located customer servers or remotely over encrypted tunnels via the SIE Remote Access service. The data that goes into our DNS database product (DNSDB) is also available as a real-time feed. If one is watching the feed, they can generate alerts any time they see a regular expression that matches their name.

DNSDB

Our historical Passive DNS data is stored in a searchable database where one can see the history for a domain or host name, or answer questions like:

  • What else is served at this IP address?
  • What other hostnames are under this domain?
  • What other domains utilize this name server?
  • What names begin with a certain keyword?

If one has a DNS or IP identifier related to known badness, they can utilize API queries into our DNSDB service to discover related or similar resources and expand their knowledge and map infrastructure. The database is also available for downloads for incorporating into customers’ custom correlation engines or for enabling linear searches of the data. Instead of looking at the live feed, a brand detective can search through periodic summaries from the database as updates become available.

Brand Infringement Examples

In the examples below, I was interested in finding some fake “Rolex” watches. I started looking on an SIE stream for the word “rolex” and found a few right away. Utilizing a command line DNSDB lookup tool (dnsdb_query.py), I was able to enumerate some other counterfeit infrastructure.

     $ nmsgtool -C ch208 -e '|' | fgrep "rolex" | sed -e 's/|/\n/g'
rolexreplicawatches-uk.com
    response_ip: 2400:cb00:2049:1::adf5:3b3a
    rrname: rolexreplicawatches-uk.com.
    rrclass: IN (1)
    rrtype: A (1)
    rdata: 104.28.8.15
    rdata: 104.28.9.15

This domain could have been easily found through a domain registry dump and looking up the domain name in DNS to find the same information. It was registered to a Chinese identity protection service and served by a web proxy service (Cloudflare). I point out here that monitoring is agnostic to IPv4 and IPv6. Because Passive DNS monitoring is persistent, it allows DNSDB to store not only the current information, but historical information as well.

    $ dnsdb_query.py -r \*.rolexreplicawatches-uk.com/A --after=2015-04-01
    ;;  bailiwick: rolexreplicawatches-uk.com.
    ;;      count: 505
    ;; first seen: 2015-01-23 23:49:55 -0000
    ;;  last seen: 2015-04-13 00:38:50 -0000
    rolexreplicawatches-uk.com. IN A 46.249.33.202
    
    ;;  bailiwick: rolexreplicawatches-uk.com.
    ;;      count: 115
    ;; first seen: 2015-04-13 08:26:53 -0000
    ;;  last seen: 2015-04-21 17:44:51 -0000
    rolexreplicawatches-uk.com. IN A 104.28.8.15
    rolexreplicawatches-uk.com. IN A 104.28.9.15
    
    ;;  bailiwick: rolexreplicawatches-uk.com.
    ;;      count: 179
    ;; first seen: 2015-01-16 14:36:37 -0000
    ;;  last seen: 2015-04-09 23:38:00 -0000
    www.rolexreplicawatches-uk.com. IN A 46.249.33.202
    
    ;;  bailiwick: rolexreplicawatches-uk.com.
    ;;      count: 10
    ;; first seen: 2015-04-13 23:20:54 -0000
    ;;  last seen: 2015-04-19 18:50:35 -0000
    www.rolexreplicawatches-uk.com. IN A 104.28.8.15
    www.rolexreplicawatches-uk.com. IN A 104.28.9.15

Between Jan 23 and April 13, the same name pointed to address 46.249.33.202 which is served by a web hosting provider in the Netherlands. That same address was observed to host 22 other names with the words “replica”, “rolex”, “fake”, or “watch” in the name this year (some of them registered in .co or .co.uk).

    $ dnsdb_query.py -i 46.249.33.202 --after=2015-04-01 |\
      egrep 'rolex|fake|replica|watch' | grep -v www | head
    rolex-replicas.co.uk. IN A 46.249.33.202
    replica-watches.uk.com. IN A 46.249.33.202
    replicawatchessale.uk.com. IN A 46.249.33.202
    qiwuwatch.com. IN A 46.249.33.202
    finewatchuk.com. IN A 46.249.33.202
    qiwuwatchuk.com. IN A 46.249.33.202
    cheapfakewatch.com. IN A 46.249.33.202
    fakewatchchina.com. IN A 46.249.33.202
    replicawatchus.com. IN A 46.249.33.202
    rolexreplica-uk.com. IN A 46.249.33.202
rolexdaytonavip.ru
    response_ip: 194.85.252.62
    rrname: rolexdaytonavip.ru.
    rrclass: IN (1)
    rrtype: NS (2)
    rdata: ns1.fullspace.ru.
    rdata: ns2.fullspace.ru.

While I may not directly have access to “RU” gTLD data, the rolexdaytonavip.ru name was found in the Passive DNS streams. To confirm, I notice that the Google translation of the site states: “You’ve come to the site, located on the hosting FullSpace. Work on this site is suspended.” (Yay!)

rolex-replicawatches.us.com
    response_ip: 112.90.82.194
    rrname: rolex-replicawatches.us.com.
    rrclass: IN (1)
    rrtype: SOA (6)
    rdata: f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1422885176 3600 180 1209600 180

The domain us.com is not subject to making all of their domain information available dialy like .com. Through Passive DNS, sub-domains are still discoverable. I fond some heavily discounted pro football gear at the same address as the fake rolex site.

    $ dnsdb_query.py -r rolex-replicawatches.us.com/A --after=2015-01-01
    ;;  bailiwick: rolex-replicawatches.us.com.
    ;;      count: 11
    ;; first seen: 2014-11-27 18:04:41 -0000
    ;;  last seen: 2015-01-16 19:21:23 -0000
    rolex-replicawatches.us.com. IN A 103.231.84.140
    
    ;;  bailiwick: rolex-replicawatches.us.com.
    ;;      count: 17
    ;; first seen: 2015-02-15 03:43:12 -0000
    ;;  last seen: 2015-04-16 06:34:50 -0000
    rolex-replicawatches.us.com. IN A 103.231.85.99
    
    $ dnsdb_query.py -i 103.231.85.99 --after=2015-01-01
    rolex-replicawatches.us.com. IN A 103.231.85.99
    www.rolex-replicawatches.us.com. IN A 103.231.85.99
    www.cheapnfljersey-outlet.com. IN A 103.231.85.99
    www.cheap-nfljersey.in.net. IN A 103.231.85.99
    
    $ dnsdb_query.py -i 103.231.84.140 --after=2015-01-01 |\
      grep -v www
    canadagooseuk.cc. IN A 103.231.84.140
    canada--goose.co.uk. IN A 103.231.84.140
    canadagoose.me.uk. IN A 103.231.84.140
    rolex-replicawatches.us.com. IN A 103.231.84.140
    moncleroutlet-jackets.com. IN A 103.231.84.140
    moncleroutlet2013.net. IN A 103.231.84.140
    monclerjacketsoutlet.net. IN A 103.231.84.140

To help confirm that the above sites were counterfeit (aside from the low prices), I checked out anti-counterfeiting information from the brand retailers. The real Canada Goose site has a tool that reports canadagooseuk.cc as a counterfeit retailer. A Moncler fan site claims, “Moncler’s official website (www.moncler.com) is the ONLY legitimate website containing the brand name, no exceptions.” In a call to one of their retail stores, a representative confirmed that there is no online discount outlet for their merchandise.

fakerolex.bigcartel.com
    response_ip: 208.78.71.5
    rrname: fakerolex.bigcartel.com.
    rrclass: IN (1)
    rrtype: A (1)
    rdata: 66.209.77.19

This is an example of a hosting provider that houses many customers that let the customer use a hostname within their domain name. I used to work for an e-commerce provider, and understand how difficult it is to make your tools and site widely available. Eventually someone comes along and violates the site terms of use. As long as customers get to choose their names when they sign up, it’s possible for them to start a site like fakerolex.bigcartel.com or replicawatchesblvd.bigcartel.com. Looking up what else is hosted on bigcartel.com utilizing DNSDB, most of the 200,000+ site names under their domain appear to be benign product pages, so contacting the abuse team at the website might be enough to take down a site.

Conclusion

Organizations that want to monitor how their brand names can utilize Passive DNS to discover the use or their names in near real-time and look at correlations between current and historical infrastructure utilized by the same actors to effect quicker takedowns. If the counterfeit stores are shut down more quickly, they become less profitable. If operators have to avoid using brand names in their DNS names, they may become forced to be less effective in their marketing.

Eric Ziegast is a Senior Distributed Systems Engineer for Farsight Security, Inc.

← Blog Home

Protect against cybercriminal activity in real-time.

Request demo

Email: sales@farsightsecurity.com Phone: +1-650-489-7919