Illuminating online infrastructure for counterfeit goods
By Eric Ziegast
Background – Counterfeit goods on the Internet
I remember visiting New York City when I was young and seeing tables filled with bags, sunglasses and fancy clothes for sale on the sidewalk. They were expensive-looking items heavily discounted to attract buyers. Many people knew the items were counterfeit and just kept walking. Some stopped by the tables but may not have understood a crime was being committed. If the items looked real enough, and if the potential customer didn't care about the risk of buying the black market items, they'd buy it.
The merchants ran a personal risk, though. If a lawyer from one of counterfeited brands noticed their merchandise, he or she could get a warrant to arrest the street merchant for the crime they committed. Yet counterfeit merchants no longer just sell their wares on the nearest street corner. They also market counterfeit merchandise using online stores.
The Domain Name System (DNS) is key to every transaction on the Internet. To entice customers, fraudsters will manipulate the domain name of their website to closely resemble the actual brand name for two reasons:
- A website name like
https://www.BRANDNAME-outlet.comseems more legitimate to visitors than visiting a numeric IP address or selling items through an online auction site.
- A host or domain name that contains the words of the items you're selling is more likely to be ranked higher by search engines.
Typically, counterfeit operators have registered ".com" names or names in other global top-level domain (TLD) names that include the real brand name in their counterfeited name. Yet technical detectives representing the brand name company easily find the fake domains and then serve take-down notices to the website operator and even the registry. As a result, counterfeiters have been taking advantage of other names lower in the DNS hierarchy where the registrations of their domain or host names are not published. Until the sites draw enough attention, perhaps through search engines or spam, they are invisible.
Yet these fake domain or host names can't hide from Passive DNS.
Passive DNS: How it Works
Passive DNS can play an important role in brand enforcement. It enables brand-name companies to see any fake names utilized in the DNS as they are used and accessed. Collected from a global sensor array across Internet Service Providers (ISPs), DNS service providers, universities, search engines, and social media companies around the world, Farsight Security Passive DNS data and our derivative works enable corporations, security researchers and law enforcement to monitor infringement.
We have been collecting Passive DNS data since 2007 and have made the current version of our Passive DNS historical database (DNSDB) available since mid-2010. If a domain has been used on the Internet in the areas where we have sensors, we see it and record it. As we see new domain names come through our processing engines, they're tagged and broadcast in real time on our Security Information Exchange (SIE) or made available in DNS blacklist (DNSBL) or DNS firewall (DNS Response Policy Zones) products.
Newly Observed Domains (NOD) enables brand detectives to see new names as they are used in real-time. One can especially keep an eye out for names that contain a brand name or frequently utilized typographic errors that are close enough to a brand name.
One of the benefits of utilizing NOD is that it doesn't depend on updates from a registry. Effective top-level domains where we see new domains include:
- Legacy top-level domains (like COM, BIZ, INFO)
- Country code based top-level domain (like CO, US, DE, RU)
- Second-level effective top level domains (like COM.CN, CO.UK)
- New ICANN global top-level domains (like TECH, SUCKS, TRAVEL, BLACK)
- Publicly-registered providers of dynamic infrastructure (like DYNDNS.ORG, CLOUDAPP.NET, AZUREWEBSITES.NET).
Here's a five-second snippet from April 20, 2015:
$ nmsgtool -C ch212 | grep domain: domain: sweepnoses.com. domain: bizsucces.fr. domain: toldmilord.com. domain: tiltedgenus.com. domain: gpcgojra.edu.pk. domain: id.here. domain: beghin.ch. domain: verhuizenblog.nl. domain: metrocity.ge. domain: detalhecases.com.br. domain: hax0r005.no-ip.biz. domain: radiofutrono.cl. domain: aptm0.tk. domain: mirador-schindellegi.ch. domain: deutscheindustriewartung.eu. domain: make348today.biz. domain: comfortedsoon.pw. domain: kidcam-dev.cloudapp.net. domain: jameela.doomdns.com. ^C
When someone registers a domain infringing a brand or trademark name, it's likely to be seen in NOD. One can easily create a search to look for strings like "fake", "watch", "replica", and fuzzy matches on their brands like "r0lex".
SIE Real-Time Feeds
We operate the Security Information Exchange (SIE onto which Passive DNS data and other real-time data is made available locally to co-located customer servers or remotely over encrypted tunnels via the SIE Remote Access service. The data that goes into our DNS database product (DNSDB) is also available as a real-time feed. If one is watching the feed, they can generate alerts any time they see a regular expression that matches their name.
Our historical Passive DNS data is stored in a searchable database where one can see the history for a domain or host name, or answer questions like:
- What else is served at this IP address?
- What other hostnames are under this domain?
- What other domains utilize this name server?
- What names begin with a certain keyword?
If one has a DNS or IP identifier related to known badness, they can utilize API queries into our DNSDB service to discover related or similar resources and expand their knowledge and map infrastructure. The database is also available for downloads for incorporating into customers' custom correlation engines or for enabling linear searches of the data. Instead of looking at the live feed, a brand detective can search through periodic summaries from the database as updates become available.
Brand Infringement Examples
In the examples below, I was interested in finding some fake "Rolex"
watches. I started looking on an SIE stream for the word "rolex"
and found a few right away. Utilizing a command line DNSDB lookup
dnsdb_query.py), I was able to enumerate some other counterfeit
$ nmsgtool -C ch208 -e '|' | fgrep "rolex" | sed -e 's/|/\n/g'
response_ip: 2400:cb00:2049:1::adf5:3b3a rrname: rolexreplicawatches-uk.com. rrclass: IN (1) rrtype: A (1) rdata: 184.108.40.206 rdata: 220.127.116.11
This domain could have been easily found through a domain registry dump and looking up the domain name in DNS to find the same information. It was registered to a Chinese identity protection service and served by a web proxy service (Cloudflare). I point out here that monitoring is agnostic to IPv4 and IPv6. Because Passive DNS monitoring is persistent, it allows DNSDB to store not only the current information, but historical information as well.
$ dnsdb_query.py -r \*.rolexreplicawatches-uk.com/A --after=2015-04-01 ;; bailiwick: rolexreplicawatches-uk.com. ;; count: 505 ;; first seen: 2015-01-23 23:49:55 -0000 ;; last seen: 2015-04-13 00:38:50 -0000 rolexreplicawatches-uk.com. IN A 18.104.22.168 ;; bailiwick: rolexreplicawatches-uk.com. ;; count: 115 ;; first seen: 2015-04-13 08:26:53 -0000 ;; last seen: 2015-04-21 17:44:51 -0000 rolexreplicawatches-uk.com. IN A 22.214.171.124 rolexreplicawatches-uk.com. IN A 126.96.36.199 ;; bailiwick: rolexreplicawatches-uk.com. ;; count: 179 ;; first seen: 2015-01-16 14:36:37 -0000 ;; last seen: 2015-04-09 23:38:00 -0000 www.rolexreplicawatches-uk.com. IN A 188.8.131.52 ;; bailiwick: rolexreplicawatches-uk.com. ;; count: 10 ;; first seen: 2015-04-13 23:20:54 -0000 ;; last seen: 2015-04-19 18:50:35 -0000 www.rolexreplicawatches-uk.com. IN A 184.108.40.206 www.rolexreplicawatches-uk.com. IN A 220.127.116.11
Between Jan 23 and April 13, the same name pointed to address
18.104.22.168 which is served by a web hosting provider in the
Netherlands. That same address was observed to host 22 other names with
the words "replica", "rolex", "fake", or "watch" in the name this year
(some of them registered in
$ dnsdb_query.py -i 22.214.171.124 --after=2015-04-01 |\ egrep 'rolex|fake|replica|watch' | grep -v www | head rolex-replicas.co.uk. IN A 126.96.36.199 replica-watches.uk.com. IN A 188.8.131.52 replicawatchessale.uk.com. IN A 184.108.40.206 qiwuwatch.com. IN A 220.127.116.11 finewatchuk.com. IN A 18.104.22.168 qiwuwatchuk.com. IN A 22.214.171.124 cheapfakewatch.com. IN A 126.96.36.199 fakewatchchina.com. IN A 188.8.131.52 replicawatchus.com. IN A 184.108.40.206 rolexreplica-uk.com. IN A 220.127.116.11
response_ip: 18.104.22.168 rrname: rolexdaytonavip.ru. rrclass: IN (1) rrtype: NS (2) rdata: ns1.fullspace.ru. rdata: ns2.fullspace.ru.
While I may not directly have access to "RU" gTLD data, the
rolexdaytonavip.ru name was found in the Passive DNS streams.
To confirm, I notice that the Google translation of the site
states: "You've come to the site, located on the hosting
FullSpace. Work on this site is suspended." (Yay!)
response_ip: 22.214.171.124 rrname: rolex-replicawatches.us.com. rrclass: IN (1) rrtype: SOA (6) rdata: f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1422885176 3600 180 1209600 180
us.com is not subject to making all of their domain information
available dialy like
.com. Through Passive DNS, sub-domains are still
discoverable. I fond some heavily discounted pro football gear at the same
address as the fake rolex site.
$ dnsdb_query.py -r rolex-replicawatches.us.com/A --after=2015-01-01 ;; bailiwick: rolex-replicawatches.us.com. ;; count: 11 ;; first seen: 2014-11-27 18:04:41 -0000 ;; last seen: 2015-01-16 19:21:23 -0000 rolex-replicawatches.us.com. IN A 126.96.36.199 ;; bailiwick: rolex-replicawatches.us.com. ;; count: 17 ;; first seen: 2015-02-15 03:43:12 -0000 ;; last seen: 2015-04-16 06:34:50 -0000 rolex-replicawatches.us.com. IN A 188.8.131.52 $ dnsdb_query.py -i 184.108.40.206 --after=2015-01-01 rolex-replicawatches.us.com. IN A 220.127.116.11 www.rolex-replicawatches.us.com. IN A 18.104.22.168 www.cheapnfljersey-outlet.com. IN A 22.214.171.124 www.cheap-nfljersey.in.net. IN A 126.96.36.199 $ dnsdb_query.py -i 188.8.131.52 --after=2015-01-01 |\ grep -v www canadagooseuk.cc. IN A 184.108.40.206 canada--goose.co.uk. IN A 220.127.116.11 canadagoose.me.uk. IN A 18.104.22.168 rolex-replicawatches.us.com. IN A 22.214.171.124 moncleroutlet-jackets.com. IN A 126.96.36.199 moncleroutlet2013.net. IN A 188.8.131.52 monclerjacketsoutlet.net. IN A 184.108.40.206
To help confirm that the above sites were counterfeit (aside
from the low prices), I checked out anti-counterfeiting information
from the brand retailers. The real Canada Goose site has a
canadagooseuk.cc as a counterfeit retailer. A
Moncler fan site claims,
"Moncler’s official website (
www.moncler.com) is the ONLY
legitimate website containing the brand name, no exceptions."
In a call to one of their retail stores, a representative confirmed
that there is no online discount outlet for their merchandise.
response_ip: 220.127.116.11 rrname: fakerolex.bigcartel.com. rrclass: IN (1) rrtype: A (1) rdata: 18.104.22.168
This is an example of a hosting provider that houses many customers that let
the customer use a hostname within their domain name. I used to work for an
e-commerce provider, and understand how difficult it is to make your tools
and site widely available. Eventually someone comes along and violates
their names when they sign up, it's possible for them to start a site like
Looking up what else is hosted on
bigcartel.com utilizing DNSDB, most
of the 200,000+ site names under their domain appear to be benign
product pages, so contacting the abuse team at the website might be enough to
take down a site.
Organizations that want to monitor how their brand names can utilize Passive DNS to discover the use or their names in near real-time and look at correlations between current and historical infrastructure utilized by the same actors to effect quicker takedowns. If the counterfeit stores are shut down more quickly, they become less profitable. If operators have to avoid using brand names in their DNS names, they may become forced to be less effective in their marketing.
Eric Ziegast is a Senior Distributed Systems Engineer for Farsight Security, Inc.