Online Advertising Techniques for Counterfeit Goods and Illicit Sales

Andrea Stroppa, Independent security researcher, Huffington Post Italia, andst7@gmail.com (Author)
Agostino Specchiarello, Università degli studi di Palermo (Contributor)
Stefano Zanero, Politecnico di Milano, zanero@polimi.it (Author)
Bernardo Perrella (Contributor)
Alessandra Spada, TSC Consulting (Contributor)
Carlo Turri, TSC Consulting (Contributor)
Chiara Congedo, TSC Consulting (Contributor)

Introduction

Today’s Internet enables us to easily purchase any kind of item online, from clothes and hi-tech gadgets to jewelry and kitchen tools. Along with major online “general stores” (such as eBay, Amazon, or Alibaba) featuring low prices and competitive options, many other e-commerce websites empower local small- and medium-size companies to directly sell their products via postal services – potentially reaching a worldwide customer base.

However, the Internet is a mirror of our physical world for better or for worse, and therefore also provides opportunities for people intent on fraud and counterfeiting to take full advantage of our digital tools. This independent and self-produced research focuses on illicit Facebook advertising pointing to websites selling counterfeit goods. We outline their technical features to expose the overall damage of this practice for society at large – particularly targeting name brand companies, online users and even Facebook’s own reputation.

Online marketplace and counterfeiting activities

The global counterfeiting market has reached unprecedented levels: counterfeit goods now account for nearly 10 percent of worldwide trade, an estimated $500 billion annually, according to the World Customs Organization [1].
Besides the obvious losses for big brand names and rampant fraud against consumers, this black market produces a huge, illicit income for organized criminal organizations, with the additional danger to the health and safety of unwitting consumers (for example, in the counterfeit medicine market, well documented on the UNICRI website [2]), in addition to its suspicious online payment systems.

The development of counterfeiting of goods and their online sales has closely followed the evolution of the Net, and today is mostly based on three channels: email, discussion fora and blogs, and ad-hoc websites.

Email

Unfortunately, all of us are very familiar with spam emails offering any number of items at unbelievably competitive prices. Even if, according to online security firm Symantec, this trend is currently “declining”, we are still dealing with very notable figures: recently they went down from 6,000 billion spam emails per month to “just” about 1,000 billion per month [3]. This decrease is probably due to the reduced effectiveness of these strategies, given the proliferation of today’s anti-spam filters that redirect unwanted emails to specific folders that users usually never open.

[1] Black Market for Counterfeit Goods Rakes in $500 Billion Yearly: http://news.yahoo.com/blogs/nightline-fix/black-market-counterfeit-goods-rakes-500-billion-yearly140659855.html
[2] United Nations Interregional Crime and Justice Research Institute: http://www.unicri.it/topics/counterfeiting/
[3] For more detailed data please see "Spam Volumes: Past & Present, Global & Local" by Symantec’s Message Labs: http://krebsonsecurity.com/2013/01/spam-volumes-past-present-global-local/

Forum

A second option for selling counterfeit goods is through various discussion fora and blogs. This strategy employs so-called “bots”, automatic programs looking for vulnerable websites on which to publish their spam messages, hoping to attract naïve users.
The renowned anti-spam plug-in Akismet [4] reports that it filters out an average of 7.5 million comments per hour over the Internet. However, this problem is still so widespread that the most famous blogging platform, WordPress, provides its users with a detailed page of specific suggestions for fighting obnoxious spam comments [5].

Forums and blogs

Accordingly, the vehicle of choice for today’s counterfeit criminals is now the creation of full websites to showcase and sell their illicit goods. But, given the widespread use of anti-spam tools, how can these vendors gain online visibility and make their websites easily found by potential buyers? The answer is somewhat surprising: they are directly featured in Google search results, mostly through the AdWords system, a do-it-yourself marketplace for advertisers introduced in 2000. This outcome, along with intense pressure by brand owners, has now forced Google to closely monitor its ad-placing system [6]. Another important piece of research on social spam, which explains how spam works on social media, is "Detecting Spammers on Social Networks" [7].

Targeted advertising on the rise

What happens after we’ve searched the Net comparing websites for a possible car purchase? As if by magic, in the following hours and days, our browsing experience is filled with side ads about car offerings similar to the models and price ranges we checked out earlier – even when we land on websites that have nothing to do with automobiles, such as current news outlets. Known as “targeted advertising”, this practice takes advantage of tracking strategies to display ads suited to the needs or preferences of specific users. The same is true for Facebook [8].
After clicking the “like” button on fashion brand pages such as Louis Vuitton, Prada, or Armani, log into your Facebook account again and you will face a variety of fashion ads – not only in the right column of your homepage normally devoted to ads, but also in your newsfeed, even if labeled as “sponsored ads”. This is because advertisers explicitly request a targeted user profile based on similar preferences and marketplaces. It’s no secret, for example, that Facebook, Google, and Apple are deploying new and more sophisticated tracking and profiling techniques in response to the rapid emergence of mobile devices, while the “cookie” option is quickly becoming obsolete [9].

[4] To keep spam off of the web: http://akismet.com/how/
[5] Combating Comment Spam: http://codex.wordpress.org/Combating_Comment_Spam
[6] "Google partners with luxury giant lvmh to fight counterfeits online": http://www.fastcompany.com/3035247/most-innovative-companies/google-partners-with-luxury-giant-lvmhto-fight-counterfeits-onlin
[7] "Detecting Spammers on Social Networks": http://www0.cs.ucl.ac.uk/staff/G.Stringhini/papers/socialnet-spam.pdf
[8] The number one global social network, with over 1.3 billion registered users: http://files.shareholder.com/downloads/AMDA-NJ5DZ/3349478089x0x770377/abc6b6d4-df03-44e1-bb4d7877f01c41e0/FB%20Q2

Just as Google has become a de facto electronic advertising sales company, today’s Facebook business model is rooted in advertising and, according to its official data and other media reports [10], it seems quite successful: “Revenue for the quarter ending June 30 totalled $2.91 bn, an increase of 61% over the $1.81 bn reported in the same quarter of 2013. Excluding the impact of year-over-year changes in foreign exchange rates, Facebook said revenue would have increased by 59%”.

Our research method on counterfeit luxury and fashion markets

Our research is focused on luxury and fashion markets because they are the most targeted by counterfeit criminals, as detailed in a report on current trends [11]. Particularly in the fashion market, the Italian tradition is still very strong and it’s imperative to protect its artistic and innovative position. And according to FashionUnited, a major source for fashion business news, in 2012 the US fashion market accounted for about $284 billion in revenue [12].

We first set up a few automatic Facebook accounts (the so-called “bots”) to activate and gather the specific ads promoted by this social network. Then we proceeded with an accurate manual analysis of such ad links, in order to determine and divulge in detail the underpinnings of illicit online practices related to counterfeit activities.

Our main research goal is qualitative rather than quantitative: instead of trying to study “all” websites selling counterfeit items, we focus on just a few high-profile cases in order to highlight the basic mechanisms of such illicit enterprises.

[9] "The cookie is dead. Here’s how Facebook, Google, and Apple are tracking you now": http://venturebeat.com/2014/10/06/the-cookie-is-dead-heres-how-facebook-google-and-apple-are-trackingyou-now/
[10] "Facebook earnings beat expectations as ad revenues soar": http://www.theguardian.com/technology/2014/jul/23/facebook-earnings-beat-expectations-ad-revenues
[11] "Anti-counterfeiting in the fashion and luxury sectors: trends and strategies": http://www.worldtrademarkreview.com/Intelligence/Anti-Counterfeiting/2013/Industry-insight/Anticounterfeiting-in-the-fashion-and-luxury-sectors-trends-and-strategies
[12] "Global fashion industry statistics - International apparel": http://www.fashionunited.com/global-fashion-industry-statistics-international-apparel

Case study

Case study #1: Luxottica’s Ray Ban

[Figure: Two Sponsored Ads on Facebook]

In this case, both ads linked to a website with no affiliation to Ray Ban, managed by an organization that owned over 80 Internet domains, registered through a Chinese registrar, to sell counterfeit items under the Luxottica [13] brand (the Italy-based world’s largest eyewear company).

Even though the sites are dispersed across hosting servers based in different countries, including the USA and the Netherlands, all websites share some specific features (link appearances, download code referencing Chinese websites, etc.) and the same Chinese registrar – thus validating our suspicion that the organization is actually based in mainland China.

What emerges here is a variety of techniques aimed at deceiving consumers while at the same time trying to “safeguard” an illegal business:

1. Ownership of multiple domains including the word “Rayban” in their URLs [14], such as:
   - "Ray-Ban Official Site - USA" (www.ray-ban.com/)
   - "Ray-Ban Sito Ufficiale - Italy" (www.ray-ban.com/italy)
   - "Occhiali da sole - Spedizione GRATUITA" (www.ray-ban.com/italy/occhiali-da-sole/clp)
   - "Ray-Ban Official Site - International" (www.ray-ban.com/international)
2. Ownership of several domains including specific country names in their URLs, such as: "http://rayban-ireland.com"
3. Use of graphic templates resembling an official brand website.
4. Fake warranty buttons and payment system logos. Often these illicit website pages feature logos and marks belonging to well-known security companies and online payment systems. Placed at the bottom of most pages, these images aim to deceive users by falsely implying that the website is approved and authorized by those payment systems and security companies.
5. Online payment systems that are unknown, dubious and opaque. All payment options use a service, sslcreditpay.com, that points to a website already associated with other illicit goods vendors [15]. Besides the service’s bad reputation, the studied websites provide no details on this service company nor on its data protection policy. Finally, these websites apply outdated security protocols, thus showing a complete disregard for the safety and security of their users’ personal data.

[13] Luxottica: http://en.wikipedia.org/wiki/Luxottica
[14] http://rayban-[…].com

Case study #2: LVMH’s Louis Vuitton [16]

In this instance the ad link pointed to a website that had nothing to do with the official Louis Vuitton website. It is registered through a US registrar and provider, whose server also hosts more than 100 domains – all of them with similar names and selling counterfeit goods. It should also be noted that initially the original website, reached via a Facebook sponsored ad, had been registered through a Chinese provider.

Here is a summary of the various options deployed to deceive internet users and “protect” an illicit business:

1. The domain name resembled that of the official targeted brand, but with an extra letter at the end (or similar tiny changes in other cases) – i.e., Louisvuittona.com
2. As shown in the image below, the homepage features the same design and colors used by the official French brand website, including the distinctive Louis Vuitton trademark.
3. To further resemble a legitimate major e-commerce venture, this website featured a “Live Support” option: users could open a window to chat in real time with a local operator – based on the “Jivo chat” system [17].
4. As in the previous case study, all payments are processed through the same sslcreditpay.com service: an interesting connection between the two illicit website operations.
5. Each webpage footer included official certification logos of renowned security companies (especially McAfee and Verisign).

[15] "If It Sounds Too Good To Be True…": http://krebsonsecurity.com/2014/06/if-it-sounds-too-good-to-be-true/#more-26236
[16] Louis Vuitton: http://en.wikipedia.org/wiki/LVMH

By clicking on the McAfee logo, for example, a user lands on a page like this:

At first sight, the McAfee Secure [18] page certifies that the website is absolutely safe, protecting users from “identify theft, viruses, spyware and other online threats”. However, this is just a fake page using the official McAfee logo and wording, under a domain name very similar to the original McAfee name [19]. Only a very vigilant user, or someone alerted by a weird detail here and there, could become suspicious and jump to the actual McAfee homepage to verify the authenticity of that website name. Indeed, when entering it at the page https://www.mcafeesecure.com/verify?host=www.mcafeesecure.com, we discover that it is an obvious fake.

The same procedure applies to the VeriSign logo: by clicking on it, we land on a page with a domain name containing the actual “Verisign” name and an “official” screenshot, as in the following image:

Apparently this page confirms the website’s SSL certification status and its encrypted data transmission to protect user personal data. The identity of the website owner is also being verified, to reassure us that this is a legitimate company website. Unfortunately, a simple check on the official VeriSign website [20] reveals that we are dealing with a completely fake website.

[17] Jivo chat: https://www.jivochat.com/
[18] https://www.mcafeesecure.com/tour
[19] http://mcafeesecuresinfo.com

Case study #3: LVMH’s Louis Vuitton

In another instance involving Louis Vuitton (one of the most targeted brands on the web), the following Facebook sponsored ad pointed to a website completely different from the official Louis Vuitton website.

This illicit website looks similar to the previous cases, with several options aimed at deceiving users and “verifying” its “legitimate” business – including the following features:

1. The domain name adds a specific item name to the official brand, i.e.: louisvuitton-shoes.com
2. The homepage features the same design and colors used by the official French brand website, including the distinctive Louis Vuitton trademark.
3. We tried to buy an item and pay directly with a credit card. Here is a short description of the payment procedure.

After checking the source code for the last page (when prompted to enter credit card info), we found a gateway to the online payment system called cybersecuritypay.com, which is protected by a whois-guard, making it impossible to look up its owner. The cybersecuritypay.com domain has been registered in China, with web hosting based in Canada.

[20] https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Case study #4: multi-brand shops

We studied discountbrandshop.net as an example of illicit websites selling mostly counterfeit merchandise from worldwide luxury and fashion brands (along with items from cheaper brands).

As shown in the images above, this website covers several renowned brands, such as: Armani, Burberry, Prada, Bulgari, Dior, RayBan, Boss, Calvin Klein, Versace, Diesel, Abercrombie & Fitch, Adidas, Nike, Ralph Lauren. Instead of a website that tries hard to resemble an original brand website, in this case we have an online “general store” selling a variety of counterfeit items (t-shirts, glasses, shoes, jackets, belts, etc.) at “truly unbeatable” prices. This website is hosted in the Netherlands and has been registered through a Chinese provider/registrar.

The prominent features and procedures of this (and similar websites) can be summarized as follows:

Most domains appear to be registered through the same few (4-5) registrars based in China and employ some form of identity/privacy protection for the registrants (which in itself is neither uncommon nor malicious). However, some registrars do not have a completely clean slate.
For instance, one registrar still widely used today is Xin Net Technology, which was almost predominant until a few years back, being the first launched in China. This registrar alone accounts for many documented violations of the ICANN rules [21]. They also appear to have a slow reaction against threats such as Zeus. In other words, they do not seem malicious but maybe just slower to react upon notice, and not so great at record-keeping – which is pretty much what these website operators need.

It is also worth noting that, in China, any domain registration requires a National ID card, and website operations require a specific license (ICP) linked to an individual. This, however, only applies to .cn domain names, and to IP addresses beyond the Chinese Great Firewall. Therefore, the chances of tracking down individual operators are very slim.

Possible clues about the geographic origin of these illicit websites

Even if, according to the whois registry, most of those domains are registered in China and often their owners are Chinese citizens with email accounts based in China, it is impossible to actually prove that these illicit websites are run by Chinese organizations.

However, a few elements of evidence provide some valuable clues. Quite often the English language used throughout those websites includes mistakes and typos, clearly suggesting non-English authors. Even more peculiar are some technical features shared by all websites analyzed in our research. The vast majority of them use ZenCart, a well-known e-commerce CMS, but in its Chinese version (ZenCart-cn), thus hinting that their webmasters can read and understand Chinese. An additional, compelling clue is that most websites studied here point to payment systems based in China.

It seems that each illicit operation relies on a managing team, with different people taking care of website management, administrative tasks, customer care, counterfeit goods production, and online advertising (such as Facebook sponsored ad campaigns).
Obviously, different components of the team may be of different geographic background.

[21] https://www.icann.org/en/system/files/correspondence/serad-to-he-08jul14-en.pdf

Use of redirects and estimates on phenomenon views

We also identified the following peculiar Facebook ad pointing to an illicit website selling counterfeit Louis Vuitton merchandise. This ad is particularly interesting because it uses a redirection through bit.ly, the famous link shortening service. The use of redirections through URL shorteners to ensure durability of malicious content and protection for the content authors has already been studied extensively in the past [22].

As shown below, eventually that bit.ly link pointed to a clone of the official Louis Vuitton website: its domain reads as “Louis--Vuitton.co”.

However, in this case, the malicious use of a shortener to hide the real website name backfired. Thanks to bit.ly, we were able to retrieve some useful statistics on click-throughs on the ad: the following diagram covers a total of 966 clicks between October 12th and October 15th:

[22] Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero: Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services, in Proceedings of the 23rd International Conference on World Wide Web, pp. 51–62: http://wwwconference.org/proceedings/www2014/proceedings/p51.pdf

The vast majority of traffic was clearly generated through Facebook, and the number of people clicking through this ad in just a few days is definitely relevant.

A widespread phenomenon

Along with the three case studies detailed above, a more general overview of many other websites confirms a shared strategy to carry out such fraud and counterfeit activities.
First of all, the Facebook ads have a similar look and very often use some recognizable “keywords.” In some cases, they also feature images without mentioning any specific brand in their description – suggesting a certain caution on their part.

As shown in the following images, it is certainly quite easy to bump into these kinds of ads on Facebook, which implies a widespread diffusion of online counterfeit operations.

- "The description does not provide references to any particular brand, but the image displays a Ralph Lauren t-shirt".
- "The description does not provide references to any particular brand, but the image displays a Canada Goose overcoat".
- "Here there is a 0 [zero] instead of the letter O in the name of world’s largest eyewear company Luxottica".
- "Same as above: there is a 0 [zero] instead of the letter O in the name KORS Handbag company".

Organizational Outline

Conclusions

A technical journalist previewing this research commented aptly: «This phenomenon is similar to having your local TV channel run a commercial about some street stores selling counterfeit items».

Unfortunately, the vast majority of users are not aware that some websites advertised on a major website such as Facebook sell counterfeit brand items. As explained above, in some cases those are high-quality websites featuring the same design and colors as the targeted official website, a domain name including a name similar to the brand name, and certification and security logos to “validate” their purchases.

To put this in context, there is an important difference between a real and a virtual environment: it is much easier to recognize a counterfeit item in the former, while in the latter you must have both technical skills and a good dose of intuition to distinguish a fake ad or website from a legitimate one.
Also, in the case of a brick-and-mortar shop you can usually take back a counterfeit item, get a refund and/or alert authorities – while on the Internet it is very difficult or almost impossible to have direct personal contact to file a complaint or ask for a refund. And even when officials manage to block or seize one of these online criminal organizations (according to different laws in different countries), the operators are often quick to reopen shop with a new domain and a new web hosting service to sell their counterfeit goods.

At the same time, it would be ungenerous to blame Facebook for such practices: even if a close look makes it clear that these advertisers are running illicit activities, very often their ads look so legitimate that they might mislead even a skilled advertisement editor, unless specifically trained and made aware of the problem. And the editor’s job gets even harder when criminal webmasters set up multiple redirecting links, a technique often used in the cybercrime world; or when they run multi-brand shops offering bargain prices, as opposed to “fake” shops of major brands (which are far easier to spot).

Needless to say, this widespread phenomenon produces serious damage at different levels of our society. Companies are compelled to act to prevent growing counterfeit activities, lawful retailers lose potential customers, and online users waste their money on very low quality items (in some cases even toxic or harmful to our health). Moreover, as shown in our research, dubious or opaque online payment systems could jeopardize credit card info and other personal data. Finally, advertisement networks such as the one run by Facebook risk losing their credibility, and face an increasing cost in their practices to protect their users from fraud and damage.

With regard to these latter issues, we are glad to report that, since the inception of our research project, many of these illicit Facebook ads have been removed and many websites selling counterfeit goods have been promptly blocked or seized by local authorities.

This research is completely independent, self-produced and for educational purposes only. Anybody is welcome to quote, copy and redistribute this research content with the appropriate credit and attribution.
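
The domain-name patterns reported in the case studies (brand plus a country or item name, an extra trailing letter, a doubled hyphen, a zero in place of the letter O) can be screened for mechanically when reviewing ad landing pages or trust-seal links. The following Python is an added example, not code from the paper; the brand table, the `louisvuitton.com` entry, the digit-folding map and all function names are assumptions made for illustration.

```python
import re

# Brand token -> official registrable domains. ray-ban.com and mcafeesecure.com
# appear in the paper; louisvuitton.com is an assumption made for this example.
OFFICIAL = {
    "rayban": {"ray-ban.com"},
    "louisvuitton": {"louisvuitton.com"},
    "mcafeesecure": {"mcafeesecure.com"},
}
# Digits commonly swapped for letters (the paper reports 0 used for O).
DIGIT_FOLD = str.maketrans("0135", "oles")


def registrable(host):
    """Last two labels of a hostname (naive: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def skeleton(text):
    """Fold digit look-alikes, then keep letters only, so variants collapse."""
    return re.sub(r"[^a-z]", "", text.lower().translate(DIGIT_FOLD))


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, brand, reasons) for a hostname from an ad or seal link."""
    domain = registrable(host)
    for brand, official in OFFICIAL.items():
        if domain in official:
            return ("official", brand, [])
    label = domain.rsplit(".", 1)[0]
    skel = skeleton(label)
    for brand in OFFICIAL:
        if skel == brand:
            reasons = ["brand name on a non-official domain"]
        elif brand in skel:
            reasons = ["brand name with extra words or letters"]
        elif edit_distance(skel, brand) <= 1:
            reasons = ["one character away from the brand name"]
        else:
            continue
        if any(ch.isdigit() for ch in label):
            reasons.append("contains digits")
        if "--" in label:
            reasons.append("repeated hyphen")
        return ("lookalike", brand, reasons)
    return ("unrelated", None, [])


def disguised_brands(ad_text, brands):
    """Brand names that appear in ad copy only with a digit swapped in."""
    hits = []
    for word in re.findall(r"[A-Za-z0-9]+", ad_text):
        if any(ch.isdigit() for ch in word) and skeleton(word) in brands:
            hits.append(skeleton(word))
    return hits


if __name__ == "__main__":
    # Hostnames quoted in the paper, plus one constructed digit-swap variant.
    for h in ["www.ray-ban.com", "rayban-ireland.com", "Louisvuittona.com",
              "louisvuitton-shoes.com", "Louis--Vuitton.co",
              "mcafeesecuresinfo.com", "l0uisvuitton.com", "example.org"]:
        print(h, classify(h))
    # Constructed ad text using the zero-for-O trick described in the paper.
    print(disguised_brands("Lux0ttica sunglasses 90% off", {"luxottica", "kors"}))
```

A production version would replace `registrable` with a public-suffix-aware parser so that multi-label suffixes are handled correctly.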
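
Case studies #1 to #3 connect storefronts through the payment gateway found in the checkout page source. As an added example (not code from the paper), the following Python extracts external form and iframe hosts from checkout HTML and groups storefronts by the gateway they share; the HTML snippets and URL paths are constructed, and the class and function names are hypothetical.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalTargets(HTMLParser):
    """Collect hosts that a page posts forms to or embeds in frames."""

    WATCHED = {("form", "action"), ("iframe", "src")}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in self.WATCHED or not value:
                continue
            # Relative URLs have no hostname and stay on the storefront itself.
            host = (urlparse(value).hostname or "").lower()
            if host.startswith("www."):
                host = host[4:]
            if host and host != self.page_host:
                self.hosts.add(host)


def payment_hosts(page_host, html):
    """External hosts that the checkout page hands the buyer's data to."""
    parser = ExternalTargets(page_host)
    parser.feed(html)
    return parser.hosts


def cluster_by_gateway(pages):
    """Map each external payment host to the storefronts that use it."""
    clusters = defaultdict(set)
    for shop, html in pages.items():
        for host in payment_hosts(shop, html):
            clusters[host].add(shop)
    return {host: sorted(shops) for host, shops in clusters.items()}


def shared_gateways(clusters):
    """Gateways used by more than one storefront: a pivot for linking operations."""
    return {host: shops for host, shops in clusters.items() if len(shops) > 1}


# Constructed checkout snippets. Storefront and gateway domains are the ones
# named in the paper; the markup and URL paths are invented for this example.
SAMPLE_PAGES = {
    "rayban-ireland.com":
        '<form method="post" action="https://www.sslcreditpay.com/pay">'
        '<input name="card"></form>',
    "louisvuittona.com":
        '<form action="/cart/update"></form>'
        '<iframe src="https://sslcreditpay.com/frame"></iframe>',
    "louisvuitton-shoes.com":
        '<form method="post" action="https://cybersecuritypay.com/checkout">'
        '<input name="card"></form>',
}

if __name__ == "__main__":
    clusters = cluster_by_gateway(SAMPLE_PAGES)
    for host, shops in sorted(clusters.items()):
        print(host, "<-", shops)
    print("shared:", shared_gateways(clusters))
```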