Online Advertising Techniques for Counterfeit Goods and Illicit Sales

Online Advertising Techniques for Counterfeit Goods and Illicit Sales
Andrea Stroppa
Independent security researcher
Huffington Post Italia
[email protected]
Agostino Specchiarello
Università degli studi di
Palermo
Stefano Zanero
Politecnico di Milano
[email protected]
Author
Contributor
Author
Bernardo Perrella
Contributor
Alessandra Spada
TSC Consulting
Carlo Turri
TSC Consulting
Chiara Congedo
TSC Consulting
Contributor
Contributor
Contributor
Introduction
Today’s Internet enables us to easily purchase any kind of item online, from clothes and hi-tech
gadgets to jewelry and kitchen tools. Along with major online “general stores” (such as eBay,
Amazon, or Alibaba) featuring low prices and competitive options, many other e-commerce
websites empower local small- and medium-size companies to directly sell their products via
postal services – potentially reaching a worldwide customer base.
However, the Internet is a mirror of our physical world for better or for worse, and therefore also
provides opportunities for people intent on fraud and counterfeiting to take full advantage of our
digital tools.
In this our independent and self-produced research focus on illicit Facebook advertising pointing
to websites selling counterfeit goods. We outline their technical features to expose the overall
damage of this practice for society at large – particularly targeting name brand companies, online
users and even Facebook’s own reputation.
Online marketplace and counterfeiting activities
The global counterfeiting market has reached unprecedented levels: Counterfeit goods now
account for nearly 10 percent of worldwide trade, an estimated $500 billion annually, according to
1
the World Customs Organization .
Beside the obvious losses for big brand names and fraud galore for consumers, this black market
produces a huge, illicit income for organized criminal organizations, with the additional danger to
the health and safety of unwitting consumers (i.e., in the counterfeit medicine market, well
2
documented in the UNICRI website ), in addition to its suspicious online payment systems.
The development of counterfeiting of goods and their online sales has closely followed the Net
evolution, and today is mostly based on three channels: email, discussion fora and blogs, ad-hoc
websites.
 Email
Unfortunately, all of us are very familiar with spam emails offering any number of items at
unbelievably competitive prices. Even if, according to online security firm Symantec, this
trend is currently “declining”, we are still dealing with very notable figures: recently they
went down from 6,000 billion spam emails per month to “just” about 1,000 billion per
3
month.
1
Black Market for Counterfeit Goods Rakes in $500 Billion Yearly
(http://news.yahoo.com/blogs/nightline-fix/black-market-counterfeit-goods-rakes-500-billion-yearly140659855.html)
2
United Nations Interregional Crime and Justice Research Institute:http://www.unicri.it/topics/counterfeiting/
3
For more detailed data please see "Spam Volumes: Past & Present, Global & Local" by Symantec‘s
Message Labs.http://krebsonsecurity.com/2013/01/spam-volumes-past-present-global-local/)
This decrease is probably due to the reduced effectiveness of these strategies, given the
proliferation of today’s anti-spam filters that redirect any unwanted emails to specific
folders usually never accessed by its user.

Forum
A second option for selling counterfeit goods is through various discussion fora and
blogs. This strategy employs so-called “bots”, automatic programs looking for vulnerable
websites to publish their spam messages, hoping to attract naïve users. According to
4
renowned anti-spam plug-in Akismet , it is able to filter out an average of 7,5 million
comments per hour over the Internet. However, this problem is still so widespread that
the most famous blogging platform, WordPress, provides a detailed page to its user with
5
specific suggestions for fighting obnoxious spam comments.

Forums and blogs
Accordingly, now the vehicle of choice for today’s counterfeit criminals is the creation of
full websites to showcase and sell their illicit goods. But, given the wide spread use of
anti-spam tools, how can these vendors gain online visibility and make their websites
easily found by potential buyers? The answer is somewhat surprising: they are directly
featured in Google search results, mostly through the AdWords system, a do-it-yourself
marketplace for advertisers introduced in 2000. This outcome, along with intense
pressure by brand owners, has now has forced Google to closely monitor its ad-placing
6
system. Another important research about social spam that explains how spam works on
7
social media is "Detecting Spammers on Social Networks".
Targeted advertising on the rise
What happens after we’ve searched the Net comparing websites for a possible car purchase? As
if by magic, in the following hours and days, our browsing experience is filled with side ads about
car offerings similar to models and price ranges we checked out earlier – even when we land on
websites that have nothing to do with automobiles, such as current news outlets. Known as
“targeted advertising”, this practice takes advantage of tracking strategies to display ads suited to
the needs or preferences of specific users.
8
The same is true for Facebook.
After we click on the “like” button for fashion brands pages such as Louis Vuitton, Prada, or
Armani, log into your Facebook account again and you will face a variety of fashion ads – not only
in right column of your homepage normally devoted to ads, but also in your newsfeed, even if
labeled as “sponsored ads”. This is due to the fact that advertisers explicitly request a targeted
user profile based on similar preferences and marketplaces.
It’s no secret, for example, that Facebook, Google, and Apple are deploying new and more
sophisticated tracking and profiling techniques for the rapid emergence of mobile devices, while
9
the “cookie” option is quickly becoming obsolete.
4
To keep spam off of the web: http://akismet.com/how/
Combating Comment Spam: http://codex.wordpress.org/Combating_Comment_Spam
6
"Google partners with luxury giant lvmh to fight counterfeits online":
http://www.fastcompany.com/3035247/most-innovative-companies/google-partners-with-luxury-giant-lvmhto-fight-counterfeits-onlin
7 "Detecting Spammers on Social Networks"
http://www0.cs.ucl.ac.uk/staff/G.Stringhini/papers/socialnet-spam.pdf
8 The number one global social network, with over 1.3 billion registered users
http://files.shareholder.com/downloads/AMDA-NJ5DZ/3349478089x0x770377/abc6b6d4-df03-44e1-bb4d7877f01c41e0/FB%20Q2
5
Just as Google has became a de facto electronic advertising sales company, today’s Facebook
business model is rooted in advertising and, according to its official data and other media
10
reports , it seems quite successful:
“Revenue for the quarter ending June 30 totalled $2.91 bn, an increase of 61% over the $1.81 bn
reported in the same quarter of 2013. Excluding the impact of year-over-year changes in foreign
exchange rates, Facebook said revenue would have increased by 59%”.
Our research method on counterfeit luxury and fashion markets
Our research is focused on luxury and fashion markets because they are the most targeted by
11
counterfeit criminals, as detailed in a report on current trends.
Particularly in the fashion market, the Italian tradition is still very strong and it’s imperative to
protect its artistic and innovative position. And according to FashionUnited, a major source for
fashion business news, in 2012 the US fashion market accounted for about $284 billion dollars in
12
revenue.
We first set up a few automatic Facebook accounts (the so-called “bots”) to activate and gather
the specific ads promoted by this social network. Then we proceeded with an accurate manual
analysis of such ad links, in order to determine and divulge in detail the underpinnings of illicit
online practices related to counterfeit activities.
Our main research goal is qualitative rather than quantitative: instead of trying to study “all”
websites selling counterfeit items, we focus on just a few high-profile cases in order to highlight
the basic mechanisms of such illicit enterprises.
9"The
cookie is dead. Here’s how Facebook, Google, and Apple are tracking you now"
http://venturebeat.com/2014/10/06/the-cookie-is-dead-heres-how-facebook-google-and-apple-are-trackingyou-now/
10 "Facebook earnings beat expectations as ad revenues soar"
http://www.theguardian.com/technology/2014/jul/23/facebook-earnings-beat-expectations-ad-revenues
"Anti-counterfeiting in the fashion and luxury sectors: trends and strategies"
http://www.worldtrademarkreview.com/Intelligence/Anti-Counterfeiting/2013/Industry-insight/Anticounterfeiting-in-the-fashion-and-luxury-sectors-trends-and-strategies.
12 " Global fashion industry statistics - International apparel"
http://www.fashionunited.com/global-fashion-industry-statistics-international-apparel
11
Case study

Case study #1: Luxottica’s Ray Ban
13
Two Sponsored Ads on Facebook
In this case, both ads linked to a website with no affiliation to Ray Ban, managed by an
organization that owned over 80 Internet domains, registered through a Chinese registrar, to sell
counterfeit items under the Luxottica brand (Italy-based world’s largest eyewear company). Even
if it’s dispersed through hosting servers based in different countries, including USA and the
Netherlands, all websites share some specific features (link appearances, download code
referencing to Chinese websites, etc.) and the same Chinese registrar – thus validating our
suspicion that the organization is actually based in mainland China.
What emerges here is a variety of techniques aimed at deceiving consumers while at the same
time trying to “safeguard” an illegal business:
14
1. Ownership of multiple domains including the word “Rayban” in their URLs,such as :
- "Ray-Ban Official Site - USA"(www.ray-ban.com/)
- "Ray-Ban Sito Ufficiale - Italy"(www.ray-ban.com/italy)
- "Occhiali da sole - Spedizione GRATUITA"(www.ray-ban.com/italy/occhiali-da-sole/clp)
- "Ray-Ban Official Site - International"(www.ray-ban.com/international)
2. Ownership of several domains including specific country names in their URLs, such as:
"http://rayban-ireland.com"
3. Use of graphic templates resembling an official brand website:
13
Luxottica: http://en.wikipedia.org/wiki/Luxottica
14
http://rayban-[…].com
4. Fake warranty buttons and payment system logos.
Often these illicit website pages feature logos and marks belonging to well-known security
companies and online payment systems. Properly added at the bottom of most pages, these
images aim at deceiving users and falsely infer that the website is being approved and authorized
by those payment systems and security companies.
5.Online
payment
systems
that
are
unknown,
dubious
and
opaque.
All payment options use a service, sslcreditpay.com, that points to a website already associated
15
to other illicit goods vendors. Besides a bad reputation, the studied websites do not provide
details on this service company nor on its data protection policy. Finally, these websites apply
outdated security protocols, thus showing a complete disregard for the safety and security of its
user personal data.

Case study #2: LVMH’s Louis Vuitton
16
In this instance the ad link pointed to a website that had nothing to do with the official Louis
Vuitton website. It is registered through a US registrar and provider, whose server also hosts
more than 100 domains – all of them with similar names and selling counterfeit goods. It should
also be noted that initially the original website, reached via a Facebook sponsored ad, had been
registered through a Chinese provider.
Here is a summary of the various options deployed to deceive internet users and “protect” an illicit
business:
1. The domain name resembled that of the official targeted brand, but with an extra letter at the
end (or similar tiny changes in other cases) – i.e., Louisvuittona.com
2. As shown in the image below, the homepage features the same design and colors used by the
official French brand website, including the distinctive Louis Vuitton trademark.
15
"If It Sounds Too Good To Be True…"
http://krebsonsecurity.com/2014/06/if-it-sounds-too-good-to-be-true/#more-26236
16 Louis Vuitton: http://en.wikipedia.org/wiki/LVMH
3. To further resemble a legitimate major e-commerce venture, this website featured a “Live
Support” option: users could open a window to chat in real time with a local operator – based on
17
the “Jivo chat” system .
4. As in the previous case study, all payments are processed through the same sslcreditpay.com
service: an interesting connection between the two illicit website operations.
5. Each webpage footer included official certification logos of renowned security companies
(especially McAfee and Verisign). By clicking on the McAfee logo, for example, a user lands on a
page like this:
18
At a first sight, the McAfee Secure certifies that our website is absolutely safe, protecting users
from “identify theft, viruses, spyware and other online threats”. However, this is just a fake page
using the official McAfee logo and wording, under a domain name very similar to the original
19
McAfee name. Only a very vigilant user, or someone alerted by a weird detail here and there,
could become suspicious and jump to the actual McAfee homepage to verify the authenticity of
that website name.
Indeed, when entering it at the page:
https://www.mcafeesecure.com/verify?host=www.mcafeesecure.com, we discover that is an
obvious fake.
The same procedure applies to the VeriSign logo: by clicking on it, we land on a page with a
domain name containing the actual “Verisign” name and an “official” screenshot, as in the
following image:
17
Jivo chat: https://www.jivochat.com/
18
https://www.mcafeesecure.com/tour
http://mcafeesecuresinfo.com
19
Apparently this page confirms the website’s SSL certification status and its encrypted data
transmission to protect user personal data. The identity of the website owner is also being
verified, to reassure us that this is a legitimate company website. Unfortunately, a simple check
20
on the official VeriSign website reveals that we dealing with a completely fake website.

Case study #3: LVMH’s Louis Vuitton
In another instance involving Louis Vuitton (one of the most targeted brands on the web), the
following Facebook sponsored ad pointed to a website completely different from the official Louis
Vuitton website.
This illicit website looks similar to the previous cases, with several options aimed at deceiving
users and “verify” its “legitimate” business – including the following features:
1. The domain name adds to the official brand a specific item name, i.e.: louisvuitton-shoes.com
2. The homepage features the same design and colors used by the official French brand website,
including the distinctive Louis Vuitton trademark.
3. We tried to buy an item and pay directly with a credit card. Here is a short description of the
payment procedure.
20
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
After checking the source code for the last page (when prompted to enter credit card info), we
found a gateway to the online payment system called cybersecuritypay.com, which is protected
by a whois-guard, making it therefore impossible to look up for its owner. The
cybersecuritypay.com domain has been registered in China, with a web hosting based in Canada.

Case study #4: multi-brand shops
We studied discountbrandshop.net, as an example of illicit websites selling mostly counterfeit
merchandise from worldwide luxury and fashion brands (along with items from cheaper brands).
As shown in the images above, this website covers several renowned brands, such as: Armani,
Burberry, Prada, Bulgari, Dior, RayBan, Boss, Calvin Klein, Versace, Diesel, Abercrombie &
Fitch, Adidas, Nike, Ralph Lauren.
Instead of a website that tries hard to resemble an original brand website, in this case we have an
online “general store” selling a variety of counterfeit items (t-shirts, glasses, shoes, jackets, belts,
etc.) at “truly unbeatable” prices.
This website is hosted in the Netherlands and has been registered through a Chinese
provider/registrar.
The prominent features and procedures of this (and similar websites) can be summarized as
follows:

Most domains appear to be registered through the same few (4-5) registrars based in
China and employ some form of identity/privacy protection for the registrants (which in
itself it is not uncommon nor malicious).

However, some registrars do not have a completely clean slate. For instance, a registrar
still widely used today is Xin Net Technology, until a few years back almost predominant,
being the first launched in China. This registrar alone accounts for many documented
21
violations of the ICANN rules. They also appear to have a slow reaction against threats
such as Zeus. In other words, they do not seem malicious but maybe just slower to react
upon notice, and not so great at record-keeping – which is pretty much what website
operators need to do.

It is also worth noting that, in China, any domain registration requires a National ID card,
and website operations require a specific license (ICP) linked to an individual. This,
however, only applies to .cn domain names, and to IP addresses beyond the Chinese
Great Firewall. Therefore, the chances of tracking down individual operators are very
slim.
Possible clues about the geographic origin of these illicit websites
Even if, according to the whois registry, most of those domains are registered in China and often
their owners are Chinese citizens with email accounts based in China, it is impossible to actually
prove that these illicit websites are run by Chinese organizations.
However, a few elements of evidence provide some valuable clues. Quite often the English
language used throughout those websites includes mistakes and typos, clearly suggesting nonEnglish authors. Even more peculiar are some technical features shared by all websites analyzed
in our research. The vast majority of them uses ZenCart, a well-known e-commerce CMS, but in
its Chinese version (ZenCart-cn), thus hinting that their webmasters can read and understand
Chinese.
An additional, compelling is that most websites studied here point to payment systems based in
China. It seems that each illicit operation relies on a managing team, with different people taking
care of website management, administrative tasks, customer care, counterfeit goods production,
and online advertising (such Facebook sponsored ad campaigns). Obviously, different
components of the team may be of different geographic background.
21
https://www.icann.org/en/system/files/correspondence/serad-to-he-08jul14-en.pdf

Use of redirects and estimates on phenomenon views
We identified also the following peculiar Facebook ad pointing to an illicit website selling
counterfeit Louis Vuitton merchandise.
This ad is particularly interesting because it uses a redirection through bit.ly, the famous link
shortening service. The usage of redirections through URL shorteners to ensure durability of
malicious content and protection to the content authors has already been studied extensively in
22
the past . As shown below, eventually that bit.ly link pointed to a clone of the official Louis
Vuitton website: its domain reads as “Louis--Vuitton.co”.
However, in this case, the malicious use of a shortener to hide the real website name backfired.
Thanks to bit.ly, we were able to retrieve some useful statistics on click-throughs on the ad: the
th
th
following diagram covers a total of 966 clicks between October 12 and October 15 :
22 Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher
Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero: Stranger Danger: Exploring the Ecosystem of
Ad-based URL Shortening Services, in Proceedings of the 23rd International Conference on World Wide
Web, pp. 51–62: http://wwwconference.org/proceedings/www2014/proceedings/p51.pdf
The vast majority of traffic was clearly generated through Facebook, and the amount of people
clicking through this ad in just a few days is definitely relevant.

A widespread phenomenon
Along with the three case studies detailed above, a more general overview of many other
websites confirms a shared strategy to carry out such fraud and counterfeit activities. First of all,
the Facebook ads have a similar look and very often use some recognizable “keywords.” In some
cases, they also feature images without mentioning any specific brand in their description –
suggesting a certain caution on their part.
As shown in the following images, certainly on Facebook it is quite easy to bump into these kinds
of ads, thus implying widespread diffusion of online counterfeit operations.
"The description does not provide
references to any particular brand,
but the image displays a Ralph
Lauren t-shirt".
"The description does not provide references
to any particular brand, but the image displays
a Canada Goose overcoat".
"Here there is a 0 [zero] instead
of the letter O in the name of
world’s largest eyewear
company Luxottica".
"Same as above: there is a 0 [zero]
instead of the letter O in the name
KORS Handbag company".
Organizational Outline
Conclusions
A technical journalist previewing this research commented aptly: «This phenomenon is similar to
having your local TV channel run a commercial about some street stores selling counterfeit
items».
Unfortunately, the vast majority of users are not aware that there are some websites advertised
on a major website such as Facebook that sell counterfeit brand items. As explained above, in
some cases those are high-quality websites featuring the same design and colors of the targeted
official website, a domain name including a name similar to the brand name, and certification and
security logos to “validate” their purchases.
To put this in context, there is an important difference between a real and a virtual environment: it
is much easier to recognize a counterfeit item in the former, while in the latter you must have both
technical skills and a good dose of intuition to distinguish a fake ad or website from a legitimate
one. Also, in the case of a brick-and-mortar shop usually you can take back a counterfeit item, get
a refund and/or alert authorities – while on the Internet it is very difficult or almost impossible to
have direct personal contact to file a complaint or ask for a refund. And even when officials
manage to block or seize one of these online criminal organizations (according to different laws in
different countries), often they are quick to reopen shop with a new domain and a new web
hosting service to sell their counterfeit goods.
At the same time, it would be ingenerous to blame Facebook for such practices: even if at a close
look it becomes clear that they are running illicit activities, very often their ads look so legitimate
that they might mislead even a skilled advertisement editor, unless specifically trained and made
aware of the problem. And their job gets even harder when criminal webmasters set up multiple
re-directing links, a technique often used in the cybercrime world; or when they run multi-brand
shops offering bargain prices, as opposed to “fake” shop of major brands (which are far easier to
spot). Needless to say, this widespread phenomenon produces serious damage at different levels
of our society. Companies are compelled to act to prevent growing counterfeit activities, lawful
retailers lose potential customers, and online users waste their money for very low quality items
(in some cases even toxic or harmful to our health). Moreover, as shown in our research, dubious
or opaque online payment systems could jeopardize credit cards info and other personal data.
Finally, advertisement networks such as the one run by Facebook risk losing their credibility, and
face an increasing cost in their practices to protect their users from fraud and damage. In regards
to these latter issues, we are glad to report that, since the inception of our research project, many
of these illicit Facebook ads have been removed and many websites selling counterfeit goods
have been promptly blocked or seized by local authorities.
This research is completely independent, self-produced and for educational purpose only.
Anybody is welcome to quote, copy and redistribute this research content with the appropriate
credit and attribution.