What do premier watches, designer handbags and prescription pharmaceuticals all have in common? These are just a few items being sold on the Internet, as counterfeits of actual brand names, for enormous profits. In fact, according to the International Trademark Association, $460bn (£323.11bn) of counterfeit goods were bought and sold last year, mostly online.
Online fraud not only represents millions of dollars in lost revenue, it also tarnishes and devalues premium brand names. As an example, Gucci America recently won judgements worth more than $9m (£6.3m) against a group of nearly 100 websites selling knock-off merchandise. Sites that used “Gucci” in their domain names were ordered to pay additional damages totalling $110,000 (£77,000).
In order to lure unsuspecting consumers to malicious websites to purchase counterfeit goods, cybercriminals abuse the Domain Name System (DNS). By taking a close look at the methods cybercriminals use to undermine the legitimacy of brands, we came to understand how significant the abuse of those brands, through counterfeiting and other malicious activities, is.
How criminals abuse DNS to commit fraud
Due to the easy availability of inexpensive domain names, criminals will often register, use, and abandon new domains within a window of just minutes. Once new domains are set up, their operators will deploy the following tactics to mimic, undermine or lure prospective customers of the legitimate brand to their imitation domain:
- Phishing: Lookalike malicious domains used to create websites or emails to lure unsuspecting users for fraud, the download of malware, and other cybercrimes.
- Brand Infringement: Unauthorized use of a brand or trademark as part of a domain name.
- Brand Dilution: Brands, if not protected and reserved for use by the brand-holder, are at risk of becoming generic references to a class of goods rather than a specific reference to a company’s product. This has happened to some photocopier brands, for example, or to some over-the-counter drug brands.
- Brand Diminishment: Mislabeled or inferior knock-off products diminish the prestige and perception of quality that the brand owner has worked hard to establish for their authentic goods.
- Brandjacking: A common example is using brand names in a web page’s keywords, even if the keywords have nothing to do with what is on that page.
- Brand Typosquatting: Here, criminals will register a “typo domain” that is lexically similar to an entity’s brand with the intention of launching an attack listed above.
Retailers, specifically luxury brands, remain a lucrative target for cybercriminals. To reveal the enormous scope of this risk, Farsight Security and DomainTools examined the domains of four international luxury brands known for their sought-after designer watches, clothing, handbags and accessories – Burberry, Prada, Cartier and Gucci. By using Farsight historical Passive DNS and DomainTools domain registration and profile data, security researchers from the two firms revealed how cybercriminals are exploiting DNS to commit fraud – using cheap domains and other techniques to lure unsuspecting consumers to buy knock-off luxury goods.
Among the findings of the report:
- A given brand could have 100,000 or more possible domain name permutations for each of its properties.
- Hundreds of domains exist with terms such as “cheap” and “fake,” as well as domains purporting to be retail outlets, but whose registration records showed no connection to the brand or related operations.
- Brand infringement domains appear to have relatively low rates of malware, phishing and spam.
Brand holders don’t use Whois privacy, but imitators do
Following the report, the DomainTools research team analysed domains mimicking Cartier, Givenchy, Louis Vuitton, Burberry, Hermes, Chanel, Prada and Gucci using PhishEye. PhishEye allows users to search for existing and new domains that spoof legitimate brand, product, organization, or other names. In total, there were 538 domains identified as high risk that contained the brand names. Some examples include:
The ease with which anyone can create a domain is great for the average person looking to start their own website, but it is a never-ending nuisance for brands. The bigger and more lucrative the brand, the more of a target it becomes for cybercriminals.
Consumers will commonly see these domains being used in Facebook scams that ask them to ‘share’ a coupon and in phishing emails. Criminals bet on user trust and brand equity to overcome any suspicion that the site doesn’t look quite like what they are used to. The inferior goods that are delivered (or, in the case of some scams, not delivered) damage the hard-earned brand equity with the customer and likely cost the company a sale in the process.
Many companies have taken to defensively registering their own typo variants and searching for other existing domains that contain their brand name in order to fight this. Companies are well-advised to take advantage of domain and DNS-related data and tools in order to take proactive measures against all the forms of domain-based online brand abuse. But, as we have seen, it is not practical for any company to defensively register all of the possible variations of its brand. It is therefore incumbent upon all of us to be vigilant against abuse.
Top tips to avoid falling foul of a spoof website
- Watch out for domains that have COM-[text] in them. We’re so accustomed to seeing .com that we can easily overlook the extra text that’s appended to it with a dash. An example is “com-latte[.]us” which was used in conjunction with phony Starbucks coupons.
- Look for typos on the website, coupon, or link that is directing you – for example, check for extra added letters in the domain, such as Yahooo[.]com.
- Look out for ‘rn’ disguised as an ‘m’, such as modem.com versus modern.com.
- Watch all website redirects by hovering over URLs to see where the link will take you.
- Realise that if something is too good to be true, it likely is.
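The checks in these tips (a COM-[text] label, extra repeated letters, ‘rn’ standing in for ‘m’), together with the brand-in-domain and typo-domain patterns described earlier, can be applied automatically to a list of newly observed domains. The following Python is an added example, not code from DomainTools or Farsight; the brand list, the allowlist of official domains and all function names are assumptions constructed for illustration.

```python
import re

# Constructed watch list and allowlist, using names that appear in the article.
BRANDS = ["gucci", "prada", "cartier", "burberry", "yahoo", "modem"]
OFFICIAL = {"gucci.com", "prada.com", "yahoo.com", "modem.com"}

def skeleton(label):
    """Fold the visual tricks from the tips: 'rn' read as 'm', repeated letters."""
    return re.sub(r"(.)\1+", r"\1", label.replace("rn", "m"))

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]

def check_domain(domain, brands=BRANDS, official=OFFICIAL):
    """Return reasons a domain deserves a closer look; an empty list means none."""
    domain = domain.lower().replace("[.]", ".").strip(".")
    if any(domain == o or domain.endswith("." + o) for o in official):
        return []
    labels = domain.split(".")
    reasons = []
    # A "com-[text]" label imitates a real .com ending, e.g. com-latte.us
    if any(label.startswith("com-") for label in labels):
        reasons.append("com-dash label")
    for label in labels[:-1]:  # the last label is the TLD itself
        for brand in brands:
            if label != brand and skeleton(label) == skeleton(brand):
                reasons.append(f"visual lookalike of {brand}")
            elif brand in label:
                reasons.append(f"contains brand {brand}")
            elif within_one_edit(label, brand):
                reasons.append(f"one edit from {brand}")
    return reasons

if __name__ == "__main__":
    for d in ["com-latte[.]us", "Yahooo[.]com", "modern.com",
              "cheap-gucci-outlet.net", "prida.shop", "gucci.com"]:
        print(d, "->", check_domain(d) or "no flags")
```

A flag here means only that the name resembles a watched brand; registration records and passive DNS history are still needed to judge whether the domain is abusive.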
Tim Helming is the director of product management at DomainTools. DomainTools is an American company that provides DNS research tools that use a database of domain name, IP address, and WHOIS data. These tools are used for brand protection, domain monitoring, domain valuation, and cybercrime investigation.