Digital Online Shop Commerce Market Office Concept
Cybercrime | News | Scams

Of Counterfeit Sites and Denali Jackets

Posted: June 10, 2015 by Malwarebytes Labs

At hpHosts, Malwarebytes’s trusted blacklist of malicious sites, we also receive tip-offs or reports from users about one or two dodgy URLs they may have encountered while surfing the Web on top of those our engineers gather themselves.

The latest tip we received recently was on a fake The North Face website. As per Hosts‘s classification, it’s filed under FSA, meaning it’s a site “engaged in the selling or distribution of bogus or fraudulent applications and/or provision of fraudulent services.” It’s located at thenorthfaceoutlet(dot)in(dot)net, with the following screenshot of the default page below:

00

(click to enlarge)

Majority of sites, such as the above, offer counterfeit products which are shipped from China. Some just charge the unwary visitor but have no intention of shipping the product. Some still include JavaScript code onto their domains that security sites deem malicious.

Regular users, on the other hand, may class thenorthfaceoutlet(dot)in(dot)net, and others like it, as simply scam or even phishing campaigns. The former, we can readily prove here in this post; the latter, I’m afraid, takes more than just conjecture.

The Skinny

We dug deeper into the case of this particular fake The North Face site. Below are our observations based on its whois data and generally what’s on the site:

  • The email address used to register the domain is from @163.com, a popular Chinese Web portal operated by NetEase, Inc. It was also used to register multiple domains
  • The domain is hardly four months old.
  • Although the domain’s IP is said to be hosted in Singapore, the personally identifiable information (PII) used to register thenorthfaceoutlet(dot)in(dot)net are someone from the US. We reckon that whoever was really behind the site scraped information they needed from publicly-available sources online, such as free people search engines.
  • We have observed that its purported support email, onlineservice_001@live.com, has been associated with other equally dodgy domains that are selling products of big names such as Michael Kors, Louis Vitton, Ralph Polo Lauren and others.
  • The site listed a US Head Office address that actually belonged to Barbour, another clothing brand.
  • In order for would-be buyers to make a purchase on the site, it requires them to register. They ask for login, payment, address, and contact details.
  • This counterfeit site’s URL, along with others like it that we’ve seen, shows no signs of typo-squatting.
  • This site also uses decent resolution of photos, further removing the hint of phoniness about it.

During our research, it’s no surprise to see that there are more URLs similar to the fake The North Face site we’re discussing here—more than 50 in our count, at least.

There were probably more campaigns that have gone down these past few months and being created as we speak.

A recent APWG global phishing survey (PDF) published revealed more phishers in China are registering domains due to dropping prices.

APWG believed this will attract more bad actors into setting up their own sites, regardless of their malicious purpose: phishing, distribution of malware, and, yes, even establishment of domains selling counterfeit products. Below are screenshots of the eight out of the 50+ sites on our list that are still online, as of this writing:

The Means

At some point, these campaigns have to be “marketed” somewhere. Unfortunately for us, most if not all of these sites have excellent SEO scores that may rival their legitimate counterparts. That alone may up the chances of users unfamiliar of a brand’s official URL to go to search engines for help.

Another tactic the bad guys rely on is, of course, spam:

carpet-bombed-spam

(click to enlarge)

What you see above is a carpet bomb of links posted on a legitimate website about London. We’ve see more posted on comments sections and guest book entries of actual donation pages, travel sites, eSports sites, and tribute pages.

Probably unrelated to the dubious site above, but we’ve also came across complaints about certain Facebook users having an online yard sale, enticing people to buy their affordable, slightly used knock-offs.

The Counter

We’re pleased to see that The North Face redirects URLs selling counterfeit products to the IP 167.64.243.157, which actually shows a Notice to Consumers graphic, informing them that the site they’re attempting to visit is actually is wrong and points them to the correct destinations instead. Screenshot below:

notice

(click to enlarge)

Although not all of the bad sites redirect this way, which is no vendor’s fault, we still think it’s a decent way to educate users and to curb the number of potential victims of these fake sites.

The best way to combat counterfeiters is to report them, either to the official channels of the brand being mimicked, to a blacklist site like hpHosts, which also reports to proper authorities, or to your favorite AV vendor.

Most (if not all) AV software now have built-in Web protection solutions that block malicious sites and unwanted redirects as long as they’re in their blacklist. Keep that in mind.

Other steps users may take to protect themselves are as follows:

  1. Bookmark online stores you frequent, removing the need of memorizing their URLs.
  2. When buying online, it’s more advantageous to use your credit card instead of your debit card. Most credit card companies already have insurance or a chargeback scheme in place while banks that issue debit cards have yet to emulate this.
  3. Keep your AV software updated.
  4. When you enter information to a site, make sure that it is secure first. How to tell if a site is secure? The URL should start with “https://”, with the operative letter being the “s”. If it’s not there, avoid entering your information.

Other related post(s):

RELATED ARTICLES

Fishing in a lake
Cybercrime

Law enforcement reels in phishing-as-a-service whopper

April 18, 2024 - A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

CONTINUE READING 0 Comments
Cerebral logo
News | Privacy

Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million

April 18, 2024 - The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

CONTINUE READING 0 Comments
JuicyFields investment scam
News | Scams

Cannabis investment scam JuicyFields ends in 9 arrests

April 18, 2024 - JuicyFields was an investment scam that urged victims to invest in cannabis production.

CONTINUE READING 0 Comments
A mobile phone in the hands of a young woman in a dark colored t-shirt.
Privacy

Should you share your location with your partner?

April 17, 2024 - Location sharing is popular among couples. But is it something you want in your own relationship?

CONTINUE READING 0 Comments
Giant Tiger logo
News | Personal

Giant Tiger breach sees 2.8 million records leaked

April 16, 2024 - A threat actor claims to be in possession of 2.8 million records originating from a hack at Canadian retail chain Giant Tiger

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Malwarebytes Labs

Malwarebytes Labs

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams