
Online Advertising Techniques For Counterfeit Goods and Illicit Sales

The document discusses how counterfeit goods are advertised and sold online. It notes that counterfeiting now accounts for 10% of global trade. Sellers of fake goods utilize targeted Facebook ads, email spam, forums and blogs to promote their websites selling counterfeits. The researchers created Facebook profiles to analyze how counterfeiters use targeted ads on the platform. Their goal is to expose how illicit online businesses exploit digital advertising to sell fake luxury fashion items.

Uploaded by

Andrew
Copyright
© Attribution (BY)

Online Advertising Techniques for Counterfeit Goods and Illicit Sales

Introduction

Today's Internet enables us to easily purchase any kind of item online, from clothes and hi-tech
gadgets to jewelry and kitchen tools. Along with major online general stores (such as eBay,
Amazon, or Alibaba) featuring low prices and competitive options, many other e-commerce
websites empower local small- and medium-size companies to sell their products directly via
postal services, potentially reaching a worldwide customer base.
However, the Internet is a mirror of our physical world, for better or for worse, and therefore also
provides opportunities for people intent on fraud and counterfeiting to take full advantage of our
digital tools.
In this independent and self-produced research, we focus on illicit Facebook advertising pointing
to websites selling counterfeit goods. We outline their technical features to expose the overall
damage this practice does to society at large, particularly to name-brand companies, online
users and even Facebook's own reputation.


Online marketplace and counterfeiting activities

The global counterfeiting market has reached unprecedented levels: counterfeit goods now
account for nearly 10 percent of worldwide trade, an estimated $500 billion annually, according to
the World Customs Organization [1].
Besides the obvious losses for big brand names and widespread fraud against consumers, this black
market produces a huge, illicit income for organized criminal groups, with the additional danger to
the health and safety of unwitting consumers (e.g., in the counterfeit medicine market, well
documented on the UNICRI website [2]), in addition to its suspicious online payment systems.

The development of counterfeiting of goods and their online sales has closely followed the Net's
evolution, and today is mostly based on three channels: email, discussion fora and blogs, and ad-hoc
websites.
Email
Unfortunately, all of us are very familiar with spam emails offering any number of items at
unbelievably competitive prices. Even if, according to online security firm Symantec, this
trend is currently declining, we are still dealing with very notable figures: recently they
went down from 6,000 billion spam emails per month to just about 1,000 billion per
month [3].
This decrease is probably due to the reduced effectiveness of these strategies, given the
proliferation of today's anti-spam filters that redirect unwanted emails to specific
folders that users usually never access.

[1] Black Market for Counterfeit Goods Rakes in $500 Billion Yearly
(http://news.yahoo.com/blogs/nightline-fix/black-market-counterfeit-goods-rakes-500-billion-yearly-140659855.html)
[2] United Nations Interregional Crime and Justice Research Institute: http://www.unicri.it/topics/counterfeiting/
[3] For more detailed data please see "Spam Volumes: Past & Present, Global & Local" by Symantec's
Message Labs (http://krebsonsecurity.com/2013/01/spam-volumes-past-present-global-local/)

Authors and contributors:
Stefano Zanero, Politecnico di Milano, zanero@polimi.it (Contributor)
Agostino Specchiarello, Università degli Studi di Palermo (Author)
Andrea Stroppa, Independent security researcher, Huffington Post Italia, andst7@gmail.com (Author)
Chiara Congedo, TSC Consulting (Contributor)
Bernardo Perrella (Contributor)
Alessandra Spada, TSC Consulting (Contributor)
Carlo Turri, TSC Consulting (Contributor)

Forum
A second option for selling counterfeit goods is through various discussion fora and
blogs. This strategy employs so-called bots, automatic programs looking for vulnerable
websites to publish their spam messages, hoping to attract naive users. According to
Akismet [4], a renowned anti-spam plug-in, it is able to filter out an average of 7.5 million
comments per hour over the Internet. However, this problem is still so widespread that
the most famous blogging platform, WordPress, provides a detailed page to its users with
specific suggestions for fighting obnoxious spam comments [5].

Ad-hoc websites
Accordingly, the vehicle of choice for today's counterfeit criminals is now the creation of
full websites to showcase and sell their illicit goods. But, given the widespread use of
anti-spam tools, how can these vendors gain online visibility and make their websites
easily found by potential buyers? The answer is somewhat surprising: they are directly
featured in Google search results, mostly through the AdWords system, a do-it-yourself
marketplace for advertisers introduced in 2000. This outcome, along with intense
pressure by brand owners, has now forced Google to closely monitor its ad-placing
system [6]. Another important piece of research on social spam, which explains how spam
works on social media, is "Detecting Spammers on Social Networks" [7].




Targeted advertising on the rise

What happens after we've searched the Net comparing websites for a possible car purchase? As
if by magic, in the following hours and days, our browsing experience is filled with side ads about
car offerings similar to the models and price ranges we checked out earlier, even when we land on
websites that have nothing to do with automobiles, such as current news outlets. Known as
targeted advertising, this practice takes advantage of tracking strategies to display ads suited to
the needs or preferences of specific users.

The same is true for Facebook [8].

After we click on the like button for fashion brands' pages such as Louis Vuitton, Prada, or
Armani and log into our Facebook account again, we face a variety of fashion ads not only
in the right column of the homepage normally devoted to ads, but also in the newsfeed, although
labeled as sponsored ads. This is due to the fact that advertisers explicitly request a targeted
user profile based on similar preferences and marketplaces.

It's no secret, for example, that Facebook, Google, and Apple are deploying new and more
sophisticated tracking and profiling techniques in response to the rapid emergence of mobile
devices, while the cookie option is quickly becoming obsolete [9].

[4] To keep spam off of the web: http://akismet.com/how/
[5] Combating Comment Spam: http://codex.wordpress.org/Combating_Comment_Spam
[6] "Google partners with luxury giant lvmh to fight counterfeits online":
http://www.fastcompany.com/3035247/most-innovative-companies/google-partners-with-luxury-giant-lvmh-to-fight-counterfeits-onlin
[7] "Detecting Spammers on Social Networks":
http://www0.cs.ucl.ac.uk/staff/G.Stringhini/papers/socialnet-spam.pdf
[8] The number one global social network, with over 1.3 billion registered users:
http://files.shareholder.com/downloads/AMDA-NJ5DZ/3349478089x0x770377/abc6b6d4-df03-44e1-bb4d-7877f01c41e0/FB%20Q2

Just as Google has become a de facto electronic advertising sales company, today's Facebook
business model is rooted in advertising and, according to its official data and other media
reports [10], it seems quite successful:
Revenue for the quarter ending June 30 totalled $2.91 bn, an increase of 61% over the $1.81 bn
reported in the same quarter of 2013. Excluding the impact of year-over-year changes in foreign
exchange rates, Facebook said revenue would have increased by 59%.


Our research method on counterfeit luxury and fashion markets

Our research is focused on luxury and fashion markets because they are the most targeted by
counterfeit criminals, as detailed in a report on current trends [11].

Particularly in the fashion market, the Italian tradition is still very strong and it's imperative to
protect its artistic and innovative position. And according to FashionUnited, a major source for
fashion business news, in 2012 the US fashion market accounted for about $284 billion in
revenue [12].

We first set up a few automatic Facebook accounts (the so-called bots) to activate and gather
the specific ads promoted by this social network. Then we proceeded with an accurate manual
analysis of such ad links, in order to determine and divulge in detail the underpinnings of illicit
online practices related to counterfeit activities.

Our main research goal is qualitative rather than quantitative: instead of trying to study all
websites selling counterfeit items, we focus on just a few high-profile cases in order to highlight
the basic mechanisms of such illicit enterprises.



















[9] "The cookie is dead. Here's how Facebook, Google, and Apple are tracking you now":
http://venturebeat.com/2014/10/06/the-cookie-is-dead-heres-how-facebook-google-and-apple-are-tracking-you-now/
[10] "Facebook earnings beat expectations as ad revenues soar":
http://www.theguardian.com/technology/2014/jul/23/facebook-earnings-beat-expectations-ad-revenues
[11] "Anti-counterfeiting in the fashion and luxury sectors: trends and strategies":
http://www.worldtrademarkreview.com/Intelligence/Anti-Counterfeiting/2013/Industry-insight/Anti-counterfeiting-in-the-fashion-and-luxury-sectors-trends-and-strategies.
[12] "Global fashion industry statistics - International apparel":
http://www.fashionunited.com/global-fashion-industry-statistics-international-apparel

Case study

Case study #1: Luxottica's Ray Ban [13]



Two Sponsored Ads on Facebook

In this case, both ads linked to a website with no affiliation to Ray Ban, managed by an
organization that owned over 80 Internet domains, registered through a Chinese registrar, to sell
counterfeit items under the Luxottica brand (the Italy-based world's largest eyewear company). Even
though they are dispersed across hosting servers based in different countries, including the USA and
the Netherlands, all the websites share some specific features (link appearances, download code
referencing Chinese websites, etc.) and the same Chinese registrar, thus validating our
suspicion that the organization is actually based in mainland China.

What emerges here is a variety of techniques aimed at deceiving consumers while at the same
time trying to safeguard an illegal business:

1. Ownership of multiple domains including the word "Rayban" in their URLs, such as [14]:
- "Ray-Ban Official Site - USA" (www.ray-ban.com/)
- "Ray-Ban Sito Ufficiale - Italy" (www.ray-ban.com/italy)
- "Occhiali da sole - Spedizione GRATUITA" (www.ray-ban.com/italy/occhiali-da-sole/clp)
- "Ray-Ban Official Site - International" (www.ray-ban.com/international)

2. Ownership of several domains including specific country names in their URLs, such as:
"http://rayban-ireland.com"

3. Use of graphic templates resembling an official brand website:



[13] Luxottica: http://en.wikipedia.org/wiki/Luxottica
[14] http://rayban-[].com

4. Fake warranty buttons and payment system logos.
Often these illicit website pages feature logos and marks belonging to well-known security
companies and online payment systems. Placed at the bottom of most pages, these
images aim at deceiving users and falsely imply that the website has been approved and authorized
by those payment systems and security companies.

5. Online payment systems that are unknown, dubious and opaque.
All payment options use a service, sslcreditpay.com, that points to a website already associated
with other illicit goods vendors [15]. Besides the service's bad reputation, the studied websites
provide no details on this service company nor on its data protection policy. Finally, these websites
apply outdated security protocols, thus showing a complete disregard for the safety and security of
their users' personal data.



Case study #2: LVMH's Louis Vuitton [16]


In this instance the ad link pointed to a website that had nothing to do with the official Louis
Vuitton website. It is registered through a US registrar and provider, whose server also hosts
more than 100 domains, all of them with similar names and selling counterfeit goods. It should
also be noted that initially the original website, reached via a Facebook sponsored ad, had been
registered through a Chinese provider.
Here is a summary of the various options deployed to deceive internet users and protect an illicit
business:

1. The domain name resembled that of the official targeted brand, but with an extra letter at the
end (or similar tiny changes in other cases), i.e., Louisvuittona.com

2. As shown in the image below, the homepage features the same design and colors used by the
official French brand website, including the distinctive Louis Vuitton trademark.


[15] "If It Sounds Too Good To Be True":
http://krebsonsecurity.com/2014/06/if-it-sounds-too-good-to-be-true/#more-26236
[16] Louis Vuitton: http://en.wikipedia.org/wiki/LVMH

3. To further resemble a legitimate major e-commerce venture, this website featured a "Live
Support" option: users could open a window to chat in real time with a local operator, based on
the Jivo chat system [17].

4. As in the previous case study, all payments are processed through the same sslcreditpay.com
service: an interesting connection between the two illicit website operations.

5. Each webpage footer included official certification logos of renowned security companies
(especially McAfee and Verisign). By clicking on the McAfee logo, for example, a user lands on a
page like this:




At first sight, McAfee Secure [18] certifies that our website is absolutely safe, protecting users
from identity theft, viruses, spyware and other online threats. However, this is just a fake page
using the official McAfee logo and wording, under a domain name very similar to the original
McAfee name [19]. Only a very vigilant user, or someone alerted by a weird detail here and there,
could become suspicious and jump to the actual McAfee homepage to verify the authenticity of
that website name.
Indeed, when entering it at the page
https://www.mcafeesecure.com/verify?host=www.mcafeesecure.com, we discover that it is an
obvious fake.
The same procedure applies to the VeriSign logo: by clicking on it, we land on a page with a
domain name containing the actual "Verisign" name and an official screenshot, as in the
following image:

[17] Jivo chat: https://www.jivochat.com/
[18] https://www.mcafeesecure.com/tour
[19] http://mcafeesecuresinfo.com



Apparently this page confirms the website's SSL certification status and its encrypted data
transmission to protect users' personal data. The identity of the website owner is also being
verified, to reassure us that this is a legitimate company website. Unfortunately, a simple check
on the official VeriSign website [20] reveals that we are dealing with a completely fake website.


Case study #3: LVMH's Louis Vuitton

In another instance involving Louis Vuitton (one of the most targeted brands on the web), the
following Facebook sponsored ad pointed to a website completely different from the official Louis
Vuitton website.



This illicit website looks similar to the previous cases, with several options aimed at deceiving
users and making its business appear legitimate, including the following features:

1. The domain name adds to the official brand a specific item name, i.e.: louisvuitton-shoes.com

2. The homepage features the same design and colors used by the official French brand website,
including the distinctive Louis Vuitton trademark.

3. We tried to buy an item and pay directly with a credit card. Here is a short description of the
payment procedure.


[20] https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp


After checking the source code of the last page (where the user is prompted to enter credit card
info), we found a gateway to an online payment system called cybersecuritypay.com, which is
protected by a whois-guard, making it impossible to look up its owner. The
cybersecuritypay.com domain has been registered in China, with web hosting based in Canada.
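
The seal and payment-gateway checks described in case studies #2 and #3 can be repeated over many shops at once. The following is an added example, not code from the original research: it parses checkout pages, flags trust seals that link anywhere other than the verification hosts named above, and groups shops by the third-party host their payment form posts to. The shop hostnames and markup are constructed samples.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Verification hosts named in the text for the two seals discussed.
OFFICIAL_SEAL_HOSTS = {
    "mcafee": {"www.mcafeesecure.com"},
    "verisign": {"ssltools.websecurity.symantec.com"},
}


class CheckoutParser(HTMLParser):
    """Collect form-action hosts and the link target wrapped around each seal image."""

    def __init__(self):
        super().__init__()
        self.form_hosts = set()
        self.seal_links = []   # (seal name, host the seal links to)
        self._href = None      # href of the <a> element currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            host = urlparse(a["action"]).hostname   # None for relative actions
            if host:
                self.form_hosts.add(host.lower())
        elif tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            label = ((a.get("alt") or "") + " " + (a.get("src") or "")).lower()
            for seal in OFFICIAL_SEAL_HOSTS:
                if seal in label:
                    host = (urlparse(self._href).hostname or "").lower()
                    self.seal_links.append((seal, host))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def analyse(pages):
    """pages: {shop_host: checkout_html} -> (shared gateways, suspicious seals)."""
    by_gateway = defaultdict(set)
    fake_seals = []
    for shop, html in pages.items():
        parser = CheckoutParser()
        parser.feed(html)
        for host in parser.form_hosts:
            if host != shop:                     # keep third-party processors only
                by_gateway[host].add(shop)
        for seal, host in parser.seal_links:
            # A seal that does link to the official host must still be opened
            # there to confirm that the shop is really listed.
            if host not in OFFICIAL_SEAL_HOSTS[seal]:
                fake_seals.append((shop, seal, host))
    shared = {g: sorted(s) for g, s in by_gateway.items() if len(s) > 1}
    return shared, sorted(fake_seals)


# Constructed sample pages; the gateway and seal hosts are the ones quoted in the text.
SAMPLE_PAGES = {
    "shop-a.example":
        '<form action="https://sslcreditpay.com/pay" method="post"></form>'
        '<a href="http://mcafeesecuresinfo.com/"><img alt="McAfee Secure" src="/m.png"></a>',
    "shop-b.example":
        '<form action="https://sslcreditpay.com/pay" method="post"></form>'
        '<a href="https://www.mcafeesecure.com/verify?host=shop-b.example">'
        '<img alt="McAfee Secure" src="/m.png"></a>',
    "shop-c.example": '<form action="/checkout" method="post"></form>',
}

if __name__ == "__main__":
    shared, fake = analyse(SAMPLE_PAGES)
    print("shops sharing a payment gateway:", shared)
    print("seals linking to unofficial hosts:", fake)
```
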







Case study #4: multi-brand shops


We studied discountbrandshop.net, as an example of illicit websites selling mostly counterfeit
merchandise from worldwide luxury and fashion brands (along with items from cheaper brands).












As shown in the images above, this website covers several renowned brands, such as: Armani,
Burberry, Prada, Bulgari, Dior, RayBan, Boss, Calvin Klein, Versace, Diesel, Abercrombie &
Fitch, Adidas, Nike, Ralph Lauren.

Instead of a website that tries hard to resemble an original brand website, in this case we have an
online general store selling a variety of counterfeit items (t-shirts, glasses, shoes, jackets, belts,
etc.) at truly unbeatable prices.

This website is hosted in the Netherlands and has been registered through a Chinese
provider/registrar.

The prominent features and procedures of this (and similar websites) can be summarized as
follows:

Most domains appear to be registered through the same few (4-5) registrars based in
China and employ some form of identity/privacy protection for the registrants (which in
itself is neither uncommon nor malicious).

However, some registrars do not have a completely clean slate. For instance, a registrar
still widely used today is Xin Net Technology, which until a few years back was almost
predominant, being the first launched in China. This registrar alone accounts for many documented
violations of the ICANN rules [21]. They also appear to react slowly to threats
such as Zeus. In other words, they do not seem malicious but maybe just slower to react
upon notice, and not so great at record-keeping, which is pretty much what website
operators need.

It is also worth noting that, in China, any domain registration requires a National ID card,
and website operations require a specific license (ICP) linked to an individual. This,
however, only applies to .cn domain names, and to IP addresses beyond the Chinese
Great Firewall. Therefore, the chances of tracking down individual operators are very
slim.


Possible clues about the geographic origin of these illicit websites

Even if, according to the whois registry, most of those domains are registered in China and often
their owners are Chinese citizens with email accounts based in China, it is impossible to actually
prove that these illicit websites are run by Chinese organizations.

However, a few elements of evidence provide some valuable clues. Quite often the English
language used throughout those websites includes mistakes and typos, clearly suggesting
non-English authors. Even more peculiar are some technical features shared by all websites analyzed
in our research. The vast majority of them use ZenCart, a well-known e-commerce CMS, but in
its Chinese version (ZenCart-cn), thus hinting that their webmasters can read and understand
Chinese.







An additional, compelling clue is that most websites studied here point to payment systems based in
China. It seems that each illicit operation relies on a managing team, with different people taking
care of website management, administrative tasks, customer care, counterfeit goods production,
and online advertising (such as Facebook sponsored ad campaigns). Obviously, different
members of the team may be of different geographic backgrounds.







[21] https://www.icann.org/en/system/files/correspondence/serad-to-he-08jul14-en.pdf

Use of redirects and estimates on phenomenon views


We also identified the following peculiar Facebook ad pointing to an illicit website selling
counterfeit Louis Vuitton merchandise.



This ad is particularly interesting because it uses a redirection through bit.ly, the famous link
shortening service. The use of redirections through URL shorteners to ensure durability of
malicious content and protection for the content authors has already been studied extensively in
the past [22]. As shown below, that bit.ly link eventually pointed to a clone of the official Louis
Vuitton website: its domain reads as Louis--Vuitton.co.




However, in this case, the malicious use of a shortener to hide the real website name backfired.
Thanks to bit.ly, we were able to retrieve some useful statistics on click-throughs on the ad: the
following diagram covers a total of 966 clicks between October 12th and October 15th:




[22] Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher
Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero: "Stranger Danger: Exploring the Ecosystem of
Ad-based URL Shortening Services", in Proceedings of the 23rd International Conference on World Wide
Web, pp. 51-62: http://wwwconference.org/proceedings/www2014/proceedings/p51.pdf


The vast majority of traffic was clearly generated through Facebook, and the amount of people
clicking through this ad in just a few days is definitely relevant.



A widespread phenomenon

Along with the three case studies detailed above, a more general overview of many other
websites confirms a shared strategy to carry out such fraud and counterfeit activities. First of all,
the Facebook ads have a similar look and very often use some recognizable keywords. In some
cases, they also feature images without mentioning any specific brand in their description
suggesting a certain caution on their part.
As shown in the following images, certainly on Facebook it is quite easy to bump into these kinds
of ads, thus implying widespread diffusion of online counterfeit operations.














"The description does not provide
references to any particular brand,
but the image displays a Ralph
Lauren t-shirt".










"The description does not provide references
to any particular brand, but the image displays
a Canada Goose overcoat".















"Here there is a 0 [zero] instead
of the letter O in the name of
the world's largest eyewear
company Luxottica".











"Same as above: there is a 0 [zero]
instead of the letter O in the name
KORS Handbag company".
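
The naming tricks seen in the case studies and ad captions above can be checked mechanically by a brand-protection team. The following is an added example, not code from the original research; the brand list, the allowlist of genuine domains and the technique labels are assumptions, and the 1-for-l substitution and one-edit typo check go beyond the 0-for-O swap and extra-letter cases shown in the text.

```python
import re

BRANDS = ("rayban", "louisvuitton", "luxottica", "kors")   # assumed watch list
OFFICIAL = {"ray-ban.com", "louisvuitton.com"}             # assumed genuine domains
OFFICIAL_LABELS = {d.rsplit(".", 1)[0] for d in OFFICIAL}
DIGITS = str.maketrans({"0": "o", "1": "l"})               # undo digit-for-letter swaps


def one_edit_apart(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]      # one substituted character
    return a[i:] == b[i + 1:]              # one extra character in b


def classify_domain(domain):
    """Return (brand, technique) for a lookalike domain, or None if nothing matches."""
    domain = domain.lower().strip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    if domain in OFFICIAL:
        return None
    # Label left of the TLD; a single-label TLD is assumed for simplicity.
    label = domain.rsplit(".", 1)[0].split(".")[-1]
    plain = label.replace("-", "")
    squashed = plain.translate(DIGITS)
    for brand in BRANDS:
        if squashed == brand:
            if plain != squashed:
                return brand, "digit-swap"
            if label in OFFICIAL_LABELS:
                return brand, "other-tld"
            return brand, "hyphen-variant"
        if brand in squashed:
            extra = squashed.replace(brand, "", 1)
            return brand, ("extra-letter" if len(extra) <= 2 else "added-keyword")
        if one_edit_apart(squashed, brand):
            return brand, "typo"
    return None


def obfuscated_brands(ad_text):
    """Brand names that show up in ad text only after undoing digit swaps."""
    hits = []
    for token in re.findall(r"[a-z0-9]+", ad_text.lower()):
        plain = token.translate(DIGITS)
        if plain != token and plain in BRANDS:
            hits.append((token, plain))
    return hits


if __name__ == "__main__":
    # Domains quoted in the text, plus one constructed .example entry.
    for d in ["rayban-ireland.com", "Louisvuittona.com", "louisvuitton-shoes.com",
              "Louis--Vuitton.co", "www.ray-ban.com", "lux0ttica.example"]:
        print(f"{d:26} {classify_domain(d)}")
    print(obfuscated_brands("Lux0ttica sunglasses 90% off"))   # constructed ad text
```
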






Organizational Outline







Conclusions

A technical journalist previewing this research commented aptly: "This phenomenon is similar to
having your local TV channel run a commercial about some street stores selling counterfeit
items."
Unfortunately, the vast majority of users are not aware that there are some websites advertised
on a major website such as Facebook that sell counterfeit brand items. As explained above, in
some cases those are high-quality websites featuring the same design and colors of the targeted
official website, a domain name including a name similar to the brand name, and certification and
security logos to validate their purchases.
To put this in context, there is an important difference between a real and a virtual environment: it
is much easier to recognize a counterfeit item in the former, while in the latter you must have both
technical skills and a good dose of intuition to distinguish a fake ad or website from a legitimate
one. Also, in the case of a brick-and-mortar shop usually you can take back a counterfeit item, get
a refund and/or alert authorities while on the Internet it is very difficult or almost impossible to
have direct personal contact to file a complaint or ask for a refund. And even when officials
manage to block or seize one of these online criminal organizations (according to different laws in
different countries), often they are quick to reopen shop with a new domain and a new web
hosting service to sell their counterfeit goods.
At the same time, it would be ungenerous to blame Facebook for such practices: even if at a close
look it becomes clear that they are running illicit activities, very often their ads look so legitimate
that they might mislead even a skilled advertisement editor, unless specifically trained and made
aware of the problem. And their job gets even harder when criminal webmasters set up multiple
re-directing links, a technique often used in the cybercrime world; or when they run multi-brand
shops offering bargain prices, as opposed to fake shops of major brands (which are far easier to
spot). Needless to say, this widespread phenomenon produces serious damage at different levels
of our society. Companies are compelled to act to prevent growing counterfeit activities, lawful
retailers lose potential customers, and online users waste their money on very low quality items
(in some cases even toxic or harmful to our health). Moreover, as shown in our research, dubious
or opaque online payment systems could jeopardize credit card info and other personal data.
Finally, advertisement networks such as the one run by Facebook risk losing their credibility, and
face an increasing cost in their practices to protect their users from fraud and damage. With regard
to these latter issues, we are glad to report that, since the inception of our research project, many
of these illicit Facebook ads have been removed and many websites selling counterfeit goods
have been promptly blocked or seized by local authorities.
This research is completely independent, self-produced and for educational purposes only.
Anybody is welcome to quote, copy and redistribute this research content with the appropriate
credit and attribution.
