Cedric PERNET - Threat Intel, APT & Cybercrime

Hi all,

I just published this quick one about some opportunistic fraudsters pretending to be the DarkSide threat. Enjoy :-)

Hello,

J'ai publié ce mois-ci un article "première approche" sur le Darknet et la cybercriminalité qui tourne autour, dans le magazine Dalloz IP / IT.

Hi all,

Here is my latest blog post about a clever BEC attack that targets a lot of different companies in France:

French companies Under Attack from Clever BEC Scam

Le Monde newspaper published a very nice French article about it here.

Also, the article from Le Figaro.

Hey there :-)

I just contributed to a new blog post about some cybercriminals using advanced tools to spread a cryptocurrency miner.

The full blog post is here.

Cheers !

So here's the second part of that serie on fraudulent domain monitoring and takedown.

Here.

Hope you'll enjoy :-)

Hi all :-)

I just released a new white paper about the whole french cybercrime underground, available here. The full paper is available here.

Hello à tous/toutes,

Je vous avais promis un article MISC qui pour une fois ne parlerait pas d' APT, c'est chose faite dans MISC 87.

Vous y trouverez un article que j'ai écrit sur le phénomène du "Business e-mail compromise". J'espère qu'il vous plaira ! :-)

Je suis un peu sec pour de nouveaux sujets MISC en ce moment, si vous avez des idées n'hésitez pas à me solliciter ! ;-)

Hi all,

Please be advised I have published a new blog post entitled "French Dark Bets: Betting On Euro 2016"

French people in particular might be interested... ;-)

Here is the link to a new blog post I wrote with friends Kenney Lu and Dark Luo from Trend Micro.

It has several interesting aspects, in my mind:

• The fact that there is an ongoing campaign against french people, using french material, which is rare enough to be worth mentioning;
• The fact that there is a kit used to drop different payloads: Gootkit, CryptoWall, some banking trojan...;
• The fact that it uses an innovating method to infect the victims computers.

Hope you will enjoy the read ! :-)

Well, as you probably know, I am french. Some of my friends do not agree, and say that I am not a real french, because I do not like strong cheese, I do not like eating ducks (in any way), and all wine tastes the same for me, in opposite to beer. Also, I hate european football, but loooooove american football, my favorite team being the Patriots from New England.

On the other hand, I must admit I have a little kink for american football team's jerseys. I already have one from the Patriots, yet I wanted one from the Miami Dolphins.

So here I am, googling to find a new jersey at an attractive price, in french language.

Using a simple request like "jersey miami dolphins pas cher" which means "jersey miami dolphins cheap" in Google, I get the following as first result:

As you can see, the first results are from "Google Shopping" and do provide links to legitimate websites like nike.com.

Then, more interestingly, I get results from Google Image. The first image shown, on which my mouse pointer is, leads to a domain named maillot-foot-nfl-nba.com.

Following this link, I get a nice page from an online store showing me the jersey of my dreams:

At this point, there are several little details which should raise suspicion for anyone:

• At the top of the web page, there's a line "Vente de DIR_WS_SEO_KEYWORD" which looks very ugly and unprofessional. Would a real seller really keep this ugly line up there ? Probably not.
• Look at the price !!! 69% discount on that product !!! It brings the price from 99€ (which is quite the usual price for that product) down to 30.99€.
• Bad language. I am writing this blog post in english and showing french stuff, ok, but I can tell you that if you go to any page of the web site, you'll see loads of spelling mistakes and even sentences which do not mean anything. The "general conditions" page is a must-read for french people, it is full of language problems.

Clicking on some of the general pages of the web site is quite instructive. In the middle of the description for shipping, written in french, some spanish can be seen: "Aceptamos Visa, Mastercard, Paypal y tarjeta de crédito!" ...

There can only be one conclusion to all of this: this website is fraudulent, selling counterfeit products, and no one should buy products there.

Now if I come back to my Google research, and look at the Google image links on the right of the one I followed, the domains are:

• www.boutiquesprofr.com
• www.forschungsinfo.de
• www.giacche.eu

By carefully watching these websites (except for forschungsinfo.de, which to clarify is a real site which has just hosted links to a fraudulent one, and the link has been removed), we could come to the same conclusion: counterfeit products are sold there.

Now one might think that these websites are build up by isolated fraudsters looking for easy money. The reality is a bit different, and that's why I am blogging, I wanted to bring some more insight to this kind of fraud and raise some awareness for people on Internet.

For starters, once again if you look carefully at all pages from such a website, you can find something more interesting than spelling mistakes: links to other websites.

Reading the "shipping info" from boutiquesprofr.com for example, the first line mentions that "sacmiumiu.com offre la livraison gratuite" , which means that "sacmiumiu.com offers free shipping".

Why the hell is a website called sacmiumiu.com mentioned in the shipping info of boutiquesprofr.com (which by the way means "prostorefr.com") ?

Well, the reason for that is that fraudsters do not build a single website to sell counterfeit products. They do build LOADS of different websites. You might think it takes a lot of time to do it, but it takes less than one or two hours to do. These fraudsters do use websites templates, which they just slightly modify from one site to the other. From the single sentence found on boutiquesprofr.com, we can expect it to use almost the same template as sacmiumiu.com.

sacmiumiu.com does not exist anymore, yet just by googling this name you would find interesting stuff : ads for it in guestbooks showing links to other counterfeit products websites, etc... Looking for it on archive.org, a website which shows past versions of websites, you would even find that the website has indeed been transfered by judge decision to Louis Vuitton because it was selling counterfeit products.

So, with few googling and wise use of archive.org, we already found out that our guys from "boutiquesprofr.com" were somehow connected to "sacmiumiu.com".

What else can be found ?

Let's go back to the first website I found, maillot-foot-nfl-nba.com.

At the top left part of the website, a logo from the company "NEW ERA" is visible. Let's be a bit clever and use it to find other websites which contain the exact same logo. To do that, we can save the logo from maillot-foot-nfl-nba.com and then submit it to a Google Image search. By doing that, Google will show us all referenced websites which contain the same picture :

Note: what you do not see in the screenshot is the fact that Google Image offers results showing images which are "close" to the image you submit. We need to focus on the exact same image, to avoid false positives. Moreover, if the fraudsters took the image from a legitimate website and did not modify it, we will get false positives we need to remove from the analysis.

Once again, the results are quite interesting: we easily fall on several fake products sellers.

This provides us a very easy method to group fake websites.

Ok, what do we know now ? We know that there are hundreds of websites selling fake products, using more or less the same templates and techniques.

How about having a look at the people who register these domain names ?

Let's have a look at the Whois information for our favorite website, maillot-foot-nfl-nba.com.

Registrant Name: mingsheng zheng
Registrant Organization: zhengxiansheng
Registrant Street: haikoulu10
Registrant City: haikou
Registrant State/Province: hainan
Registrant Postal Code: 570100
Registrant Country: CN
Registrant Phone: +86.13800000000
Registrant Phone Ext: 
Registrant Fax: +86.13800000000
Registrant Fax Ext: 
Registrant Email: registrar@mail.zgsj.com
Admin Name: mingsheng zheng
Admin Organization: 
Admin Street: haikoulu10
Admin City: haikou
Admin State/Province: hainan
Admin Postal Code: 570100
Admin Country: CN
Admin Phone: +86.13800000000
Admin Phone Ext: 
Admin Fax: +86.13800000000
Admin Fax Ext: 
Admin Email: capsshopnet@gmail.com

Once again, this really does not look like Whois information a legitimate merchant would use: the phone numbers seems to be fake, and the e-mail address is on gmail.com, yet this is very interesting for us in terms of investigation.

So, by doing some reverse whois researches, we can find 23 domains, additionally to maillot-foot-nfl-nba.com, which have been registered by capsshopnet@gmail.com :

Oh my, our friend "capsshopnet" has counterfeit stuff in french, spanish, and german, what a great linguist, this might explain all the spelling mistakes on these websites ;-)

What about the hosting ? Well, maillot-foot-nfl-nba.com is currently hosted on 223.26.62.200, which belongs to:

inetnum:        223.26.62.0 - 223.26.62.255
netname:        SUN-HK
descr:          Sun Network - DataCenter Service
                TRANS ASIA CENTER, KWAI CHUNG
country:        HK
admin-c:        DA179-AP

Let's look at some Passive DNS information. Which other domains have lead to this precise IP address currently or in the past ?

The results are other counterfeit products websites (except for kkk345.com which is about pornographic stuff)

kkk345.com
www.kkk345.com
www.gorras-obey.com
gorrasbaratas.com
www.gorrasbaratas.com
maillot-pascher.com
www.maillot-pascher.com
zapatos-baratas.com
www.zapatos-baratas.com
www.maillot-foot-nfl-nba.com
www.kkk3.org

Now let me please represent all this data in a structured form (click to enlarge):

I will end this blog post here. I just wanted people to be a bit aware that the underground of counterfeit products is huge, and that few minutes of investigation can lead to the discovery of a complex web of Internet websites run by fraudsters.

One might wonder about the number of people involved in that kind of fraud. There are probably several people to register the websites, several people to build the content (and we can be pretty sure some other people are selling the web pages templates), to handle the orders, to manufacture the products (probably hundreds/thousands of people here), etc.

I stopped my investigation at this point, because it was done on a rainy night at home. A lot is uncovered here: I did not look for every domain whois, I did not look for all the hosting data and IP ranges, I did not really search for any real person attribution.

By digging more on all these data, we could probably find much more fake products websites and persons involved, but once again, my goal here was just to raise awareness on a kind of fraud and describe it a bit.

So what have we learned here ?

• There are people probably working fulltime on registering websites, building websites (and people making/selling templates), having them indexed on Google and other places (black SEO), to sell counterfeit products coming mostly from China (that's what you discover when you order something), all of this in several different languages.
• Dozens of websites are handled by the same people
• These people do sell every kind of products you can think of: fake jerseys, fake tshirts, fake caps, fake shoes, fake handbags, fake sunglasses ... (you can guess it looking at the domain names from the previous image)
• The fraud is obvious when you take the time to really analyze the content a bit. You should NEVER BUY A PRODUCT WHICH LOOKS AMAZINGLY CHEAP, or from a website with loads of spelling mistakes.

Thank you for your reading, this was some kind of fun post blog I've done in a hurry last night. See you soon ! :-)