How to identify fake shopping websites

When you want to buy something on the Internet, you generally search for cheap clothes or cheap shoes, but that is not always the best way to find a trusted and legitimate shopping website. Many scam websites appear on the top pages of Google search results when you search for a brand name followed by the word “cheap”, “cheapest” or “wholesale”.

Fake shopping websites look like any other legitimate e-commerce website: they have a good HTML template, all the logos of the accepted payment methods (credit cards, PayPal, etc.) and logos of (fake) trustworthiness certificates.

Here are a few ways to identify fake shopping sites, taking as an example:

hxxp://gstarshopengland.com/ ---> fake shopping website

[Image: fake shopping site template]

1) Check the website with URLVoid

Before buying something from a website, I would recommend always checking the website with our free service URLVoid, which analyzes the website with multiple scanning engines to facilitate the detection of malicious and fraudulent websites.

2) Look at the prices: low prices are not always good

When you see prices that are too low, with discounts of 50%, 55% or even more, you should become a bit suspicious. The website may promote low prices to quickly sell the fake or nonexistent items before the website is detected as fraudulent by security software and services.

3) Check the footer text and look for the company name

[Image: fake shopping site footer]

From the footer you can read this text:

Copyright C 2005-2011 G Star jackets for men Sale Powered by www. gstarshopengland .com All Rights Reserved.

Is “G Star jackets for men Sale Powered” a legitimate company name? Of course not. There is no reference to a legitimate company name, an address or contact information. Every legitimate and trusted website should have the name of the company in the footer near the copyright text, with at least the company’s address or the company’s VAT/IVA ID (if in the EU).

4) Compare the copyright date with the domain creation date

The website claims it was founded in 2005 with the text “Copyright 2005-2011”, but if you do a whois lookup on the domain name, you can clearly see that the domain was created on 19 August 2013, only a few months ago:

Updated Date: 19-aug-2013
Creation Date: 19-aug-2013
Expiration Date: 19-aug-2014

5) Avoid buying clothes from young websites

With a whois lookup, always check the domain creation date. If the domain name was registered only a few months ago, I would recommend not buying anything, because there are not enough details to tell whether the website is legitimate or fraudulent.
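As an added example (not part of the original post), here is how steps 3 to 5 can be automated: the whois creation date and the footer’s copyright year are parsed from text shaped like the samples quoted above and compared, with the reference date and the six-month threshold being assumptions of the example.

```python
import re
from datetime import date

# Constructed samples modelled on the whois output and footer text quoted in
# the post (embedded here so the check runs offline).
WHOIS_SAMPLE = """Updated Date: 19-aug-2013
Creation Date: 19-aug-2013
Expiration Date: 19-aug-2014
"""
FOOTER_SAMPLE = ("Copyright C 2005-2011 G Star jackets for men Sale Powered by "
                 "www. gstarshopengland .com All Rights Reserved.")

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

def whois_creation_date(whois_text):
    """Extract a 'Creation Date: DD-mon-YYYY' line from whois output as a date."""
    m = re.search(r"Creation Date:\s*(\d{1,2})-([a-z]{3})-(\d{4})", whois_text, re.I)
    if not m:
        return None
    day, mon, year = int(m.group(1)), MONTHS[m.group(2).lower()], int(m.group(3))
    return date(year, mon, day)

def copyright_first_year(footer_text):
    """Earliest year claimed in a 'Copyright 2005-2011' style footer, or None."""
    m = re.search(r"Copyright\D{0,5}(\d{4})", footer_text, re.I)
    return int(m.group(1)) if m else None

def domain_age_months(created, today):
    """Whole months between the domain creation date and the reference date."""
    return (today.year - created.year) * 12 + (today.month - created.month)

def check_shop(whois_text, footer_text, today_iso, min_age_months=6):
    """Red flags from steps 3 to 5: copyright older than the domain, or a young domain."""
    today = date.fromisoformat(today_iso)
    created = whois_creation_date(whois_text)
    claimed = copyright_first_year(footer_text)
    if created is None:
        return ["no creation date found in whois output"]
    flags = []
    if claimed is not None and claimed < created.year:
        flags.append("copyright year %d predates domain creation date %s" % (claimed, created))
    age = domain_age_months(created, today)
    if age < min_age_months:
        flags.append("domain is only %d months old" % age)
    return flags

if __name__ == "__main__":
    # Reference date assumed for the example (the post says "only a few months ago").
    for f in check_shop(WHOIS_SAMPLE, FOOTER_SAMPLE, "2013-11-01"):
        print("RED FLAG:", f)
```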

6) Check who the owner of the website is

From the whois data, you can see that the domain was registered through a registrar based in Beijing (China):

Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

The name servers are also Chinese (.CN):

Name Server: NS13.DNS.COM.CN
Name Server: NS14.DNS.COM.CN

The organization name is also Chinese:

Organisation Name.... yanfang li
Organisation Address. xiantaoshishahuzhenfenglecun1zu55hao
Organisation Address.
Organisation Address. Jingzhou
Organisation Address. 433019
Organisation Address. HB
Organisation Address. CN

The email and telephone number of the website owner are also Chinese:

Tech Email........... xiandailihao@163.com
Tech Phone........... +86.7282640476
Tech Fax............. +86.7282640476

Personally, I would not buy G-Star clothes from a website that was registered in China; I would prefer to buy them from the official store or from other stores near the place where I live, so I can more easily make a telephone call to the owner or visit their shop directly in case of a problem.

7) Make sure the website has HTTPS support

[Image: fake shopping site, no SSL at checkout]

When you try to buy an item and go to the checkout, you can see that there is no secure HTTPS connection. Every legitimate e-commerce website should use HTTPS when the user is supposed to enter sensitive information or credit card details. I would never buy something from a website that has no HTTPS support.

8) Visit the about or contact page to find valid contact information

[Image: fake shopping site, no contact information]

As you can see from the above image, the website has no information about how to contact the shop, such as a telephone number, an email address, or the company’s address. I would never buy something from a shopping website that has only a contact form; I prefer to have a phone number, a valid email address and a valid company address to verify. Keep in mind that most scam websites use public email addresses, such as @gmail.com, @yahoo.com, @163.com, @hotmail.com, etc. A legitimate website should use an email address on its own domain, for example info@website.com.

9) Analyze the domain name string

If you see a website with a domain name similar to buy-cheap-shoes.com, buycheapshoes.com, super-cheap-shoes.com, jordanairmaxshop.com, wholesalenikeshoes.com, gstarshoppingengland.com or similar, you should avoid buying anything there. A legitimate website should not contain the brand name in the domain name and should not contain the words “cheap”, “cheapest”, “wholesale”, etc.
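An added example (not from the original post) that turns steps 8 and 9 into a checker: it looks for sale keywords and brand names inside the registrable domain label and flags contact addresses hosted by public mail providers; the brand watch list is an assumption to extend with the brands you care about.

```python
import re

# Sale keywords the post says should never appear in a legitimate shop's domain
# ("cheapest" is covered by "cheap").
SUSPICIOUS_WORDS = ("cheap", "wholesale")
# Hypothetical brand watch list built from the post's examples; extend as needed.
BRANDS = ("gstar", "nike", "jordan", "airmax")
# Public mail providers the post lists as typical of scam contact addresses.
PUBLIC_MAIL_PROVIDERS = ("gmail.com", "yahoo.com", "163.com", "hotmail.com")

def registrable_label(domain):
    """Second-level label of a hostname, lower-cased and with dashes removed.
    Naive split on dots: fine for .com/.net/.ru style names like the ones above."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "")

def domain_name_flags(domain):
    """Red flags from step 9: sale keywords or brand names embedded in the domain."""
    label = registrable_label(domain)
    flags = []
    words = [w for w in SUSPICIOUS_WORDS if w in label]
    if words:
        flags.append("sale keyword in domain: " + ", ".join(words))
    brands = [b for b in BRANDS if b in label]
    if brands:
        flags.append("brand name in domain: " + ", ".join(brands))
    return flags

def contact_email_flags(email, site_domain):
    """Red flags from step 8: contact address not on the shop's own domain."""
    m = re.match(r"^[^@\s]+@([^@\s]+)$", email.strip())
    if not m:
        return ["contact email is not a valid address"]
    mail_domain = m.group(1).lower()
    if mail_domain in PUBLIC_MAIL_PROVIDERS:
        return ["contact email uses a public mail provider: " + mail_domain]
    if registrable_label(mail_domain) != registrable_label(site_domain):
        return ["contact email domain %s does not match site domain %s" % (mail_domain, site_domain)]
    return []

if __name__ == "__main__":
    for d in ("buy-cheap-shoes.com", "jordanairmaxshop.com",
              "wholesalenikeshoes.com", "gstarshoppingengland.com", "example-shop.com"):
        print(d, domain_name_flags(d) or "ok")
    print(contact_email_flags("xiandailihao@163.com", "gstarshopengland.com"))
```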

10) Make sure the English language is correct

Even if a legitimate website may contain grammar errors, some fake shopping sites have a lot of them, so make sure to read a few pages and check the grammar; if you see too many errors, you may become a bit suspicious about the trustworthiness of the website.

11) Google is your friend to search for information about a website

You can search on Google for more information about a suspicious website: for example, you can search for the telephone number, the email address, the website owner’s name or the organization name, or simply search whether other users had a bad experience with that website. You can also search the IP address on Google to see if there is other useful information about that IP.

12) Analyze the websites hosted on the same IP address

[Image: URLVoid, websites hosted on the same IP address]

If a website comes up as clean on URLVoid, you can still check whether other websites hosted on the same IP address are malicious or detected by other scanning engines. URLVoid offers the possibility to see how many websites are hosted on an IP address, but you can also search on Google to see if another website has more information.

13) Analyze the website’s IP address with IPVoid

I would recommend scanning the IP address of the website with IPVoid, a free service used to find out whether an IP address has been blacklisted by anti-spam services or has participated in illicit activities.

This post may be updated with time, so keep an eye here.

Malware: UPS Delivery Notification Tracking Number

We recently logged some emails with two suspicious files attached:

[Image: UPS malware email]

As you can see, the email has a subject and a sender address that may seem to come from UPS, but in reality the email is a scam used to spread as an attachment a file named invoiceCM0V9ORWJF23KX8PAP.PDF.exe, which is the executable of the (in)famous Zbot trojan, used by cybercriminals to monitor the victims’ PCs and to steal bank data and other sensitive information.

More information about the attached file:

File: invoiceCM0V9ORWJF23KX8PAP.PDF.exe
Size: 167.2 KB ( 171261 bytes )
SHA256: 2695e33e671c4eee1e55ad534d9b33445a56b8ffeff50b7c63fa12f266de1088
SHA1: 3c0e4f12faef99cc80f8a091a8210b34a2c7c9fb
MD5: 015e60d0ddff09d7df66d926d3793cc8

Google Translate used by spammers to bypass Anti-Spam filters

Google Translate is a free service created by Google that translates any web page, content or document from its native language to a language specified by the user. We have noticed that some spam messages contain links that use Google Translate to translate a page, but those links are used to promote fraudulent pharmaceutical products, and they seem to use Google Translate to mask the malicious website.

In short, when you translate a URL with Google Translate, the URL of the web page is appended to the HTTP query string, but the initial domain name remains translate.googleusercontent.com, so anti-spam filters may be bypassed because the Google Translate URL is classified as legitimate.

To get a better idea of what I am talking about, check this image:

[Image: Google Translate used for spam]

We have extracted some URLs from the spam messages; they are all subdomains of yolasite(dot)com and are used to promote fake pharmaceutical products and subscriptions to fraudulent casino websites:

hxxp:// myonlinestore1. yolasite.com/shop
hxxp:// onlineshop63. yolasite.com/shop
hxxp:// onlinecasino27. yolasite.com/casino2

Never click on links that start with the domain “translate.googleusercontent.com”, because they may use Google Translate to load a malicious website and exploit vulnerabilities in your web browser or other applications installed on your system (such as Adobe Flash, PDF readers, Java) to infect your PC.

If you want to translate a website, visit the Google Translate website directly with your browser and type the URL that you want to translate. Avoid clicking on links related to Google Translate present in emails or on unknown websites.

Phishing: PayPal Notice of Policy Updates

Be aware that we have logged a lot of phishing emails targeting PayPal users these days. The phishing email message looks almost identical to the real PayPal message, but the link in the message redirects the user to a URL shortener service.

[Image: phishing PayPal notice of policy update]

The malicious link present in the email is:

hxxp://lnko.in/bhqr

The user is redirected to these malicious links (in order):

hxxp://107.6.59.96/recordings/misc/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c

The HTML page of the last malicious link is obfuscated:

[Image: phishing PayPal HTML page, obfuscated]

If JavaScript is enabled in your browser, the HTML page loads correctly:

[Image: phishing PayPal final URL]

When the user enters the login details, the form sends the POST data to a script:

[Image: phishing PayPal POST fields]

The malicious script is named:

paypal.php

The script is used to collect the login details entered by the user.

This kind of phishing attack can be easily detected: the user can quickly check the address bar of the web browser and notice that the website is not paypal.com (legitimate) but an IP address, there is no HTTPS secure connection, and if the user has JavaScript disabled, the HTML page is blank.
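The Google Translate trick described earlier and this PayPal redirect chain call for the same defensive check, so here is one added example (not code from the original posts) that triages the links found in an email body: it unwraps translate.googleusercontent.com links (assuming the target URL travels in the u query parameter, as Google Translate links have historically done), then flags bare IP hosts, missing HTTPS, URL shorteners and hosts outside the expected brand domain; the shortener list and the sample email are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shortener list; lnko.in is the one seen in the PayPal campaign above.
SHORTENER_HOSTS = {"lnko.in", "bit.ly", "tinyurl.com"}
TRANSLATE_HOSTS = {"translate.googleusercontent.com", "translate.google.com"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def unwrap_translate(url):
    """If url is a Google Translate proxy link, return the real (translated) URL.
    Assumes the target is carried in the 'u' query parameter; otherwise the
    url is returned unchanged."""
    parts = urlsplit(url)
    if parts.hostname in TRANSLATE_HOSTS:
        target = parse_qs(parts.query).get("u")
        if target:
            return target[0]
    return url

def link_flags(url, expected_host=None):
    """Red flags a mail filter (or a careful user) would raise on one link."""
    flags = []
    real = unwrap_translate(url)
    if real != url:
        flags.append("Google Translate wrapper hides " + (urlsplit(real).hostname or "?"))
    parts = urlsplit(real)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("no HTTPS")
    if IPV4_RE.match(host):
        flags.append("host is a bare IP address")
    if host in SHORTENER_HOSTS:
        flags.append("URL shortener")
    if expected_host and host != expected_host and not host.endswith("." + expected_host):
        flags.append("host %s is not %s" % (host, expected_host))
    return flags

def triage_links(text, expected_host=None):
    """Map every http(s) link found in an email body to its red flags."""
    return {u: link_flags(u, expected_host) for u in re.findall(r"https?://[^\s\"'<>]+", text)}

# Constructed email body reproducing the link shapes from the two posts
# (the hxxp defanging is undone so the parser sees real schemes).
SAMPLE_MAIL = """Dear customer, review the policy update at http://lnko.in/bhqr
Offer: http://translate.googleusercontent.com/translate_c?sl=auto&tl=en&u=http://onlineshop63.yolasite.com/shop
Login: http://107.6.59.96/recordings/misc/personal/security/
Real: https://www.paypal.com/policy"""

if __name__ == "__main__":
    for url, flags in triage_links(SAMPLE_MAIL, "paypal.com").items():
        print(url, "->", flags or "ok")
```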

Spam: New Product to Lose up to 15 lbs.

We noted an increased number of email messages promoting a new product that supposedly helps people lose weight. All the email messages we have captured redirect users to .RU websites promoting some kind of green tea product for losing weight, which is of course a scam.

[Image: spam email]

This is one of the malicious URLs extracted from the email message:

hxxp://nerabrop.ru/

A screenshot of the homepage:

[Image: green tea product scam homepage]

The links present in the website redirect the user to:

hxxp://nerabrop.ru/get.html

The user is redirected to another malicious URL:

[Image: malicious URL from the spam]

hxxp://184.107.166.107/~greencof/

[Image: green coffee scam URL]

As you can see, the website asks you to fill in a web form with your name, surname, address and other sensitive information. The data submitted in the form is then sent to another malicious URL that uses HTTPS:

hxxps://www.wbsoffers.com/index.php?main_page=two_step_form_processor

The website seems to have been created a few days ago; the homepage looks like this:

[Image: green tea product scam, empty site]

Most probably, the website is used to steal the data that is sent through the web form.

A list of malicious URLs captured:


Scan reports generated by URLVoid:

http://www.urlvoid.com/scan/wbsoffers.com/
http://www.urlvoid.com/scan/suprepuse.ru/
http://www.urlvoid.com/scan/hecktorshep.ru/
http://www.urlvoid.com/scan/harloro.ru/
http://www.urlvoid.com/scan/ottertold.ru/
http://www.urlvoid.com/scan/nerabrop.ru/

There are more than 18 malicious websites hosted on:

193.106.28.144

[Image: URLVoid report for IP address 193.106.28.144]

Source: http://www.urlvoid.com/ip/193.106.28.144/

There are more than 50 malicious websites hosted on:

111.121.193.200

[Image: URLVoid report for IP address 111.121.193.200]

Source: http://www.urlvoid.com/ip/111.121.193.200/

WordPress-how-to-videos(dot)com Spreads Java Exploits

When we analyzed a few Twitter followers of one of our websites, we noted a user that was following us; see the image:

We have analyzed the (infected) website:

www (dot) wordpress-how-to-videos (dot) com

The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220.34.22 (330.hostserv.eu). The server is located in Switzerland (CH) and no other websites are hosted on the same server. The domain is registered with the suffix COM and the keyword of the domain is wordpress-how-to-videos. The organization is hosttech GmbH.

The above website is used to redirect users to a malicious URL that tries to exploit the user’s browser with a Java exploit, as you can see from this image:

[Image: Java Exploit]

The malicious redirect is activated only if the user browses the malicious website with a referer that contains a search engine string, such as Google. Using the free service HTML Sniffer we can simulate the Google referer and see that we are redirected to the exploit URL:

The exploit URL seems to be updated very frequently:

garliccommercial .ru /pavilion?8
midwaydance .ru /pavilion?8

Both malicious URLs are hosted on this IP address:

206.53.52 .13

The Java exploit is loaded from another malicious URL:

ypcbpukqt. lflinkup .com /PJeHubmUDaovPDRCJxGMEzlYXdvvppcg

Pay attention when clicking on websites of your Twitter followers!

URLVoid API v2.0

URLVoid API is a free service (for non-commercial use) that allows users to query our database of already analyzed domains and receive, in XML format, details about each submitted domain. The URLVoid API supports multiple domains in a single query, so you can submit 250 domains and receive details of each domain in just a few seconds.

An example of the XML output:

<?xml version="1.0" encoding="UTF-8"?>
<detected>
	<details domain="google.com" last_scan="1344104440" detected="0" lists_detected="" />
	<details domain="xxxtoolbar.com" last_scan="1344524302" detected="10" lists_detected="MyWOT,SCUMWARE,MalwareBlacklist,hpHosts,BrowserDefender,Malware Patrol ,DNS-BH,GoogleSafeBrowsing,SURBL,WebSecurityGuard" />
	<details domain="ysweb.com" last_scan="1343484791" detected="0" lists_detected="" />
</detected>

As you can see, you receive useful info:

domain="xxxtoolbar.com"

The name of the domain submitted.

last_scan="1344524302"

The date of the last available report.

detected="10"

The number of blacklist engines that have detected the domain.

lists_detected="MyWOT,SCUMWARE,MalwareBlacklist,hpHosts,BrowserDefender,Malware Patrol ,DNS-BH,GoogleSafeBrowsing,SURBL,WebSecurityGuard"

The name of each blacklist engine that has detected the domain.
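An added example (not the URLVoid project’s own client code) that parses the XML output shown above with Python’s standard library, turns the fields into typed values and lists the domains detected by at least one blacklist engine; the XML is the sample from the post, embedded so the parser runs offline.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The XML sample from the post, embedded verbatim (whitespace aside).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<detected>
    <details domain="google.com" last_scan="1344104440" detected="0" lists_detected="" />
    <details domain="xxxtoolbar.com" last_scan="1344524302" detected="10" lists_detected="MyWOT,SCUMWARE,MalwareBlacklist,hpHosts,BrowserDefender,Malware Patrol ,DNS-BH,GoogleSafeBrowsing,SURBL,WebSecurityGuard" />
    <details domain="ysweb.com" last_scan="1343484791" detected="0" lists_detected="" />
</detected>"""

def parse_urlvoid(xml_data):
    """Return one dict per <details> element with typed fields.
    last_scan is a Unix timestamp, lists_detected a comma-separated list."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    if root.tag != "detected":
        raise ValueError("unexpected root element: " + root.tag)
    results = []
    for el in root.iter("details"):
        # Engine names are stripped because the sample contains "Malware Patrol ".
        lists = [n.strip() for n in el.get("lists_detected", "").split(",") if n.strip()]
        detected = int(el.get("detected", "0"))
        results.append({
            "domain": el.get("domain"),
            "last_scan": datetime.fromtimestamp(int(el.get("last_scan", "0")), tz=timezone.utc),
            "detected": detected,
            "lists": lists,
            # Sanity check: the count should equal the number of engine names given.
            "count_matches": detected == len(lists),
        })
    return results

def flagged(results, min_engines=1):
    """Domains detected by at least min_engines blacklist engines, worst first."""
    hits = [r for r in results if r["detected"] >= min_engines]
    return sorted(hits, key=lambda r: r["detected"], reverse=True)

if __name__ == "__main__":
    for r in parse_urlvoid(SAMPLE_XML):
        print("%-16s detected=%2d last_scan=%s lists=%s" % (
            r["domain"], r["detected"], r["last_scan"].strftime("%Y-%m-%d"), ", ".join(r["lists"])))
    print("flagged:", [r["domain"] for r in flagged(parse_urlvoid(SAMPLE_XML))])
```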

How can I obtain an API key?

The service requires a special key to be used. You can request your own API key by contacting us at info (at) novirusthanks (dot) org with the subject Request for URLVoid API Key; please include the following details:

1) Your Name
2) Your Email
3) Your Company
4) Your Website URL
5) A small description of how you are going to use URLVoid API

Your details will not be shared in any way; they will be kept strictly private and used only to assign the API key to your email, nickname and website. After we have received your email, we will send your API key to your email within a few days. Please note that you need to respect the following terms to use our free API correctly:

1) Do not include/use the API in commercial products or services
2) Do not use the API as a substitute for security products
3) Do not use the API in unethical services
4) Include a backlink to our website (urlvoid.com)
5) Do not abuse the service
6) Do not use the API in services over which you have no control

Non-compliance with these rules will result in the termination of your account/API key without prior notification and you will not be able to use the service.

For any other questions, just send us an email. We recommend following our blog or our Twitter account to stay updated with news and changes about this service.

Amazon.com Order Confirmation leads to Blackhole Exploit Kit

We received a few emails with the subject:

Amazon.com Order Confirmation

Inside the email message there is an HREF link that redirects users to a malicious web page containing malicious JavaScript code used to redirect users to the main URL of the Blackhole exploit kit:

[Image: Amazon.com fake order page]

The Blackhole exploit kit URL is:

GET /main.php?page=017f3bb5c2be6a41 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adnroidsoft .net

Fortunately the domain is no longer active.

New Malicious Injected Code: Injection_head and Injection_tail

We have logged a few websites infected with a new injected JavaScript code that seems to target mainly websites powered by WordPress and Joomla. Below is a screenshot of the malicious script:

[Image: malicious injected script]

As we can see from the image above, the injected code starts with:

<!--Injection_head[SessionID=...]-->

And it ends with:

<!--Injection_tail[SessionID=...]-->
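An added example, not code from the original post, of a detector for this injection: it finds every block enclosed by the Injection_head and Injection_tail markers quoted above, reports whether the two SessionID values agree, and can strip the blocks so a cleaned copy can be compared with the infected file; the sample page, its SessionID value and the script body are constructed placeholders.

```python
import re

# Marker pattern taken from the post; the SessionID value and the body are captured.
INJECTION_RE = re.compile(
    r"<!--Injection_head\[SessionID=(?P<head_id>[^\]]*)\]-->"
    r"(?P<body>.*?)"
    r"<!--Injection_tail\[SessionID=(?P<tail_id>[^\]]*)\]-->",
    re.DOTALL)

def find_injections(html):
    """Return each marked block found in an HTML document: offsets, id, payload."""
    found = []
    for m in INJECTION_RE.finditer(html):
        found.append({
            "start": m.start(),
            "end": m.end(),
            "session_id": m.group("head_id"),
            # The post does not say the two ids must agree; record it either way.
            "ids_match": m.group("head_id") == m.group("tail_id"),
            "payload": m.group("body").strip(),
        })
    return found

def strip_injections(html):
    """Remove every marked block (for producing a cleaned copy to diff against)."""
    return INJECTION_RE.sub("", html)

# Constructed sample page: markers as in the post, placeholder id and script body.
SAMPLE_PAGE = """<html><head><title>Blog</title></head><body>
<!--Injection_head[SessionID=EXAMPLE-SESSION-1]-->
<script>/* placeholder for the injected script */</script>
<!--Injection_tail[SessionID=EXAMPLE-SESSION-1]-->
<p>Welcome to my WordPress site.</p>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_PAGE):
        print("injection at offset %d-%d, SessionID=%s, ids match: %s" % (
            hit["start"], hit["end"], hit["session_id"], hit["ids_match"]))
        print(hit["payload"])
```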