Wednesday, 28 July 2021

Euro 2020 - Part 3: domains (revisited) and other channels

In this final article in our series of studies looking at Euro-2020-related infringements, we revisit domain name infringements and consider activity across other online channels, with a focus on social media and mobile apps.

Following the original study, which looked at domains registered before May 2020 with names containing 'euro2020' or 'euro2021'[1], we analysed daily activity levels in the period immediately preceding and during the competition. As with the previous research, CSC made use of information from domain registry zone files to identify any newly registered and de-registered / lapsed domains with names containing variants of the competition name.

During the monitoring period, we identified 203 new domain registrations, plus 25 pre-existing registrations that had lapsed. The daily numbers of new domains are shown in Figure 1.


Figure 1: Daily numbers of registered domains with names containing 'euro2020' or 'euro2021' (or variants). The red dashed line shows the seven-day centred rolling average.
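The zone-file comparison and the seven-day centred rolling average of Figure 1 can be sketched as follows. This is an added example, not CSC's own code: the variant pattern, the function names and the sample snapshots are assumptions, and owner names are assumed to be fully qualified.

```python
import re

# Assumed variant rule (not CSC's): 'euro', optional hyphen, then 2020/2021
# with the digit 0 optionally swapped for the letter o.
VARIANT = re.compile(r"euro-?2[0o]2[0o1]")

def zone_names(zone_text):
    """Return the set of delegated names (owners of NS records) in a zone file."""
    names = set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip comments, tokenise
        if len(fields) >= 3 and "NS" in [f.upper() for f in fields[1:4]]:
            names.add(fields[0].rstrip(".").lower())
    return names

def diff_snapshots(prev_text, curr_text):
    """Compare two daily snapshots; return (new, lapsed) names matching VARIANT."""
    prev, curr = zone_names(prev_text), zone_names(curr_text)
    match = lambda names: {n for n in names if VARIANT.search(n)}
    return match(curr - prev), match(prev - curr)

def centred_rolling_mean(counts, window=7):
    """Centred rolling mean of daily counts; None where the window is incomplete."""
    half = window // 2
    return [
        sum(counts[i - half:i + half + 1]) / window
        if half <= i < len(counts) - half else None
        for i in range(len(counts))
    ]

# Constructed sample snapshots using the reserved .example TLD.
DAY1 = """\
; snapshot for day 1 (constructed)
euro2020tickets.example.   172800 IN NS ns1.host.example.
euro2020tickets.example.   172800 IN NS ns2.host.example.
oldeuro2021shop.example.   172800 IN NS ns1.host.example.
unrelated.example.         172800 IN NS ns1.host.example.
"""
DAY2 = """\
; snapshot for day 2 (constructed)
euro2020tickets.example.          172800 IN NS ns1.host.example.
euro-2020-live.example.           172800 IN NS ns1.host.example.
england-euro2o20-winners.example. 172800 IN NS ns1.host.example.
newsite.example.                  172800 IN NS ns1.host.example.
unrelated.example.                172800 IN NS ns1.host.example.
"""

if __name__ == "__main__":
    new, lapsed = diff_snapshots(DAY1, DAY2)
    print("new:", sorted(new))
    print("lapsed:", sorted(lapsed))
    print(centred_rolling_mean([1, 2, 3, 4, 5, 6, 7, 8, 9]))
```
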

The analysis showed variable but continuing levels of activity throughout the period, with average daily numbers of registrations somewhat higher prior to the competition than during it. This suggests that the registrants may have set up their sites early to maximise the length of time they could make use of them.

In terms of website content, many of the same types of sites identified in the first study continued to appear. At least 10% of the total of the newly-identified examples again included the promotion of betting or gambling services, together with others featuring content relating to match streaming, ticket sales, or competition or prediction websites.

However, among the websites hosted on the domains registered after May 21, we observed a new set of trends:

  • Several sites (including some of those promoting gambling services) included references to cryptocurrency schemes (see Figure 2a). Such schemes are generally unregulated, and this type of site may be associated with fraudulent activity, raising the possibility for users to experience financial losses, theft of personal data, or exposure to malicious content.

  • Domains with names featuring references to individual teams were increasingly identified. Particularly in the later stages of the competition, we observed a number of domains referencing England and Italy (or 'Italia') - the eventual finalists in the competition. Between July 1 and 11, we identified seven domain names including 'England' and two including 'Italy'. Six of these nine included the term 'winners' (registered pre-emptively). At the time of analysis, many of these sites resolved to low-relevance content (e.g. sites with pay-per-click links). They may have been registered as a means of generating click-through revenue, or to sell on the domains at an inflated price after the competition. However, some of the domains did resolve to content relevant to the team in question (see Figure 2b).

  • A number of sites included log-in forms (see Figure 2c) or had been explicitly flagged as dangerous or fraudulent at a browser level. Some of these were already inactive by the time of analysis. Any such sites soliciting personal details pose a potential risk if not legitimate or authorised.

Figure 2: Examples of site content identified on domains with names containing 'euro2020' or 'euro2021' and registered after May 21, 2021: (a) cryptocurrency-related content; (b) an e-commerce site selling England merchandise; (c) a branded site including a log-in form.

The threat landscape is not restricted just to standalone websites hosted on competition-specific domain names. We identified similar content on other channels, including social media and mobile apps. Figures 3 and 4 show examples of a range of content found in searches carried out in the final week of the competition. We also identified other types of potentially lower-threat content relating to Euro 2020 across the same channels, including:

  • Large numbers of informational and fan pages on Facebook
  • Profiles providing competition news and updates on Twitter
  • Mobile apps comprising score update services, competition predictors, or games

Figure 3: Examples of content identified on social media profiles: (a) offering ticket sales; (b) promoting gambling services; (c) offering the sale of merchandise; (d) offering match streaming.

Figure 4: Examples of content identified in mobile apps: (a) a purportedly official app produced by a third-party developer; (b) an app offering match streaming.

While a subset of the findings in this study may be legitimate, much of the content we observed presents the potential for risk to customers and brand (trademark) owners, especially in cases where the material is not official or authorised. These risks include financial losses and reputation damage, and can be associated with phishing activity, the sale of counterfeit products, non-legitimate cryptocurrency schemes, fake gambling sites, distribution of malicious content, illegal distribution of copyrighted content, traffic misdirection, and the unauthorised use of brand terms or official imagery.

The range of online channels on which this content appears also highlights the importance of a holistic brand-protection service - encompassing both monitoring and enforcement - covering as many of these channels as possible. This is important not just because the different areas of the Internet comprise different ecosystems in which the same types of issues can manifest, but also because there is so much overlap between these areas. Familiar examples might include mobile apps linking to e-commerce marketplaces, or social media profiles promoting standalone websites.

Even within a single online channel, it is important for the coverage to be as comprehensive as possible. Where mobile apps are the area of interest, for example, a brand-protection programme should cover not just the main app stores like iTunes, Google Play, etc., but also the myriad standalone APK sites where app files are available for download. This latter category of site can actually be a source of greater concern, since the apps offered here generally undergo less quality control, and are more prone to be unofficial, out-of-date, or associated with malicious content. Similarly for e-commerce, it is important to consider not just the common, well-known marketplace sites, but also to include an element of discovery within the monitoring, to identify previously unknown, standalone sites.

For some programmes, or for monitoring associated with particular events, it may be prudent to cover the areas of the Internet beyond those accessible using the standard techniques of search-engine meta-searching, link crawling, domain zone file analysis, and direct site searching. Where phishing is a concern, CSC advises augmenting these services with a dedicated phishing monitoring programme. CSC’s services use a combination of spam traps, honeypots, and other data feeds to find content that may not be identifiable through other routes[2].

In the closing week of the Euro 2020 competition, a news story emerged in which an e-commerce site selling retro football shirts and merchandise was subject to a cyber attack where customer details were compromised. This led to a targeted e-mail phishing scam where recipients were offered a cashback bonus, to be claimed via a web form where they had to share their card details. The phishing e-mails used a typosquatted domain name - just one letter different from the official domain[3]. This case highlights not only how the types of targets for criminal activity can be influenced by external events, but also the importance of holistic monitoring. Domain monitoring and phishing detection can provide early warning of this type of scam.
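A domain-monitoring check for this kind of lookalike can be as simple as comparing observed sender domains against the official one. The following is an added example, not code from the original article; it goes slightly beyond the single changed letter described above by also catching one inserted, deleted or transposed character. The official domain, the function names and the sample headers are constructed placeholders.

```python
from email.utils import parseaddr

# Placeholder official domain (constructed; not the retailer in the news story).
OFFICIAL = "retroshirts.example"

def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion,
    deletion, or swap of two adjacent characters."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            return True                                   # one letter changed
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]]
                and a[diff[1]] == b[diff[0]])             # adjacent swap
    short, long_ = sorted((a, b), key=len)
    # One insertion/deletion: dropping one character of the longer name
    # must give the shorter name.
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def flag_lookalikes(official, from_headers):
    """Return sender domains that are one edit away from the official domain."""
    hits = []
    for header in from_headers:
        address = parseaddr(header)[1]
        domain = address.rpartition("@")[2].lower().rstrip(".")
        if domain and one_edit_apart(domain, official):
            hits.append(domain)
    return hits

# Constructed From: headers, as they might appear in a spam-trap mailbox.
SAMPLE_FROM = [
    "Cashback Team <refunds@retroshirts.example>",    # official domain
    "Cashback Team <refunds@retroshrits.example>",    # adjacent swap
    "Support <help@retrosh1rts.example>",             # one letter changed
    "News <info@retroshirtss.example>",               # one letter added
    "Someone <a@unrelated.example>",                  # unrelated
]

if __name__ == "__main__":
    for domain in flag_lookalikes(OFFICIAL, SAMPLE_FROM):
        print("possible typosquat:", domain)
```
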

The identified infringements associated with Euro 2020, as presented across our three articles[1,4], can have a number of victims. These include the owners of trademarks associated with the competition and teams, official partners and sponsors, and members of the public. They also highlight how a high-profile event can drive criminals to focus their attention towards content and channel types receiving - albeit temporarily - increased levels of attention and web traffic. However, the Euro 2020 name is just one ephemeral example among an almost limitless range of brand names and ongoing events. Overall, these findings highlight the importance of continuous monitoring and enforcement, using a programme approach that is flexible enough to change focus onto new areas of concern as they emerge and grow.

References

[1] https://www.cscdbs.com/blog/illustration-of-real-world-events-and-online/

[2] https://www.cscdbs.com/blog/phishing-scams-how-to-spot-them/

[3] https://www.bbc.co.uk/news/business-57766908

[4] https://www.cscdbs.com/blog/ecommerce-marketplace-activity/

This article was first published on 27 July 2021 at:

https://www.cscdbs.com/blog/euro-2020-part-3-domains-revisited-and-other-channels/

Also published at:

https://circleid.com/posts/20210816-euro-2020-part-three-domains-revisited-and-other-channels

Thursday, 1 July 2021

Euro 2020 - Part 2: e-commerce marketplace activity

by David Barnett and Pascal Rodax

Following our previous article on the Euro 2020 football tournament, which looked retrospectively at domain name registrations relating to the competition, this article considers activity on e-commerce marketplaces.

For this study, CSC used its Discovery Engine technology to conduct a regular series of scans across key international online marketplaces. We monitored for listings (offers of sale) relating to Euro 2020 clothing and merchandise. The scans focused on the top-listed results[1] (i.e. those most visible to potential buyers) that were returned from a series of competition-, product- and team-related search queries. We categorised results by marketplace and the team name mentioned in the listing. In the four weeks between May 25 and June 21, 2021, we identified and analysed more than 35,000 listings.

We first looked at listings identified during the two weeks immediately preceding the competition, where the data had not been affected by any match results. Unsurprisingly, one key finding was that the greatest numbers of listings were identified for the higher-ranked teams in the competition[2] (Figure 1) - potentially those with a larger fan base, and therefore a greater demand for associated merchandise. However, other factors, such as the target markets of the marketplaces themselves, may also have an impact on the number of listings for each team.

It is also interesting to note that, comparatively, the number of listings does not drop off as steeply as might be expected for the lower-ranked teams. This is because the scans incorporated explicit searches for all team names, thereby returning disproportionately more results for the lower-ranked teams than would be expected purely based on the raw total numbers of listings on the marketplaces.

Figure 1: Numbers of highly ranked e-commerce listings for each Euro 2020 team, over a two-week period prior to the competition, compared with their FIFA world rankings[3].

Table 1 shows the total value of the top-listed items identified across the whole analysis period. The calculation accounts for the total number of items offered in each individual listing and the unit price per item - fields which Discovery Engine can automatically scrape from the sites, because the format of the listing pages is known in advance.

The calculation also makes use of a data cap, applied in cases where a seller is offering an unrealistically high quantity of items (see e.g. Figure 2), to avoid the calculated values being artificially high[4]. This can make a large difference to the overall numbers, particularly on marketplaces where high quantities per listing are typically seen (e.g. Alibaba, DHgate and Shopee in this study), and may result in estimates that are more realistic in terms of the value of items actually held in inventory.

This type of analysis forms the basis of a return-on-investment (ROI) calculation that can be carried out as part of a monitoring and enforcement program. In reality, only a certain proportion of the items offered on each site will actually be infringing (e.g. counterfeit), and this value varies between sites. Therefore, any enforcement program needs to incorporate an analysis component to determine which listings are for potentially legitimate items and which are infringing and can be removed. In practice, ROI calculations can be carried out at regular points during the brand protection service to determine the actual value of goods removed. Using suitable assumptions, this can be extended to estimate the proportion of this revenue that may be reclaimable (by virtue of consumers purchasing legitimate items through official channels once the infringing items become unavailable).

Table 1: Total value of items (converted to USD[5]) identified across the top listings on each marketplace during the four-week analysis period. Marketplace names marked with an asterisk denote that multiple different country versions of the site in question were included in the calculation.

Figure 2: Example of a marketplace listing for football jerseys, offering a very high quantity of items, with 5,998,851 in stock.

CSC’s Discovery Engine also makes it possible to generate clustered visualisations of data relating to the identified results. This can help identify top entities for further investigation or as priority takedown targets, or identify links between infringers. Figure 3 shows a cluster of sellers offering items relating to the French national team, showing entities that are active across multiple country versions of the Lazada site, as a way of maximising their exposure to potential buyers.

Figure 3: Example of a clustered visualisation of sellers offering items referencing the French national team (individual seller names obfuscated for privacy reasons).

Within the overall set of individual listings identified in this study, there are a number of interesting trends and observations. Many offers of sale incorporate a variety of keywords - frequently the names of popular players from the teams (see e.g. Figure 2) - as a means of attracting search traffic. Often the items are customisable upon request from the buyer (Figure 4), a trend that CSC also sees more generally for football clubs outside the Euro 2020 competition.

Figure 4: Examples of marketplace listings for customisable items: a) football jerseys; and b) face masks with options for various event- and team-related logos.

In many cases, the sellers use product images featuring just the back of the item or a generic product view, presumably to avoid showing any event or sponsor logos (see e.g. Figure 5). Sellers probably do this to make the listings harder to identify by brand protection service providers making use of logo recognition, or to reduce the degree of trademark infringement in the listings, making them more difficult to enforce upon.

Figure 5: Example of a marketplace listing featuring no official logos or brands in the product images.

Recommendations for brand owners

CSC’s top five tips for brand owners to combat counterfeits[6] form the framework of good practices that should be incorporated into any comprehensive brand protection programme. In the context of this study, these recommendations may be applicable to the owners of the trademarks relating to the competition, organisers or teams, to any official sponsors, and to the manufacturers of legitimate products.

1. Ensure your IP portfolio is in good shape

Having all relevant brand terms suitably protected - such as having appropriate trademarks registered in all relevant product classes and jurisdictions - is an essential pre-requisite for an effective enforcement program, and greatly increases the takedown options available.

2. Employ an automated monitoring solution

CSC’s Discovery Engine automatically monitors a range of marketplaces and other relevant online channels, pulls out rich datasets for each result (seller name, price, quantity, etc.), and aggregates information to identify top targets. The system also uses a customisable rules language, allowing the searches to be configured for brand variants, misspellings and other relevant keywords, and in multiple international character sets.

3. Perform test purchases

A key part of the enforcement process is analysing individual listings to identify which are infringing and therefore actionable. While a number of factors, such as features in product images, price point, quantity, item location, etc. can provide indications that an item may be counterfeit, it is never possible to prove this definitively based solely on information in the listing itself. Carrying out a test purchase, and thereby obtaining a sample of the item actually shipped, is the only way to determine its legitimacy.

4. Educate your customer base

Customer education is an essential way to bring the quality and safety implications of non-legitimate goods to the attention of potential buyers. Brand owners should also employ initiatives to promote their official suppliers and sales channels, so customers are aware of the sources of legitimate goods. Brand owners may also want to consider rolling out the use of product verification tools (e.g. QR codes and unique serial codes in individual listings) that can be checked by prospective buyers against official databases.

5. Choose the right partner

Collaborating with a brand protection service provider that offers a holistic suite of products and services is vital. It enables brand owners to monitor across all relevant online channels, allows for efficiency in monitoring and enforcement processes, and can provide analyst support across all of these areas, in addition to keeping the brand owner informed of service and industry developments.

References

[1] The exact depth of the searches varies between marketplaces; typically the scans analyse the top 10 pages of search results

[2] Correlation coefficient = (-)0.68

[3] https://www.fifa.com/fifa-world-ranking/ranking-table/men/ (data correct as of 27 May 2021)

[4] https://www.worldtrademarkreview.com/anti-counterfeiting/return-investment-proving-protection-pays

[5] Exchange rates taken from https://www.xe.com/currencyconverter/ (data correct as of 21 June 2021)

[6] https://www.linkedin.com/posts/csc-digital-brand-services_five-recommendations-to-protect-your-brand-activity-6808054870612942848-9SM2/

This article was first published on 1 July 2021 at:

https://www.cscdbs.com/blog/ecommerce-marketplace-activity/

Also published at:

https://www.circleid.com/posts/20210708-euro-2020-part-two-ecommerce-marketplace-activity/
