Coronavirus: Online Threats Going Viral - Part 2: Marketplaces

In this second article about the online risks of coronavirus, we take a look at online marketplaces.

In the midst of the coronavirus crisis and the partial or total quarantines happening around the world, more people are turning to e-commerce for their purchases. This, combined with the increased demand for healthcare and healthcare-related products, is causing surges of activity on online marketplaces.

Perhaps least surprising is the growth in the number of listings for cleaning and hygiene products (e.g. hand sanitiser), as well as face masks, to the point that Amazon.com has reportedly banned new listings of certain classes of product to cope with demand^[1]. Many of the identified listings explicitly reference 'coronavirus' or 'COVID-19' in product titles or descriptions to attract web traffic.

Marketplace sales always carry inherent risks: items may not be as described, may be low quality or ineffectual, or in cases where the offers of sale purport to be for branded products, counterfeit. Therefore, it is important for consumers to carefully consider the sources they use, bearing in mind factors like seller identity and location, item price, product images, buyer reviews, and so on. Similarly, brand owners must implement programs to track activity on e-commerce marketplaces to identify branded listings that may offer counterfeits, use established brand names to drive traffic to third-party products, or sell legitimate items sourced through unauthorised routes in the supply chain.

Of particular concern during the current climate are listings offering coronavirus tests or cures. While tests for the virus do exist, there is no guarantee that those sold on marketplaces are either legitimate or effective and, given the medical nature of such products, counterfeits could have significant negative health implications. Listings for cures are perhaps more concerning still, particularly in view of the fact that (at the time of writing) no cure currently exists, and medical treatments simply aim to relieve the symptoms while giving the body an opportunity to fight the illness^[2]. In one case reported on March 21, a man was charged with manufacturing fake treatment kits containing harmful chemicals^[3]. Fake cures also raise the dangerous possibility of making consumers believe that they are in recovery, making them abandon the efforts to isolate to prevent the spread of the disease.

Figure 1: Example of a marketplace listing for a coronavirus test kit, stating a minimum order of 100,000 pieces with customised packaging options, making it likely to be associated with the supply chain for counterfeit tests

Figure 2: Example of a marketplace listing for an 'anti-coronavirus' essential oil product

As with coronavirus-related phishing attacks (discussed in detail later in this blog series), some listings may also refer to trusted organisations such as the Centers for Disease Control and Prevention or the World Health Organization in an attempt to claim endorsement or provide the appearance of legitimacy. This is not only an IP infringement but, more importantly, could be a danger to consumers.

How can CSC help?

CSC's technology for monitoring known marketplaces uses the sites' own built-in search functions to identify listings containing brand terms or relevant keywords. It then uses scraping and information drawn from APIs to pull information from the listing, such as the seller name, quantity of items, price, etc. Brand owners can make use of CSC's marketplace monitoring services to identify listings in which their brand terms are used. We can also aggregate the information obtained to calculate the total number of items offered by a particular seller, the total value of goods offered, and so on, to identify top sites and sellers.

When infringing listings have been identified, we make use of the various IP-protection programmes operated by marketplaces to have them removed - provided the brand owner has sufficient IP protection, e.g. registered trademarks. Infringing sellers can be suspended from the marketplace altogether or, following a successful takedown, brands can request a seller's contact details for further investigation.

References

[1] https://markets.businessinsider.com/news/stocks/amazon-marketplace-tips-for-sellers-following-coronavirus-uncertainty-2020-3-1029014647
[2] https://www.nhs.uk/conditions/coronavirus-covid-19/#treatments-summary
[3] https://www.bbc.co.uk/news/uk-england-london-51991245

This article was first published on 2 April 2020 at:
https://www.cscdigitalbrand.services/blog/coronavirus-online-threats-part-2/

Also published at:
http://www.circleid.com/posts/20200416-coronavirus-online-threats-going-viral-part-2-marketplaces/

Coronavirus: Online Threats Going Viral - Part 1: Domain Names

As news of the spread of the coronavirus (COVID-19) continues to emerge, CSC has undertaken the first in a series of studies looking at how the development of the crisis has affected online content. This first article looks at the numbers of registered domains with names containing coronavirus-related strings - 'coronavirus' or 'covid(-)19' (with an optional hyphen) - and analyses the types of content present on the associated websites.

In our investigation, we found 6,341 domains containing the string 'covid(-)19', and 11,552 domains containing 'coronavirus'^[1]. Many of these registered domain names include other terms implying that the associated websites feature neutral or informational content. However, significant numbers incorporate particular keywords suggesting that they could have been registered to take advantage of people’s fears surrounding coronavirus to attract web traffic. These domains may be used to create websites associated with scams, or with the intention of generating revenue.

Table 1: Total number of coronavirus-related domains containing keywords of particular interest

We further analysed this set of domains to determine^[2] when the domains were registered. This analysis shows that of the 2,000-plus domains for which creation dates were identifiable, only 17 domains (0.8%) were registered before 2020, and 68% (1,400+ domains) were registered since the start of March - i.e. just two weeks prior to the date of analysis.

Figure 1: Daily numbers of registrations of coronavirus-related domains featuring keywords of relevance

N.B. We truncated the graph at three days prior to the date of analysis, as there can typically be a delay of around two to three days between the date of domain registration and its inclusion and detection in the published zone file. Accordingly, the numbers of registrations shown for (at least) the two or three days prior to analysis are likely to be underestimates.

These figures provide a striking illustration of how escalating real-world issues can produce a flurry of corresponding activity online, with an enormous increase in registrations as countries began to announce lockdown measures throughout March. We can also see spikes in the domain-registration graph associated with specific events:

• The first announcements of the emergence of coronavirus outside China in late January
• The WHO announcement of COVID-19 as the specific strain on February 11
• The start of Italy's lockdown in late February^[3]

What's in a domain name?

Nearly 75% of the 2,646 domains with keywords of interest produced a live webpage response^[4]. Around three-quarters of these currently do not point to an active site, i.e. no page title, or a title suggesting that only a holding page is present. That said, even these may have been registered with a goal of monetising the domain name, either through pay-per-click links on the site or explicitly offering the domain name for sale.

Setting aside inactive domains still leaves around 500 coronavirus-related domains featuring relevant keywords and appearing to host active websites. Thirty-two of those 500 achieve significant web traffic, attracting over 8,000 Internet users per day between them. The websites resolve to a range of content, although just over a third resolve to active e-commerce sites offering face masks for sale. Others include: e-commerce sites selling coronavirus testing kits or other healthcare products; sites linking to online pharmacies; sites offering global coronavirus tracking functions; and a range of other informational sites.

Table 2: Description of content for coronavirus-related domains featuring keywords of relevance and attracting significant levels of web traffic

N.B. (i) Sites that do not currently include active website content are shown in italics.
(ii) Domain names are not shown, and any company names have been redacted.

Figure 2: Example screenshots of (top to bottom) high-traffic e-commerce sites offering the sale of face masks, or coronavirus testing kits; a coronavirus tracking site; and a site promoting an online pharmacy

Why does it matter to brands?

Registering a domain and creating an associated website is quick, simple, and essentially unregulated. This provides a range of opportunities for any would-be infringer and, as our findings have shown, can pose a variety of risks for internet users. Where physical products are being sold, the items could be manufactured using sub-standard materials, or without rigorous quality checks. Consumers run the risk that products may not just be ineffective, but actually harmful. Many of the identified e-commerce sites offered products using known and trusted brand names. The risk of these being counterfeit is one reason why brand owners should pay close attention to the developing landscape, and take appropriate enforcement action to protect their customers and their reputation.

The social risks of misinformation

Where unofficial sites use the name or branding of a legitimate health organisation (e.g. CDC or WHO) to appear official or lend credibility to its content, the public is at risk of incorrect safety information or a phishing attack. 

Figure 3: An example of a site infringing on CDC and WHO branding. The domain has been registered using a privacy-protection service to hide the contact details of the owner

Other identified websites offer coronavirus tracking mobile apps - a risk to the public in light of reports that some coronavirus tracking apps actually host malicious content or ransomware.

Recommendations for brand owners

As the coronavirus story continues to develop, it is advisable to monitor for third-party domain names - and material in other online areas - that may be using a brand name to lend credibility to site content or offer the sale of counterfeits. CSC's monitoring technology is able to search for brand-related appearances across a range of internet content types, and prioritise findings by the number and prominence of brand mentions, and their proximity to keywords or key phrases of particular relevance or concern. Following identification of infringing content, a rapid process of enforcement for the removal of damaging content can help to protect customers, company reputation, and revenue. Above all, throughout this developing crisis, it's most important to take all necessary precautions - both online and offline - to be safe and stay well!

References

[1] Numbers correct as of 18/03/2020
[2] Wherever this information is available via an automated look-up
[3] https://edition.cnn.com/2020/02/06/health/wuhan-coronavirus-timeline-fast-facts/index.html
[4] Excluding those that return no HTTP response, or generate an error code

This article was first published on 26 March 2020 at:
https://www.cscdigitalbrand.services/blog/coronavirus-online-threats-part-1/

Also published at:
http://www.circleid.com/posts/20200409-coronavirus-online-threats-going-viral-part-1-domain-names/

One Weird Trick To Steal Your Money

The online healthcare scam – whereby sufferers of a particular illness are convinced to click through to bogus content via the promise of a cure for their condition – is unfortunately nothing new. Not only can these scams end up resulting in a financial cost to the victims, but they also divert patients away from providers of legitimate treatments – which, of course, also translates into lost revenue for these suppliers of genuine products and services.  

A related issue, the online sale of counterfeit pharmaceuticals, is also an enormous business for criminals; prescription drugs represent the largest market for counterfeit goods of any class of products, worth $200 billion annually^[1]. Estimates suggest that between 10 and 30% of pharmaceuticals in circulation globally are counterfeit, resulting in up to one million deaths annually^[2,3,4]. These figures highlight the importance to pharmaceutical brand owners of carrying out programmes of online monitoring for, and enforcement against, pharmacy websites using their brand names to sell products which, in reality, may have been produced using low-quality or inactive ingredients (issues which may affect at least 30% of counterfeit pharmaceuticals^[5]).

One example of a medical condition which is commonly used as a 'hook' to attract the attention of Internet users is diabetes. Given the number of people affected by the condition, it is perhaps unsurprising that so many scams make use of content related to the illness; Public Health England recently released a forecast stating that the number of people with the disease could top 5 million if obesity rates continue to increase, with 1 in 10 adults in the UK being at risk of developing diabetes by 2035. This would mean that £1 of every £6 spent by the NHS would be allocated to providing care for diabetes patients^[6]. 

In response to these numbers, there has emerged a very high volume of websites, social-media postings and spam e-mails which purport to provide information on supposed treatments for the disease. (A simple search using NetNames' Domain Monitor product, for example, shows that there are over 400 registered gTLD domains with names containing 'cure' and 'diabetes'.) Many of these offer pharmaceuticals or other products, or e-books giving guidance on lifestyle changes, which are stated as having the capability to 'cure' the condition. Of course, a significant proportion of these claims are bogus, and simply comprise attempts to extract payments from vulnerable sufferers. Other similar types of scam might claim to provide links to articles giving information on cures or research (such as the familiar "here’s the secret that Big Pharma doesn’t want you to know" postings), but are simply acting as 'click-bait', encouraging users to navigate to websites featuring malicious or otherwise unsavoury content.

A 2015 blog posting^[7] presents a case study of a typical scam. The start point in this case is a spam e-mail encouraging readers to "discover the diabetes miracle for yourself", by clicking on a link to "watch a short video [to] change your life". The mail links to a website showing a 40-minute video presented by a purported medical doctor, offering the sale (for $37) of a 'training course' which can supposedly 'cure' diabetes by "following simple instructions for four to six minutes a day". The individual(s) behind the scam have also made good use of other promotional techniques, including the online posting of fake reviews in support of the treatment, and the application of search-engine optimisation to ensure high search-engine rankings for the website. A second review of the same case, published by the San Diego Consumers Action Network^[8], notes a number of additional factors about the scam, including the facts that: (i) the 'doctor' featured in the video is actually a fake individual; (ii) the pseudo-science presented in the video is (of course) bogus; and (iii) the payment for the product on offer is made through a payment gateway which is unregulated and "has generated a number of complaints about difficulties in securing refunds and getting responses".  This type of scam is nothing new; a blog posting from 10 years ago^[9] reports a similar scam, offering a fake product called Glucobate, at a time when the Federal Trade Commission (FTC) and Food and Drug Administration (FDA) in the USA launched a campaign to crack down on such schemes, sending 180 warning letters to entities involved in the distribution of deceptive advertisements^[10].

An article by economist Alex Kaufman^[11] presents a study of the psychology behind the types of videos produced by the purveyors of the "one weird trick to cure diabetes" type of campaign. Kaufman notes that common themes include: (i) the claim that the idea being presented is 'secret', using the knowledge that people will "give greater credence to information if [they've] been told it was once 'classified'"; (ii) the use of extended-length videos, under the assumption that "the more arguments you list in favor of something, regardless of the quality of those arguments, the more that people tend to believe it" and also as a way of qualifying sales prospects, by determining that "once you've established this is a person who'll sit through anything, you can contact them by e-mail later and sell them other products"; and (iii) the use of advertisements with quirky language ("one weird trick") and poor-quality graphics, so as to generate a 'hook' which is intriguing, distinctive and accessible, and provide "the illusion that it's one man against the system". Many of these ideas are also used – or built on – on the many websites which can be found via simple Internet searches for phrases such as "diabetes cure"; some of these will employ a kind of double-bluff, by rubbishing other similar sites, whilst simultaneously providing testimonials for their own products and services.

Given the familiarity of this type of scam, it may be surprising that people will still pay money for fake treatments. However, there still seems to be a willingness by sufferers to believe bogus claims, borne out of a hope that claims of cures for their disease might be based in reality. A posting in a forum on the Diabetes.co.uk website, for example, talks about a Facebook post advertising a diabetes 'cure', stating that the reader had "clicked on the link and it doesn't give much away about what it is or how it works but I was reading through the comments and apparently only a select few seemed to have had prior knowledge about it".  As with many things on the Internet – and in life – it is often advisable to apply the old mantra that "if it seems too good to be true, it probably is".  

References 

[1] http://www.havocscope.com/products/ 
[2] http://sophiccapital.com/wp-content/uploads/2014/10/Download-Full-Counterfeiting-Report-Here.pdf 
[3] http://www.eltiempo.com/archivo/documento/CMS-13140064 
[4] http://europe.newsweek.com/fake-drug-industry-exploding-and-we-cant-do-anything-about-it-333176 
[5] http://www.medicaldaily.com/global-problem-counterfeit-drugs-affects-even-legitimate-sources-such-hospitals-and-329914 
[6] http://www.bbc.co.uk/news/health-37720610 
[7] https://blog.cloudmark.com/2015/04/15/medical-scams-dr-pearsons-diabetes-cure-and-quantum-vision-system/ 
[8] http://www.sandiegocan.org/2015/03/15/scam-alert-stay-free-of-diabetes-free-miracle-shake-scam/ 
[9] http://www.mendosa.com/blog/?p=114 
[10] https://www.ftc.gov/news-events/press-releases/2006/10/ftc-and-fda-act-against-internet-vendors-fraudulent-diabetes 
[11] http://www.slate.com/articles/business/moneybox/2013/07/how_one_weird_trick_conquered_the_internet_what_happens_when_you_click_on.html

This article was first published on 14 November 2016 at:
https://www.netnames.com/insights/blog/2016/11/one-weird-trick-to-steal-your-money/ 

An updated version was published on 2 December 2016 at: 
https://www.koganpage.com/article/the-cost-of-online-scams