Tracking how cybercriminals compromise websites to sell counterfeit goods

This thesis sheds light on how cybercriminals compromise websites to sell counterfeit goods using three related projects. The first project examines the prevalence of counterfeit stores found in the Google search results for 25 different luxury goods. Every URL returned by Google was visited by an automated browser which extracted features thought to be indicative of counterfeit stores. Nearly 1/3 of the search results analyzed took shoppers to a counterfeit store, even if the shopper appeared to be seeking legitimate goods. It was also found that brands aggressively filing Digital Millennial Copyright Act (DMCA) reports experienced a lower prevalence of fake stores in their search results, and that brands whose counterfeits sold for more were more likely have a higher prevalence of fake stores. Because many websites selling counterfeit goods have been hacked, techniques were developed to identify common methods of compromise. The second project describes a method used to detect the presence of plugins in WordPress and Joomla installations. Plugins present a common method of exploiting websites utilizing content management systems. Identifying which plugins are on a page can suggest ways in which the page was compromised. Lastly, the technique for identifying plugins is applied to counterfeit stores to present evidence of compromise. To achieve this, a plugin was written to programmatically record redirects within an instrumented Firefox web browser. By observing the plugins present on the Fully Qualified Domain Name (FQDN) level of these redirecting pages, conclusions are drawn about how they were hacked. Search results which were set up using Content Management Systems (CMS) were roughly two times more likely to be compromised to redirect to counterfeit stores. Additionally, certain plugins were seen to positively influence the odds of a website being compromised.