Counterfighting Counterfeit: Detecting and Taking down Fraudulent Webshops at a ccTLD

  • Thymen WabekeEmail author
  • Giovane C. M. Moura
  • Nanneke Franken
  • Cristian Hesselman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12048)


Luxury goods such as sneakers and bags are in high demand. Many websites offer them at high discounts, which, in many cases, are simply cheap counterfeit versions of the original product. Online shoppers, however, may be unaware they are buying a counterfeit product and end up being scammed and having to deal with financial losses, as has been widely reported by various news outlets. This work presents a multiyear effort of The Netherlands’ .nl country-code top-level domain (ccTLD) in detecting and removing counterfeit online shops from the .nl DNS zone. We have developed two detection systems and partnered with registrars and a large credit card issuer, which ultimately led to more than 4,400 counterfeit online shops being taken down.



We thank very much the collaboration involved in this study: the (anonymized) registrars that collaborated in removing counterfeit webshops, as well as ICS and their analysts for manually validating our results.

We also would like to thank Geoff Voelker, Moritz Müller, Damon McCoy, Elmer Lastdrager for reviewing on various paper drafts, as well as the anonymous reviewers of PAM2020, and our shepherd, Dave Levin.

SIDN and the University of Twente received funding from the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No 830927. Project website:


  1. 1.
    Ahi, K., Asadizanjani, N., Shahbazmohamadi, S., Tehranipoor, M., Anwar, M.: Terahertz characterization of electronic components and comparison of terahertz imaging with x-ray imaging techniques, vol. 9483, April 2015.
  2. 2.
    Bergstra, J., Bengio, Y.: Random search for hyper-parameter optimization. J. Mach. Learn. Res. 13(Feb), 281–305 (2012)MathSciNetzbMATHGoogle Scholar
  3. 3.
    Hesselman, C., Jansen, J., Wullink, M., Vink, K., Simon, M.: A privacy framework for DNS big data applications. Technical report (2014).
  4. 4.
    Drucker, H., Wu, D., Vapnik, V.: Support vector machines for spam categorization. IEEE Trans. Neural Netw. 10(5), 1048–1054 (1999). Scholar
  5. 5.
    Moura, G.C.M., Muller, M., Wullink, M., Hesselman, C.: nDEWS: a new domains early warning system for TLDs. In: IEEE/IFIP International Workshop on Analytics for Network and Service Management (AnNet 2016), Co-Located with IEEE/IFIP Network Operations and Management Symposium (NOMS 2016), April 2016Google Scholar
  6. 6.
    Hao, S., Kantchelian, A., Miller, B., Paxson, V., Feamster, N.: PREDATOR: proactive recognition and elimination of domain abuse at time-of-registration. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1568–1579. ACM, New York (2016).
  7. 7.
    Hao, S., et al.: Understanding the domain registration behavior of spammers. In: Proceedings of the 2013 Conference on Internet Measurement Conference, IMC 2013, pp. 63–76. ACM, New York (2013).
  8. 8.
    Hastie, T., Tibshirani, R., Friedman, J.: The Elements of Statistical Learning. Springer, New York (2009). Scholar
  9. 9.
    Hesselman, C., Moura, G.C.M., Schmidt, R.O., Toet, C.: Increasing DNS security and stability through a control plane for top-level domain operators. IEEE Commun. Mag. 55(1), 197–203 (2017). Scholar
  10. 10.
    Hoffman, P., Sullivan, A., Fujiwara, K.: DNS terminology. RFC 8499, IETF, November 2018.
  11. 11.
    ICS: International Credit Card Services (2020).
  12. 12.
    Kazemian, H., Ahmed, S.: Comparisons of machine learning techniques for detecting malicious webpages. Expert Syst. Appl. 42(3), 1166–1177 (2015). Scholar
  13. 13.
    Kruczkowski, M., Szynkiewicz, E.N.: Support vector machine for malware analysis and classification. In: 2014 IEEE/WIC/ACM International Joint Conferences on Web Intelligence (WI) and Intelligent Agent Technologies (IAT). IEEE, August 2014.
  14. 14.
    Lever, C., Walls, R., Nadji, Y., Dagon, D., McDaniel, P., Antonakakis, M.: Domain-Z: 28 registrations later measuring the exploitation of residual trust in domains. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 691–706, May 2016.
  15. 15.
    Netcraft Ltd.: Netcraft, 10 October 2019.
  16. 16.
    McCoy, D., Dharmdasani, H., Kreibich, C., Voelker, G.M., Savage, S.: Priceless: the role of payments in abuse-advertised goods. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 845–856. ACM, New York (2012).
  17. 17.
    McCoy, D., et al.: PharmaLeaks: understanding the business of online pharmaceutical affiliate programs. In: Proceedings of the 21st USENIX Security Symposium. USENIX Association, Bellevue, August 2012Google Scholar
  18. 18.
    Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, IETF, November1987.
  19. 19.
    Moura, G.C.M., Heidemann, J., Schmidt, R.O., Hardaker, W.: Cache me if you can: effects of DNS time-to-live. In: Proceedings of the 2019 ACM Internet Measurement Conference, October 2019.
  20. 20.
    Moura, G.C.M., Heidemann, J., Müller, M., Schmidt, R.O., Davids, M.: When the dike breaks: dissecting DNS defenses during DDoS. In: Proceedings of the ACM Internet Measurement Conference, October 2018.
  21. 21.
    Nieuws, R.: Dit jaar al 307 nep-webwinkels offline gehaald door politie (in Dutch), 12 December 2018.
  22. 22.
    NOS: Consumenten voor 5 miljoen euro opgelicht via nepwinkels op sociale media (in Dutch), 12 December 2018.
  23. 23.
    NOS: Waar komen al die nep-webshops toch vandaan? (in Dutch), 5 May 2018.
  24. 24.
    Peter, H.: Gefälschte Sneaker von der FDP? (In German) (2019).
  25. 25.
    Quan, L., Heidemann, J., Pradkin, Y.: When the internet sleeps: correlating diurnal networks with external factors. In: Proceedings of the 2014 Conference on Internet Measurement Conference, IMC 2014, pp. 87–100. ACM, New York (2014).
  26. 26.
    van Rijswijk-Deij, R., Jonker, M., Sperotto, A., Pras, A.: A high-performance, scalable infrastructure for large-scale active DNS measurements. IEEE J. Sel. Areas Commun. 34(6), 1877–1888 (2016)CrossRefGoogle Scholar
  27. 27.
    Roberts, R., Goldschlag, Y., Walter, R., Chung, T., Mislove, A., Levin, D.: You are who you appear to be: a longitudinal study of domain impersonation in TLS certificates. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, pp. 2489–2504 (2019).
  28. 28.
    Schmidle, N.: Inside the Knockoff-Tennis-Shoe factory. The New York Times (2010).
  29. 29.
  30. 30.
    SIDN: Stichting internet domein nederland, 30 Ago 2019.
  31. 31.
    Streitfeld, D.: What happens after Amazon’s domination is complete? Its bookstore offers clues. New York Times, 23 June 2019.
  32. 32.
    Suykens, J.A., Vandewalle, J.: Least squares support vector machine classifiers. Neural Process. Lett. 9(3), 293–300 (1999). Scholar
  33. 33.
    Taxation and Customs Union: Customs Union: EU customs seized over 41 million fake goods at EU borders last year (2016).
  34. 34.
    Tian, H., Gaffigan, S.M., West, D.S., McCoy, D.: Bullet-proof payment processors. In: 2018 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–11, May 2018.
  35. 35.
    Turner, K.: That Chanel bag on your Instagram feed may not be a Chanel bag (2016).
  36. 36.
    U.S. Customs and Border Protection Office of Trade: Intellectual Property Rights - Fiscal Year 2017 Seizure Statistics (2017).
  37. 37.
    Wall, D.S., Large, J.: Jailhouse frocks: locating the public interest in policing counterfeit luxury fashion goods. Br. J. Criminol. 50(6), 1094–1116 (2010). Scholar
  38. 38.
    Wang, D.Y., et al.: Search + Seizure: the effectiveness of interventions on SEO campaigns. In: Proceedings of the 2014 Conference on Internet Measurement Conference, IMC 2014, pp. 359–372. ACM, New York (2014).
  39. 39.
    Wappalyzer: Identify technology on websites, 19 October 2019.
  40. 40.
    Wullink, M., Moura, G.C., Hesselman, C.: Dmap: automating domain name ecosystem measurements and applications. In: 2018 Network Traffic Measurement and Analysis Conference (TMA), pp. 1–8. IEEE, June 2018Google Scholar
  41. 41.
    Wullink, M., Moura, G.C., Müller, M., Hesselman, C.: ENTRADA: a high-performance network traffic data streaming warehouse. In: 2016 IEEE/IFIP Network Operations and Management Symposium (NOMS), pp. 913–918. IEEE, April 2016Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Thymen Wabeke
    • 1
    Email author
  • Giovane C. M. Moura
    • 1
    • 3
  • Nanneke Franken
    • 2
  • Cristian Hesselman
    • 1
    • 4
  1. 1.SIDN LabsArnhemThe Netherlands
  2. 2.SIDNArnhemThe Netherlands
  3. 3.TU DelftDelftThe Netherlands
  4. 4.University of TwenteEnschedeThe Netherlands

Personalised recommendations