US RUNNING SHOES FAKE SITE NO 2 IN GOOGLE SEARCH

12/2/2024

This site was reported to Brooks EU as fake on 17 Jan 2024. It is still active today (12/2/2024).

Background

When searching for Brooks running shoes (search term “brooks nl”), the second entry on the google page is a fake phishing site.

This site is extremely well done to look like it mimics the real brooks site (real site is https://www.brooksrunning.com/en_nl). Fake site is www.brooks-netherland.com.

This site is unique in that it extends normal phishing schemes by:

Grabbing user credentials.
Doing a credit card transaction for non-existent running shoes.
It never creates a user account on the site.
It does very little input validation on the shopping basking and payment details.
1. No postcode check
2. No credit card number check
It does support 3D security to successfully take money from the user account.
It also sends shipping emails for the fake goods sent.
It then also actually ships a very low value item (sunglasses) from China for which the user then have to pay import duty.
There are no DMARC, SPF, DKIM records associated with the domain and email is quite unhealthy.

The comments in the code shows that at least some of the code was written in China.
The site forms part of a network of sites that share payment processing capabilities.
The fact that the site does ship something on order complicates the fraud detection process as it can argue that it did provide a product.
Brooks confirmed that this is not an authorized reseller but has failed to take any action against this site.
1. The DNS name for the site was registered 6/11/2023 so once can expect that site has operated undisturbed for nearly 3 months now.
The site is hosted by a South African ISP (Fibergrid) with international co-location capabilities. The actual site is located in Canada.
The DNS was registered via Alibaba in China.
The site has not been blacklisted by any reputation scoring tools and currently is listed second (after a paid ad by the real Brooks company) in the Google index.

This site is most likely damaging the Brooks reputation immensely as a large number of Brooks clients will never receive their products ordered from this site.
It seems that Brooks is not in a position to take this site down.
To following steps will take down the site:
1. Contacting the DNS provider on link to report abuse and have the URL revoked (brooks-netherland.com)
2. Contact the Hosting provider on link and have the host removed (196.247.55.101)
3. Contact the Cloudflare link and have the payment provider (topstorefsale.com) DNS link removed.
Going forward the company should do the following:
1. Engage in a dark web monitoring service to monitor for the re-emergence of these types of domains.
2. Upgrade their internal security and RM processes to respond much faster to public disclosure events.
3. Engage with the market to make their concern and strategy known to their clients and that they are protecting their brand by removing these attacks as soon as they become aware of them