Home / Blogs

Do You See What I See? Geotargeting in Brand Infringements

Co-authored by David Barnett and Lan Huang.

Geotargeting is a well-established online technique for delivering tailored web content based on a user’s geographic location. From an internet technology point of view, this is usually based on the user’s IP address, which is converted to a physical location through a standard look-up process performed by network infrastructure.

Geotargeting is commonly used by websites for several legitimate reasons, including providing users with relevant advertising and other content, or restricting the distribution of content to particular countries or regions in compliance with IP rights restrictions. However, geotargeting (or geoblocking) is increasingly being used by bad actors with their infringing websites. The sites may be configured, so the infringing content (e.g., counterfeit goods sales) is only accessible in certain countries, at certain times, on certain days, or can vary dependent on the web browser used.

Outside of those locations, sites may resolve to unrelated content, like gambling-related or adult material, or websites for third-party companies. In some cases, affiliate links on these pages can be sources of additional revenue for their owners beyond their core purpose, i.e., the distribution of the infringing content. Generally, the main purpose of the geotargeting technique is to circumvent detection by the real brand owner, their brand protection service provider, or to frustrate enforcement efforts.

Common geotargeting implementation methods

There are several ways to implement geotargeting, the most common of which include:

  • Use of a .HTACCESS configuration file on the webserver of the site in question to restrict access to the content by certain IP addresses.
  • Use of Javascript in the website source code specifying that access from certain countries should be restricted. (In this case, the geoblocking takes place on the client side in the web browser; this type of blocking can be implemented using a suitable plug-in when the site is constructed without requiring any specific technical knowledge)

Most often these tools are used for legitimate purposes, including security (e.g., blocking traffic from suspected automated bots), search-engine optimization (e.g., customization of site content by location), or compliance (e.g., where content may be illegal in certain jurisdictions). However, as discussed previously, use of these techniques has become increasingly popular with fraudsters who use them to avoid detection and thereby increase the uptime for their infringing content.

Enforcement implications

Enforcement action against geotargeted content can be difficult because the internet service providers (ISPs) through which the takedowns are made may not be able to see the offending content. A successful takedown is generally reliant on the brand owner being able to provide the ISP with information relating to the IP address(es) or geographic regions from which the infringing content is accessible and the screenshot of the said content.

At times, it may not be possible for users who first accessed the infringing content to provide the required information—such as the IP address(es) mentioned above or the screenshot of the infringing site. This is not uncommon, and there are investigation tools that can be used to support evidence preservation for takedown, as described below.

Investigation of geotargeted content: A case study of an infringing website

Investigating a site using geotargeted content requires the investigator to bypass the geoblocking, which is generally most easily achieved using tools to mask their location (i.e., their IP address or the location from where their web queries are originating). This can be done by using a virtual private network (VPN), a proxy server, or SmartDNS (domain name system).

However, if it’s possible to establish that the geoblocking or content redirection has been implemented using Javascript—which can be confirmed using any of a range of free, third-party tools—the geoblocking can usually at least partially be circumvented by disabling Javascript in the browser.

To illustrate, the following example shows a geotargeted counterfeit site identified by CSC as infringing against a luxury goods brand. The website—“[brand]-store.org”—appears to be tailored to the Japanese market, and the Google® abstract for the site shows what appears to be the intended content, with Japanese text translated as “Fall / Winter New Down Women’s / Men’s Cheap Mail Order” (Figure 1).

Figure 1: Google abstract for the geotargeted counterfeit site.

On the other hand, when the site is viewed from the U.K., the user is instead redirected to a restricted access page on a third-party domain (Figure 2).

Figure 2: Redirection destination page for the geotargeted counterfeit site when viewed from the U.K.

However, if Javascript is disabled in the browser, the redirection no longer takes effect. In this case, the blocking of Javascript meant that the website content didn’t display properly; however, by viewing the webpage source code, we were able to verify the presence of the counterfeit site content. An extract is shown in Figure 3, where the Japanese page title translates as ‘[Brand] Outlet Store Official Site—2021 New Fall / Winter Down Women’s / Men’s Cheap Online Store—[Brand] Outlet Store Official Site’.

Figure 3: Extract of the HTML source code of the geotargeted counterfeit site.

Completing the investigation, the content of the site can be viewed by modifying the HTML to remove the Javascript command causing the redirect and opening the resulting document in a browser (Figure 4).

Figure 4: Content of the geotargeted counterfeit site shown by rendering the edited HTML source code directly in a browser.
NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By David Barnett, Brand Protection Strategist at Stobbs

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com