Co-authored by David Barnett and Lan Huang.
Geotargeting is a well-established online technique for delivering tailored web content based on a user’s geographic location. From an internet technology point of view, this is usually based on the user’s IP address, which is converted to a physical location through a standard look-up process performed by network infrastructure.
Geotargeting is commonly used by websites for several legitimate reasons, including providing users with relevant advertising and other content, or restricting the distribution of content to particular countries or regions in compliance with IP rights restrictions. However, geotargeting (or geoblocking) is increasingly being used by bad actors for their infringing websites. The sites may be configured so that the infringing content (e.g., counterfeit goods sales) is only accessible in certain countries, at certain times, or on certain days, or so that it varies depending on the web browser used.
Outside of those locations, sites may resolve to unrelated content, like gambling-related or adult material, or websites for third-party companies. In some cases, affiliate links on these pages can be sources of additional revenue for their owners beyond their core purpose, i.e., the distribution of the infringing content. Generally, the main purpose of the geotargeting technique is to evade detection by the real brand owner or their brand protection service provider, or to frustrate enforcement efforts.
There are several ways to implement geotargeting, the most common of which include:
Most often these tools are used for legitimate purposes, including security (e.g., blocking traffic from suspected automated bots), search-engine optimization (e.g., customization of site content by location), or compliance (e.g., where content may be illegal in certain jurisdictions). However, as discussed previously, use of these techniques has become increasingly popular with fraudsters who use them to avoid detection and thereby increase the uptime for their infringing content.
Enforcement action against geotargeted content can be difficult because the internet service providers (ISPs) through which the takedowns are made may not be able to see the offending content. A successful takedown generally relies on the brand owner being able to provide the ISP with the IP address(es) or geographic regions from which the infringing content is accessible, together with a screenshot of that content.
At times, it may not be possible for users who first accessed the infringing content to provide the required information—such as the IP address(es) mentioned above or the screenshot of the infringing site. This is not uncommon, and there are investigation tools that can be used to support evidence preservation for takedown, as described below.
Investigating a site using geotargeted content requires the investigator to bypass the geoblocking, which is generally most easily achieved using tools to mask their location (i.e., their IP address or the location from where their web queries are originating). This can be done by using a virtual private network (VPN), a proxy server, or SmartDNS (domain name system).
However, if it’s possible to establish that the geoblocking or content redirection has been implemented using JavaScript (which can be confirmed using any of a range of free, third-party tools), the geoblocking can usually be circumvented, at least partially, by disabling JavaScript in the browser.
To illustrate, the following example shows a geotargeted counterfeit site identified by CSC as infringing against a luxury goods brand. The website—“[brand]-store.org”—appears to be tailored to the Japanese market, and the Google® abstract for the site shows what appears to be the intended content, with Japanese text translated as “Fall / Winter New Down Women’s / Men’s Cheap Mail Order” (Figure 1).
On the other hand, when the site is viewed from the U.K., the user is instead redirected to a restricted access page on a third-party domain (Figure 2).
However, if JavaScript is disabled in the browser, the redirection no longer takes effect. In this case, blocking JavaScript meant that the website content didn’t display properly; however, by viewing the webpage source code, we were able to verify the presence of the counterfeit site content. An extract is shown in Figure 3, where the Japanese page title translates as ‘[Brand] Outlet Store Official Site—2021 New Fall / Winter Down Women’s / Men’s Cheap Online Store—[Brand] Outlet Store Official Site’.
To complete the investigation, the content of the site can be viewed by modifying the HTML to remove the JavaScript command causing the redirect and opening the resulting document in a browser (Figure 4).
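The source-review step described above can be scripted for the evidence file. The following Python sketch is an added example, not CSC's tooling or code from the original article: it reads a saved copy of the page source as text, records the page title, flags meta-refresh tags and script blocks that assign to or call the browser's `location` object, and hashes the source. The sample HTML, the `blocked.example` domain, the function and class names and the redirect patterns are constructed assumptions, and the pattern list is a heuristic rather than exhaustive.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample of a saved page source (not taken from the site in the article).
SAMPLE = """<html><head><title>Example Outlet Store</title>
<meta http-equiv="refresh" content="5; url=https://blocked.example/denied">
<script>window.location.replace("https://blocked.example/denied");</script>
<script>var cart = [];</script>
</head><body><h1>New arrivals</h1></body></html>"""

# Heuristic (assumed, not exhaustive): assignments to location / location.href
# and calls to location.replace() or location.assign().
REDIRECT_RE = re.compile(
    r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I)

class RedirectScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title, self.findings, self._tag = "", [], None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        self._tag = tag if tag in ("title", "script") else None
        if tag == "meta" and (attr.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", attr.get("content") or ""))

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):
        if self._tag == "title":
            self.title += data.strip()
        elif self._tag == "script" and REDIRECT_RE.search(data):
            # Keep a whitespace-normalised excerpt for the report.
            self.findings.append(("script", " ".join(data.split())[:120]))

def analyse(source: str) -> dict:
    """Parse the source as text only; nothing in it is executed."""
    scan = RedirectScan()
    scan.feed(source)
    scan.close()
    return {"sha256": hashlib.sha256(source.encode("utf-8")).hexdigest(),
            "title": scan.title, "redirects": scan.findings}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The flagged script excerpts identify which statements to review before opening a modified copy of the page, and the SHA-256 value ties the findings to the exact source that was captured.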