Fake webshops taken off line much sooner

Faster detection and take-down procedure means less fraud

For the last year, we've been proactively tracking down fake webshops. And we're now making real progress in the fight against fraudulent retailers. New tools and strategies enable us to take fake webshops off line weeks earlier than before. Our Registration and Service specialist Chiel van Spaandonk and SIDN Labs Research Engineer Moritz Müller explain.

More than one webshop in five is untrustworthy

Out of about 90,000 webshops that focus on the Dutch market, the Dutch Consumers' Association estimates that between 25,000 and 35,000 are untrustworthy. Many of the shops offer branded goods at very low prices. However, consumers who are tempted to buy are typically fobbed off with inferior or substitute products, if they get anything at all. SIDN was getting more and more complaints about such malpractices, recalls Chiel van Spaandonk. "A lot of time and effort was going into responding to complaints. So we asked SIDN Labs to come up with a way of detecting fake webshops much sooner."

How to uncover a fake webshop

"In 2017, SIDN Labs developed a tool that automatically checks all .nl domain name registrations," explains Moritz Müller. "It looks at things such as whether a domain name was registered at the same time as a batch of others, whether it's been registered before, and whether certain keywords are used. In other words, it looks out for typical scammer behaviour. Scammers like to reregister recently cancelled domain names, for example, because they score better with search engines. As a result, fake webshops often have domain names that don't match what they're selling. So you might get designer shoes sold on a site whose domain name relates to a chess club. Another tell-tale sign is hundreds of similar names all being registered within a few minutes. It suggests that something fishy's going on." A list of suspect domain names is generated and sent to the Registration and Service Department. Van Spaandonk takes up the story. "First, we weed out the 'false positives' -- websites flagged up as suspicious, which are in fact legit. Next, we contact the registrars of the remaining domain names. They do their own checks and have the power to take down fraudulent sites. They usually do this very quickly. However, if a registrar isn't willing to help, we switch to Plan B: we check the registration data to see whether it's all in order. The data linked to a fake webshop is nearly always false. And, if the data is false, we can cancel the registration. Until recently, though, that whole procedure took thirty-five days."

Successful approach

The approach described above has proved a big success. It helped to ensure that more than five thousand fake webshops were taken down in 2018. Van Spaandonk isn't satisfied yet, however. "As long as domain names are being registered for fake webshops, we still have work to do. Our aim is to uncover fraudulent sites as soon as possible, so that scammers conclude that the .nl TLD isn't a lucrative or viable environment in which to operate." Müller clarifies, "In order to do that, we want to detect the sites before they go live." Over the last six months, Thijs Brands, a final year student from Delft University of Technology working at SIDN Labs, has developed software that looks at new registrations and aims to predict whether a domain name is going to be used for a fake webshop. It does that by analysing the registration data before there's a website or content available.

Machine learning

It's an innovative approach, Müller continues. "We're using machine learning technology," he explains. "First, we developed a prediction model, then we trained it to spot suspicious registrations. The program learns from the outcome of each prediction it makes -- whether it turns out to be correct or not. At the moment, the program gets 85 per cent of predictions right. Of course, fraudsters don't keep doing exactly the same thing indefinitely. From time to time, they change their registrant profiles and infrastructure preferences. So the model is continually retrained using the latest data." The same philosophy -- analysing registration data rather than relying exclusively on site content for issue detection -- could ultimately be used to identify other forms of internet abuse, such as phishing and malware propagation. We already have a number of projects in progress based on that principle.

Faster procedure

The new detection method isn't the only strategy we're using to accelerate the fight against fake webshops, says Van Spaandonk. "A special procedure has been adopted as well. Where we suspect that a domain name is being abused for a fake webshop, we can delink the name servers if the registrant's identity isn't confirmed within five days. Previously, it took thirty-five days to reach the point where we could intervene. Delinking has the effect of making the domain name and its website unreachable. Early detection coupled with rapid response will mean that a fake webshop can be taken down within a week of its domain name being registered. That should save consumers a lot of grief."


Chiel van Spaandonk

Chiel van Spaandonk

Specialist Registration & Services

+31 26 352 55 00


  • Monday 6 May 2019

    About SIDN

    ALLAI makes responsible artificial intelligence the norm


    Business community, policy-makers

    Read more
  • Wednesday 22 January 2020

    SIDN Labs

    SIDN Labs' experimental DoH server


    New system helps us keep abreast of how the DoH standard is developing. Give it a try!

    Read more
  • Thursday 5 September 2019


    Evaluation of validating resolvers on Linux: Unbound and Knot Resolver recommended


    "Systemd-resolved and Dnsmasq have serious bugs"

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.