ALERT: Please treat “Wibe Networks” with extreme caution

Wibe Networks have been caught supplying "7 Days Media", "Golden Bird Network" and "Zamma Media" as credit references – all of those domains have been featured on this blog in recent days.

wibenetworks.com
ICANN Registrar: BIZCN
Created 23 August 2010

IP: 72.9.236.188 - Global Net

Registrant: Domain Admin, info@wibenetworks.com

Shares IP with coastia.com and hubbon.com

*****

coastia.com
ICANN Registrar: BIZCN
Created 19 July 2010

Registrant: Coastia, Dorothy Oldson, domains@coastia.com

*****

hubbon.com
ICANN Registrar: BIZCN
Created 15 July 2010

Registrant: Hubbon, David Lambert, it@hubbon.com

Posted by sandi with no comments
Filed under:

ALERT: Please treat content from facilitatedigital.net and trueffects.net with extreme caution


Malvertizing featuring “Gilt Man” has been seen coming from facilitatedigital.net – note that facilitatedigital.net was mentioned in my earlier blog post.

facilitatedigital.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

IP: 72.9.236.172 - Global Net Access Llc

Shares IP with trueffects.net

Registrant: Harold A Mcconville (haroldamcconville@gmail.com)

*****

trueffects.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

Registrant: Edward L Hill (edwardlhill@gmail.com)

Posted by sandi with no comments

ALERT: Starcom Mediavest Group are being impersonated

The real Mediavest domain is mediavestww.com (note the ww).  The impersonators are using mediavestw.com (note, just one w)

mediavestw.com
ICANN Registrar: Melbourne IT, Ltd D/B/A Internet Names Worldwide
Created 6 August 2010

IP: 69.195.140.33 - Yahoo! Inc

Registrant: hidden behind myprivateregistration.com

Posted by sandi with no comments

Tepuro Advertising leads us to some more bad names – please treat all domains with extreme caution

Thanks to industrypace.com for the info (the only thing I would point out is that the use of a Chinese registrar doesn’t make the bad guys themselves Chinese…). There is a link to a YouTube video in the industrypace.com article which lets you listen to the voicemail that potential victims are directed to when they try to contact the various credit references.

Zamma Media (zammamedia.com)
ICANN Registrar: BIZCN.COM, INC
Created 26 July 2010

IP: 72.9.236.181 - Global Net Access Llc

Registrant: Zammamedia Contractors, Paula Contractors (it@zammamedia.com)

*****

Gold Bird Network (goldbirdnetwork.com)
ICANN Registrar: BIZCN.COM, INC
Created 28 July 2010

IP: 72.9.236.168 - Global Net Access Llc

Registrant: Goldbirdnetwork.com (dns@goldbirdnetwork.com)

*****

7 Days Media (7daysmedia.com)
ICANN Registrar: BIZCN.COM, INC
Created 26 July 2010

IP: 72.9.236.178 - Global Net Access Llc

Registrant: Registrar Services, Norman Money (registar@7daysmedia.com)

*****

Some extra names that are in the same IP range and worth treating with caution are:

ad-kemation.com
ICANN Registrar: TODAYNIC.COM, Inc
Created 13 July 2010

IP: 72.9.236.163

Registrant: Frank K Robichaud (frankkrobichaud@gmail.com) (I'm sure I've seen that pseudonym before...)

*****

interceptinteractive.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

IP: 72.9.236.174

Registrant: Harold A Mcconville (haroldamcconville@gmail.com) (also used to register facilitatedigital.net and netmining.org)

*****

netmining.org
ICANN Registrar: TODAYNIC.COM
Created 29 July 2010

IP: 72.9.236.174

Registrant: Harold A Mcconville

*****

facilitatedigital.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

IP: 72.9.236.172 - Global Net Access Llc

Shares IP with trueffects.net

Registrant: Harold A Mcconville

Posted by sandi with no comments

ALERT: phg-media.com has nothing to do with Zedo

phg-media.com were caught laying the groundwork for an attempt to impersonate Zedo (see the screenshot below captured before the site disappeared).  Please be aware that phg-media.com have nothing to do with Zedo.

Safe Browsing Report – 63 scripting exploits and one trojan:
http://www.google.com/safebrowsing/diagnostic?site=phg-media.com 

phg-media.com
ICANN Registrar: EVOPLUS LTD
Created 21 June 2010

IP: 206.217.208.36

Registrant hidden behind Proxy Private Registration

Other domains in the same IP range that should be treated with caution are t10-media.com, s5-media.com, rst-media.com, phg-media.com, ads-fc.com, wta-media.com, fcs-media.com

[Screenshot not preserved]

Posted by sandi with no comments

ALERT: Please treat content from Tepuro Advertising with extreme caution

The source of the “Curves” Creative pictured is Tepuro Advertising.  Their domain, tepuro.com has only been registered since 26 July 2010, and was registered via BIZCN.COM.

tepuro.com
ICANN Registrar: BIZCN.COM
Created 26 July 2010

IP: 63.247.93.29 - Global Net Access Llc

Registrant: Tepuro Registrar, Domain Admin, domains@tepuro.com

Posted by sandi with no comments

ALERT: Watch out for Bellas Interactive….

Bellas Interactive have been highlighted as attempting to sell malvertizing to Casala Media in two of the most well written articles I have seen about malvertizing in a long time.

Suspected Malvertiser Posting As Legitimate Ad Agency

Anatomy Of An Attempted Malware Scam

bellasinteractive.com has not appeared on this blog before, but all of the other domains mentioned in the article and comments, as well as the “trade references” have been mentioned here.

bellasinteractive.com
ICANN Registrar: TODAYNIC.COM, INC
Created 6 April 2010

IP: 89.248.162.179 - Ecatel Ltd

Registrant: Jonathan J Kerr (jonathanjkerr@gmail.com)

Shares IP with implantschool.com

*****

implantschool.com
ICANN Registrar: TODAYNIC.COM, INC
Created 29 May 208

Registrant: J.W. Vaartjes (vaartjes@tandarts.nl)

*****

Domains seen in the comments:

ad-amazing.com
ICANN Registrar: BIZCN.COM, INC
Created 3 June 2010

IP: 93.174.92.188

Registrant: Sparkle Coleman (dns@ad-amazing.com)

Reverse DNS for 93.174.92.188 = mail.ptsupport.info

*****

innovyxinc.com
ICANN Registrar: TODAYNIC.COM, INC
Created 13 July 2010

IP: 94.102.55.100 - Ecatel Ltd

Registrant: Mary J Ferree (maryjferree@gmail.com)

*****

Domains of the "Trade References" supplied for bellasinteractive.com:

flamingonetwork.com
ICANN Registrar: BIZCN.COM
Created 12 July 2010

IP: 94.102.55.105 - Ecatel Ltd

Registrant: Registar Services, Harold Pinner (registar@flamingonetwork.com)

*****

mindadsint.com
ICANN Registrar: BIZCN.COM
Created 11 July 2010

IP: 94.102.55.107

Registrant: Registar Services, Sarah Avallone (registar@mindadsint.com)

*****

4revenuegroup.com
ICANN Registrar: BIZCN.COM, INC
Created 11 July 2010

IP: 94.102.55.102

Registrant: 4revenuegroup Contractors, Gerardo Young (it@4revenuegroup.com)

*****

To repeat my earlier advice, please treat domains in the 93.174.92.* and 94.102.55.* IP ranges with extreme caution (especially if they are used to sell advertising). We should now include domains in the 89.248.162.* range as well. Domains in that IP range include the following:

Dealcomltd.com, Idealogisticservices.com, Todaylogisticservices.com, Eu-realestate.com, Kunglconsulting.eu, Clubpenguincoincodes.com, Clubpenguintoolbar.com, Dreggle.com, Iatw.info, Icpwiki.com, Pengcred.com, Alexasn.com, Beline.me, Candykitties.com, Candyloli.com, Clit9.com, Flawless18.com, Yng.me, Travel-key.de, Findperfectdate.com, Findlatinlove.com, Stffrs.com, Usamail4warding.com, 1001freedownloads.eu, 112lesidee.nl, Alex-domein.nl, Badgasten.net, Blackwolfart.eu, Blueprinz.nl, Bluesox.nl, Bottesteyn.nl, Browserupdate.nl, Browserupgrade.nl, Bshosting.eu, Bshosting.nl, Bslroadshow.nl, Budokai-tilburg.nl, Calabro.nl, Chintzhomedesign.com, Colorflame.eu, Compufaq.nl, Comserve.eu, Comserve.nl, Dabbs.nl, Defeber.nl, Designair.nl, Dikkemannen.nl, Disney-world.nl, Download-kazaa.nl, Downloadpunt.nl, Dsrm.info, Dutchflakforce.nl, Evaly.be, Examenstunt.com, Faithfactor.nl, Fijnlijf.com, Fijnlijf.nl, Flevofonds.nl, Flevoplace.com, Frankvanalphen.nl, Fruitmood.com, Frutopedia.com, Gelukslampion.nl, Getfreemusic.nl, Getlivesets.nl, Goedkoopste-epa.nl, Gomeztrading.eu, Goud-inkoop.nl, Grotemannen.nl, Hackersforum.nl, Hosting4every1.nl, Houseofsizes.com, Ilnido.nl, Itassetmanagement.nl, Langemannen.nl, Leer-spaans.nl, Leningstunter.com, Levee.nl, Linewash.com, Luigibruins.nl, M2create.nl, Mad-com.nl, Marenko.com, Marenko.nl, Mikeo.eu, Mobilering.nl, Moendia.nl, Msnweirdmaker.nl, Museumbrouwerij.nl, Muziekschoolheeten.nl, Muziekschoolurk.nl, Ncblog.nl, Nicorp.nl, Nicorpweb.com, Nicorpweb.nl, Onlinestart.be, Pc-xs.nl, Pcflex.nl, Pinglin.nl, Plopke.nl, Porteos.com, Prevanovi.nl, Protwin.nl, Pvmultimedia.nl, Receptenstad.nl, Remember-me.nl, Renltechniek.nl, Rickvm.net, Rings4u.nl, Rings4you.nl, Ronnyvee.nl, Rsg-ivy.nl, Rsgbetafestival.nl, Rsglevant-ivy.nl, Rubenlubben.nl, Sambeekadvies.nl, Sandocms.com, Sandocms.nl, Serverdeals.nl, Shoarmastar.nl, Snetch.net, Sticky-notes.nl, Taalcursusinfo.nl, Tallpersons.nl, Torremandiaz.com, Totaalsupport.com, Twanscare4cars.nl, Vaim.nl, 
Vakantie-koopje.nl, Verkouwconsultancy.nl, Verschiet.be, Volsmaak.nl, Wanneerhebikvakantie.nl, Webcambabez.eu, Zwollyhud.nl, Ltdcc.com, Oilhost.eu, Oilhost.net, Ugg-outlets.com, Abrahamjohnsex.biz, Cg-models.net, Dreamcaster.info, Elitennsets.com, Fashion-club.net, Finelady.biz, Freennpic.com, Girls-nn.net, Ice-pie.net, Lawrencevillesexchat.info, Little-agency.info, Littlenncuties.com, Lodraw.ru, Magazine-fashion.biz, Mirroroom.info, Natashachatvideo.biz, Nn-artmodels.com, Nn-pics.info, Nn-sites.com, Nndesire.com, Nndream.com, Nnelis.com, Nnjuniormodels.com, No-nude.us, Nonude-models.com, Nonude-pictures.com, Nonude-tgp.com, Nsleep.net, Nudeb.net, Paradise-4u.info, Placenudes.cn, Placesnude.cn, Portaladultchat.biz, Preteenposing.com, Ptl-models.com, Purenudismdata.cn, Purenudismdata.com, School-models.net, Schoolgirl-princess.biz, Schow-star.biz, Sexroomabdelking.info, Supernnpic.com, Terrrosenberg.cn, Tiny-angels.info, Tiny-jewels.com, Web-nymphs.com, Webegirls.biz, Yamodamo.me, Yamodamo.ws, Yomodelsfresh.com, Your-models.net, Your-nn.com, Yourmodel.net, Yournnpic.com, Martinandwilliams.com, Erelias.nl, Bellasinteractive.com, Implantschool.com, Bestdrugsonline.net, Lintasinteractive.com, Doborow.net, Megoko.com, Miacomp.com, Rmf23.org, Vebtrener.net, Vektop.com, Teenochka.com, Fietstracks.nl, Pulsefm.nl, Aquakoktebel.com.ua, Bscmayak.com, Burnlegion.com, Comixplaza.com, Kumuki.com, Magiasna.ru, Maximpolsky.com, Megacomix.ru, Mircomixoff.com, Napaneli.com, Napaneli.com.ua, Rojo.ru, Uamodel.nl, Uamodels.nl, Vn7.ru, Xdosug.com.ua, Xdosug.nl, Xmodel.com.ua, Xmodel.me, Xmodel.mobi, Xmodels.com.ua, Mejac.com, Mesurveyteam.com, Bigeasymovies.com, Ichtrinkepisse.com, Idrinkpiss.com, 3mlive.com, Bathindacity.com, Cybercricket.net, Cyberviewmovies.com, Cyberviewtv.com, Cyberviewtv.org, Hindi-movies.tv, Hotdnsplus.com, Liquidwebhost.net, Livetvbox.tv, Moviesntv.com, Addienstverlening.nl, Adq-design.nl, Adreslabel.nl, Alicesommer.nl, Arnoudvenema.nl, 
Arriva-noordoostbrabant.nl, Assetsandinvestments.nl, Besthost.nl, Bmdb.nl, Bramvanmensvoort.nl, Byjvo.nl, Cb-ict.nl, Clairo.nl, Cormelis.nl, Country-club.nl, Danspassie.nl, Daros.nl, Debianforum.nl, Degoudenui.nl, Designingmiracles.nl, Dietshop.nl, Diniz.nl, Diptv.nl, Djjumbo.nl, Dreamelements.nl, Edwinjansen.net, Edwinyuen.nl, Fanfare-tog.nl, Flyingstevie.nl, Fraggersforfun.nl, Garagebedrijfrutten.nl, H-1.nl, Hasweb.nl, Jozef-rozenburg.nl, K-group.nl, Kareleneunice.nl, Kljsml.be, Lapergola.nl, Mariakerk-hoogvliet.nl, Mickvandewiel.nl, Mind-x.nl, Modellenbureau-modee.nl, Motortoerclubvlijmen.nl, Nachtjagd.nl, Naturesheaven.nl, Nder.org, Nogzogekniet.nl, Oranjebud.nl, Parochiebredanoord.nl, Pasal.nl, Pinspot.nl, Powerdedi.nl, Rvduivenbode.nl, Schafttijd.nl, Smashradio.nl, Snekjies.nl, Soulfriends.nl, Spacecho.nl, Spartak.nl, Sportreal.nl, Suicide-bunnies.nl, Sursumcorda-aalsmeer.nl, Techno-planet.nl, Theodeveer.nl, Trevorbell.nl, Urbangfx.nl, Vvdekwakkert-heytse.nl, Vvdweststellingwerf.nl, Willibrordus-rhoon.nl, Xbox360team.nl, Yoga-lakshmi.nl, Yotv.nl, Yvettemoshage.nl, Zombio.nl, Zon-it.nl, Zor.in, Zyex.nl

Posted by sandi with no comments

ALERT: Out of band security update to be released on August 2

Details here:
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

“This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on August 2, 2010. The bulletin addresses a security vulnerability in all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, that is currently being exploited in malware attacks.”

Please install this patch as soon as you can once it is released.

If you used the workaround to mitigate the vulnerability (that is, if your shortcuts look like the images that accompanied this post [images not preserved]), then you will need to undo that workaround before installing the security update.

Microsoft released a “fixit” to automatically apply, or remove, the workaround that broke *.LNK files – you can find the “fixit” here:
http://support.microsoft.com/kb/2286198

ALERT: Please treat content from aegadvancedmedia.com with extreme caution

Nokia Theatre L.A. Live (nokiatheatrelalive.com) is serving exploits via aegadvancedmedia.com

Historical badness at aegadvancedmedia.com (btw, homedepotcenter.com is still serving exploits – stay away from there too):
http://www.google.com/safebrowsing/diagnostic?site=aegadvancedmedia.com

Malicious content (note the 1x1 iframe):

[Screenshot not preserved]

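The 1x1 iframe the caption refers to is the tell-tale of an injected drive-by frame: the visitor's browser fetches the injected content while nothing visible changes on the page. As an added example (my own code, not from this blog or from any of the sites it discusses), here is a small Python scanner that parses a page and reports iframes that are declared 1x1 or smaller, hidden by inline style, or pushed off-screen. The sample page and the 203.0.113.x addresses in it are constructed for the example; the classifier is a heuristic, and a frame it reports still needs a human (or a sandbox such as the Wepawet analysis linked below) to confirm what it loads.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional


def _px(value: Optional[str]) -> Optional[int]:
    """Parse the leading integer of a width/height attribute ('1', '1px', ' 300 ')."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collect the src of every <iframe> that is declared 1x1 (or smaller), is
    hidden with display:none / visibility:hidden, or is parked off-screen with
    a large negative offset.  These are the usual shapes of an injected frame;
    a legitimate ad frame is normally a visible 300x250, 728x90 and so on."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Valueless attributes arrive as None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        offscreen = re.search(r"(?:left|top):-\d{3,}px", style) is not None
        if tiny or hidden or offscreen:
            self.hits.append(a.get("src", ""))


def find_hidden_iframes(html: str) -> List[str]:
    """Return the src attributes of suspicious iframes, in document order."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page: one ordinary ad frame plus three injected ones.
# The 203.0.113.0/24 addresses are the documentation range, not real hosts.
SAMPLE_PAGE = """
<html><body>
<h1>Event tickets</h1>
<iframe src="http://ads.example/creative.html" width="300" height="250"></iframe>
<iframe src="http://203.0.113.5/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://203.0.113.5/s.html" style="display: none"></iframe>
<iframe src="http://203.0.113.9/x.html" width="100" height="100"
        style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_PAGE):
        print("suspicious iframe:", src)
```

Run it against the saved HTML of a page you suspect (wget the page rather than opening it in a browser) and feed the reported src values to a reputation lookup such as the Safe Browsing diagnostic pages used throughout these posts.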
Analysis of content from the IP address 85.234.190.13:
http://wepawet.cs.ucsb.edu/view.php?hash=63e7a8a467205c6c2d6c078de506b30c&t=1280392935&type=js

Historical badness at 85.234.190.13:
http://www.google.com/safebrowsing/diagnostic?site=85.234.190.13

Other bad stuff in the IP range:
http://www.malwaredomainlist.com/mdl.php?search=85.234.190&colsearch=All&quantity=50

85.234.190.13 is in Latvia - Latvia Riga Docsis Ip Pool For Cable Customers

Other bad stuff is seen coming from 194.8.250.227 (Paraguay Donstroy Ltd) – historical badness there too:
http://www.google.com/safebrowsing/diagnostic?site=194.8.250.227

Interestingly, an analysis of the content loaded from 194.8.250.227 points to fake AV:
http://www.virustotal.com/analisis/b0becacf524a1d04943007da7284bc419245bf26a411a1667df06e647eabadc6-1280394361

Not surprising considering the IP range history:
http://www.malwaredomainlist.com/mdl.php?search=194.8.250&colsearch=All&quantity=50

There is also an attempt to infect systems using a vulnerability in Adobe Reader and Acrobat 8.0 through 9.2 (a use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2, on Windows and Mac OS X, which allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009).

ALERT: Please treat content from Ad-Amazing.com and associated domains with extreme caution

We already know about the comment posted to my blog about adamazing.com – now we can add ad-amazing.com (notice the added hyphen) to the list.

ad-amazing.com have been caught distributing tags that spoof legitimate companies in a way similar to that described in this article about subdomains.

The ad-amazing.com representative supplied the following references to various parties - these pseudonyms should also be treated with extreme caution.

Kerb Consulting (shares IP range with ad-amazing.com, newtonad.com and kolosolutions.com)
1061 Mill Park Dr. Bldg 2, Lancaster, OH 43130 Ray Kerbson
Ray@kerbconsult.com
(740) 205-6909

Newton Advertising LLC
12 Langley Road, office #3, Newton, MA 02459 James Franco
franco@newtonad.com
(617)340-2126

KOLO Solutions
5267 Commerce Rd, Flint, MI 48507
Mark Hamilton
Hamilton@kolosolutions.com
(810) 250-7321

Mind Ads International (mindadsint.com) (shares IP range with flamingonetwork.com and red-ads.com)

Flamingo Network (flamingonetwork.com)

Red-Ads.com (snap quiz: what’s wrong with this paragraph, copied from the red-ads.com website?)

*****

ad-amazing.com
ICANN Registrar: BIZCN.COM (people, seriously, avoid any domain name registered via BIZCN.COM like the plague, please???)

Created 3 June 2010

IP: 93.174.92.188 - Amsterdam, As29073 Ecatel Ltd

Registrant:  Sparkle Coleman (dns@ad-amazing.com)

Reverse DNS for 93.174.92.188 = mail.ptsupport.info

*****

ptsupport.info - currently inactive but previously at IP 93.174.92.187 - shared IP with kerbconsult.com (which, of course, was put forward as a "referee" for ad-amazing.com) and vipps-nabp.net

Previously registered to "aldo santini" (boldospaz@yahoo.com)

*****

kerbconsult.com
ICANN Registrar: BIZCN.COM

Created 26 May 2010

IP: 93.174.92.187 - Amsterdam, As29073 Ecatel Ltd

Registrant: IT Admin (it@kerbconsult.com)

*****

newtonad.com
ICANN Registrar: BIZCN.COM

Created 3 June 2010

IP: 93.174.92.198 - Amsterdam, As29073 Ecatel Ltd

Registrant: Claire Ferrell (newtonad@registar.com)

*****

kolosolutions.com
ICANN Registrar: BIZCN.COM

Created 3 June 2010

IP: 93.174.92.197

Registrant: IT Admin (it@kolosolutions.com)

*****

red-ads.com
ICANN Registrar: BIZCN.COM
Created 12 July 2010

IP: 94.102.55.110 - Amsterdam, Ecatel Ltd

Registrant: Red Ads Contractors, Charles Mclaughlin (domains@red-ads.com)

*****

flamingonetwork.com
ICANN Registrar: BIZCN.COM
Created 12 July 2010

IP: 94.102.55.105 - Amsterdam, Ecatel Ltd

Registrant: Registar Services, Harold Pinner (registar@flamingonetwork.com)

*****

mindadsint.com
ICANN Registrar: BIZCN.COM
Created 11 July 2010

IP: 94.102.55.107

Registrant: Registar Services, Sarah Avallone (registar@mindadsint.com)

*****

Domains in the IP range 93.174.92.* that should be treated with extreme caution (especially if selling advertising) include the following:

Blueglad.com, Greenhad.com, Hadsplash.com, Lackstack.com, Ladwhite.com, Mashslack.com, Thehyipzone.com, Highyieldpros.com, Danafund.com, Web-wizard-solution.com, Opprutinv.com, Drunkbots.com, Hacklabonline.com, Indeshawadenaw.com, Indeshawadenaw.net, Onlineaddons.com, Outsistem.net, Rapiddownloads.eu, Steamcomnnity.com, Steamstuff.info, Nettoolz.info, Edskahn.com, Hourluck.com, Deliver2.net, Runelive.org, Vkasse.com, Fap247.com, Fckn.tv, Coraladnetwork.com, Welconetwork.com, Vipps-nabp.net, Kerbconsult.com, Ad-amazing.com, Hyipjurists.com, Imperialex.com, Kolosolutions.com, Newtonad.com, Livebroad.com, Maskbrown.com, Labteh-td.com, Labteh-td.ru, Scriptmafia.org, Ulgsm.net, Vpnshield.net, Nlkoddos.com, Legion-x.com, Hababam.biz, Download--limewire.com, New-limewire-2010.com, Jaamerp.com, Hyip-status.net, Hyipcourt.com, Y-action.com, Yahooaction.com, Yahooaction.net, Yahooaction.org, Bahtimos.com, Hababam.org, Letsvisittrabzon.com, Gratt.net, Abpp.biz, Actpopcorn.com, Adle.info, Aint.biz, Cozzle.com, Fbpnet.com, Forexbotpro.com, Freehondakybs.com, Generationxinvestment.com, Genxclub.com, Hyipalert.com, Hyiptrainwreck.com, Iwwleads.com, Make200bucks.com, Make30bucks.com, Someguyslife.com, Stainlesstoaster.info, Unitedforexfund.com, Woodrefinishing.us, Worldroi.com, Stevehell.com, Childrenofchile.org, Media-beau.com, Intercomm2.com, Intercommweb.com, Intercomp2.com, Lciinternational.com, Mysteryshopnet.com, Veritybuilding.com, Veritybuildingco.com, Bstbuilding.com, Bstbuildingco.com, Netxs.sc, Silverblue.cc, W00h00.nl, Woohoo.nl, Cumhitz.com.

Domains in the IP range 94.102.55.* that should be treated with extreme caution (especially if selling advertising) include the following:

Innovyxinc.com, 4revenuegroup.com, Lacekgroup.com, Flamingonetwork.com, Mindadsint.com, Sunnnysidemedia.com, Red-ads.com, Calinet.info, Casey-computing.com, Casey-consulting.com, Adrenalinepoker.com, Adrenalinepoker.net, Teamvisionz.com, Gamekeys.us, Pleasehack.me, Embedsports.com, Ichuj.be, Bassline-nation.info, Ultimate-shoutcasts.com, Iafst.ir, Mobilestanshop.net, Optical-digital-camera.info, Alasebook.com, Thehappywalrus.org, Nacoobags.com, Cheapgoogleshop.com, Cheapgooglestore.com, Nfljerseysky.com, Packyours01.com, Porn99.info, Transientattack.com, Proebook.net, Icctv.info, Hqsports.info, Cn-puma.com, Discount-puma.com, Picksheepskinboot.com, Sunglasseshats.com, Usapuma.com, A-puma.com, Productsfrominternet.com, Sell-replicawatch.com, Jerseyinus.com, Tigersupermall.com, Serverorigin.nl, Feelshock.com, Dexingzy.com, Chinahandbagssupplier.com, Cn-jersey.com, Webcheapshop.com, Edhardyretail.com, Replicachinese.com, Edhardyshipping.com, Discountrosetta-stone.com, Rosetstones.com, Edhardystock.com, Edhardysuppliers.com, Gemreplica.com, Gemswiss.com, Embedtv.in, Wsm.co.in, Youngnnmodels.biz, Mobilereplicas.com, Tec-cart.com, Watchandbag.com, Sale-ugg.co.uk, Madden-leagues.com, Pllug.com, Ftaboys.com, Softtorrents.net, 7buae.info, Alkhaja-style.com

Posted by sandi with no comments

ALERT: Please treat content from adamazing.com with extreme caution

Brought to light via a comment on this blog.

adamazing.com
ICANN Registrar: Nameking.com
Created 19 April 2010

Current IP: 208.73.210.28

Registrant: "Oversee Research and Development, LLC" (admin@overseedomainmanagement.com)

Domain is currently "parked", but previously was hosted at IP 69.64.155.14 (Enom Incorporated).

A cached copy of adamazing.com contains code that eventually leads us to this URL - proceed with caution:

dsnextgen.com/?domainname=adamazing.com&a_id=101687

Posted by sandi with no comments

Malvertizing at Tweetmeme (again)

You may recall that Wayne Small of SBSFAQ contacted me to warn that there was malvertizing at tweetmeme back in December 2009 – well, tweetmeme have a problem again.

This time I see no openx.  Instead, we bounce from ads.tweetmeme.com to y5-media.com, to 173.244.173.133 to www3. luckfind42td.in to www2. guardhere5.in (thanks to Kimberley for the heads up)

y5-media.com
ICANN Registrar: EVOPLUS LTD
Created 7 June 2010

IP: 178.162.133.226 - Netdirekt E.K

Registrant hidden behind evoprivacy.com

*****

173.244.173.133 - Enet Inc (85.ad.f4.static.xlhost.com)

*****

luckfind42td.in
ICANN Registrar: DIRECTI
Created 13 July 2010

Registrant: Kooken Garritt (gkook@checkjemail.nl) -- That email address is associated with 2,939 domains!

*****

guardhere5.in
ICANN Registrar: DIRECTI
Created 14 July 2010

Registrant: Kooken Garritt (gkook@checkjemail.nl)

*****

Also seen:

wareforyou10.in
ICANN Registrar: DIRECTI
Created 14 July 2010

Registrant: Kooken Garritt (gook@checkjemail.nl)

*****

206.217.206.111 - Providence Hosting Services - noptr.midphase.com

178.162.133.218 - Netdirekt E.k

Posted by sandi with 2 comment(s)

Innovative Marketing - slowly the old domains fall away

I still keep an eye on known Innovative Marketing pseudonyms; information continues to trickle in about domains that they have registered in the past.

Old bad domains have been expiring, and sometimes the protection of services such as Moniker Privacy Services falls away.

For example, on 24 May 2010 the domains tolerli.com and vollende.com lost the protection of Moniker Privacy Services, exposing their Registrant as "Helen Nikolson", helen.nikolson@gmail.com.  A few days before that the registrant details for ausgebl.com were also exposed.

That being said, sometimes it goes the other way. codeconline.com, for example, used to be registered to "noo" (aka the infamous Serg Moons). That domain's registrant details are now hidden behind whoisservices.cn and its current domain details are as follows:

codeconline.com
ICANN Registrar: BIZCN.COM, INC (previously tucows and enom)
Created: 8 June 2010

IP: 194.8.251.162 - Paraguay - Donstroy.Ltd

Sharing IP with codecmicrosoft.com, maremot.com, missing-codecs.com, missing-codecs.net, missing-codecs.org, moviemoto.org, video-files.org, vidscentral.net - I think that we can assume that all of those domains should be treated with extreme caution.

codecmicrosoft.com is registered to a "Sean", domains@theraged.org
maremot.com is registered to a "Cliffad", domains@theraged.org
missing-codecs.com is registered to a "David Roberts", hansaprom@live.co.uk
missing-codecs.net is registered to a "David Roberts", hansaprom@live.co.uk
missing-codecs.org is registered to a "David Roberts", hansaprom@live.co.uk
moviemoto.org is registered to "Sean Cruz", domains@theraged.org
video-files.org is registered to a "Ben Born", "born.ben28@yahoo.com"
vidscentral.net is hidden behind privacypost.com

Posted by sandi with 1 comment(s)

A quick update regarding James Reno

In what I can only describe as a display of optimism, Reno has hired an attorney and entered a plea of "not guilty" to all counts of the indictment filed by the Special March 2010 Grand Jury which charged him, Bjorn Daniel Sundin and Shaileshkumar P Jain (aka Sam Jain) with one count of computer fraud and conspiracy to commit computer fraud.  Bond has been set in the amount of $10,000.

Details of the indictment are here:
http://msmvps.com/blogs/spywaresucks/archive/2010/05/31/1770693.aspx

The conditions of Reno's release, and his financial affidavit, have been sealed.

Oh, and while we’re on the topic of Reno’s woes, I’ll take the chance to let everybody know that a Consent Motion to stay proceedings for 60 days to allow the FTC to pursue settlement with Mark D'Souza and Maurice D'Souza was filed in the FTC versus Innovative Marketing action on 27 May 2010 and granted the same day.

Sam Jain's girlfriend, Kristy Ross, is not a party to the motion, but also does not object.

A settlement with Mark and Maurice D'Souza has been reached, in principle, but because the settlement requires the D'Souzas to get their hands on funds that "are not immediately available" (how much, I don't know), the D'Souzas and the FTC agreed to the 60-day stay.

Hopefully we'll know more by the end of this month...

Posted by sandi with no comments

Interpol photograph of Shaileshkumar Jain (aka Sam Jain)

Seen here:
http://www.interpol.int/public/Data/Wanted/Notices/Data/2009/45/2009_13445.asp

I’m not sure that I see a similarity to the Wikipedia picture:

Thanks to Sophos for the link to the Interpol entry.

Posted by sandi with 5 comment(s)

Some quick notes re Jain and the charges of money laundering

The indictment filed against Sam Jain gives an indication of the sort of money Jain was making from his fake Symantec software.

The indictment lists the following international money transfers:

  • approximately US$150,000 transferred on 15 March 2005 from a New York account into a Swiss account
  • approximately US$561,000 transferred on 11 May 2005 from a New York account into a Swiss account
  • approximately US$3,000,000 transferred on 23 May 2005 from a New York account into a Swiss account
  • approximately US$50,000 transferred on 5 December 2005 from a New York account to a Swiss account

Total = US$3,761,000

Internal (within the USA) transfers included:

  • US$5,658,761.15 transferred from an investment account to a New York account; and
  • US$1,000,000 transferred from the New York account to another account.

Posted by sandi with no comments

U.S. v Bjorn Daniel Sundin, Shaileshkumar P Jain (aka Sam Jain) and James Reno

I am pleased to report that on 26 May 2010, in the United States District Court (Northern District of Illinois, Eastern Division) documents were filed by the Special March 2010 Grand Jury which charged Bjorn Daniel Sundin, Shaileshkumar P Jain (aka Sam Jain) and James Reno with one count of computer fraud and conspiracy to commit computer fraud.

In addition, Sundin and Jain have been charged with 24 counts of wire fraud.  Reno was charged with 12 counts of wire fraud.

According to Dan Goodin at The Register, each count of wire fraud carries a maximum sentence of 20 years in prison and a $250,000 fine, and the prosecutors are also seeking the forfeiture of $100 million held in a bank account in the Ukraine.

Also if, because of any act or omission by the defendants, the monies:

  • cannot be located upon the exercise of due diligence
  • has been transferred or sold to, or deposited with, a third party
  • has been placed beyond the jurisdiction of the court
  • has been substantially diminished in value or has been commingled with other property which cannot be divided without difficulty,

it is asked that the US be entitled to forfeiture of substitute property.

According to documents filed in the case so far, (Case 1:10-cr-00452-1) the Government will seek to have the defendants detained without bond pursuant to Title 18, United States Code, section 3142 (with a preliminary bail of $10,000 secured as to James Reno).

And that is not the last of Jain’s worries – Robert McMillan reports that the Department of Justice also filed international money laundering charges against Jain in the Federal Court in New York (Case 1:10-cr-00442-NRB-1)

Finally, here is an email that Reno sent to Bob McMillan back in September 2009. While you are reading his email, and especially his claims that he didn’t know about a lot of what Innovative were up to, don’t forget that Reno was also dragged into the Symantec lawsuit. Back then, Jain was found to have committed trademark infringement, copyright infringement, false designation of origin, and unfair competition, and Reno, his company Bytehosting and Symantec came to a “confidential settlement”.

Also, let’s not forget the “thousands of pages” of chat transcript as supplied by James Reno to the FTC which included the following gems:

James: http: // 63.210.246.34/users/jreno/ksx12f2f-MalwareWarrior.png
James: :)
James: Right click -> exit on taskbar
James: brings up the window that wont disappear ;)
James: and i love the FALSE alerts, its lovely
James: thats on a VMWAre workstation running inside our LAN, behind a firewall, with nothing but other unix boxes ;) .. garunteed {sic} no worms spreading to that box.
James: interesting software ;)

And elsewhere:

James: the only entries in my passport
James: "ukraine"
James: :) about once a year
James: heh
James: maybe i need to go to some other nations, just to get their stamps
James: lol

Conversation attributed to the fugitive Sam Jain:

Sam: well thats why we have the slush fund
Sam: of extra $ from globaldat
Sam: just figure ot how much :)
Sam: no worries

And later, the two of them being sneaky:

Sam: ya, i just put b.s. names
Sam: and address on the customs form
Sam: no 1 looks
James: im not worried about entry to ukraine
James: just re-entry to the us
James: dont feel like being hassled by customs again
James: stupid govt :(
James: us is so screwed anymore
James: if you miss me, its good actully :)
James: cuz then they cant say, i came to "meet with you"
James: even if they found out you were there
James: heh
James: but id love to meet sometime, just sucks
Sam: ya, if u get stopped coming back and after basic questions
Sam: u'd have to sayi {sic} want my lawyer
Sam: heh
James: i dont know if your using 'your' passport or not {Sandi comment: if not ‘his’ passport, then whose? Note Reno’s emphasis on ‘your’}
James: but afaik, interpool {sic} is watching yours
James: but if they seen you leave
Sam: yep i use mine
Sam: freely heh
Sam: screw them
James: im just saying
James: you 100% are not there :)
Sam: its cuz of that swiss *** {Sandi comment: now that's interesting...}
James: so how was i meeting you :)
Sam: ya, so i guess from that standpoint
Sam: works out well

Posted by sandi with 1 comment(s)

ALERT: Please treat “Tuned ads” (tunedads.com), "Barkley & Davis Advertising" (barkleydavis.com), “AweMedia” (awemedia.net) and “Moksly Digital Advertising” (moksly.com) with extreme caution

Domains in this report:

tunedads.com - 95.143.193.252
rogloard.com - 95.143.193.246
roxantb.com - 188.72.192.52
moksly.com - 95.143.193.254
barkleydavis.com - 95.143.193.251
awemedia.net - 95.143.193.253
togueno.com - 95.143.193.244
smtpst.com - 95.143.193.228
nmtsm.com - 95.143.193.228

The important points to take away from this article about malvertizing and the miscreants behind malvertizing are:

  1. They plagiarize content from legitimate websites
  2. Their credit references are worthless, invariably being nothing more than the same people using a different pseudonym
  3. Do not trust the names or phone numbers supplied for things like "account managers" at legitimate banks
  4. It is extremely important to conduct research into the domains used by advertisers who approach you AND into the domains of any credit references supplied
  5. They have become very professional over time; their grasp of the English language is vastly improved, and they have a detailed understanding of how the online advertising world works, and the terminology used
  6. Don't trust voicemail.

I have written previously about spoofing of legitimate domains in this article.  In short, if you receive tags whose hostname embeds a legitimate domain as a subdomain of an unrelated domain (gooddomain.com.unusualdomain.com, where unusualdomain.com is the registered domain that actually controls the name), you should treat whoever gave them to you with extreme caution.

“Tuned ads” (tunedads.com) have been caught supplying such advertising tags.  The tags they have supplied include "view.atdmt.com.rogloard.com/..." and another tag ending in "roxantb.com".  The campaign being sold was a Best Western advertisement.
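The hostname check described above can be automated before a tag is ever placed on a page.  The following is an added example (it is not code from this blog or from any of the companies mentioned): it extracts the registrable domain of a tag's hostname, flags a trusted domain that appears only as a subdomain of something else (the view.atdmt.com.rogloard.com pattern), and, going one step beyond the paragraph above, also flags a trusted brand name buried inside an unrelated registrable domain (the zedoadservices.com pattern seen later on this page).  The tiny suffix list and the `TRUSTED` set are assumptions for the demo; a real deployment would load the full Public Suffix List and its own list of approved ad servers.

```python
"""Checks on the hostname of a third-party ad tag (added example)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny set of multi-label public suffixes for the demo;
# a production check would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Ad-serving domains the receiving site already trusts (atdmt.com and zedo.com
# are named in this post; in practice this set is one you maintain yourself).
TRUSTED = {"atdmt.com", "zedo.com"}


def hostname_of(tag: str) -> str:
    """Extract the hostname from a tag URL, with or without a scheme."""
    if "//" not in tag:
        tag = "//" + tag
    host = urlsplit(tag).hostname
    if not host:
        raise ValueError(f"no hostname in tag: {tag!r}")
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Registrable domain (eTLD+1): the part that decides who controls the name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_trusted_domain(host: str, trusted: set) -> Optional[str]:
    """A trusted domain used as a *subdomain* of something else, i.e. the
    'gooddomain.com.unusualdomain.com' pattern described in the post."""
    labels = host.split(".")
    own = registered_domain(host)
    for i in range(len(labels)):
        for j in range(i + 2, len(labels) + 1):
            candidate = ".".join(labels[i:j])
            if candidate in trusted and candidate != own:
                return candidate
    return None


def lookalike_of(host: str, trusted: set) -> Optional[str]:
    """A trusted brand name embedded inside an unrelated registrable domain,
    e.g. 'zedo' inside zedoadservices.com."""
    own = registered_domain(host)
    second_level = own.split(".")[0]
    for t in trusted:
        brand = t.split(".")[0]
        if len(brand) >= 4 and brand in second_level and own != t:
            return t
    return None


def assess_tag(tag: str, trusted: set = TRUSTED) -> dict:
    """Summarise what a tag's hostname tells you before the tag goes live."""
    host = hostname_of(tag)
    own = registered_domain(host)
    embedded = embedded_trusted_domain(host, trusted)
    lookalike = lookalike_of(host, trusted)
    if embedded or lookalike:
        verdict = "suspicious"
    elif own in trusted:
        verdict = "ok"
    else:
        verdict = "unknown"  # neither trusted nor impersonating: research the domain
    return {"host": host, "registered_domain": own, "embedded_trusted": embedded,
            "lookalike_of": lookalike, "verdict": verdict}


if __name__ == "__main__":
    for t in ("view.atdmt.com.rogloard.com/cr/j/cd/?rt=1",
              "http://view.atdmt.com/x",
              "a123.g.togueno.com/cr/i/cd/",
              "http://zedoadservices.com/"):
        print(assess_tag(t))
```

An "unknown" verdict is not a pass: it means the registrable domain is neither on your approved list nor obviously impersonating one, which is exactly the case where the WHOIS and hosting research described in this post still has to be done by hand.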

This is a screenshot of the malvertizement supplied by Tuned ads.  It is identical to a legitimate Best Western advertisement, except for the cursor overlaid close to the “Check Rates Now” button.

 image

tunedads.com
ICANN Registrar: BIZCN.COM, INC.
Created 17 April 2010

IP: 95.143.193.252 - Gavleborgs Lan - Hudiksvall - Abuse-mailbox: Abuse@serverconnect.se

Registrant: Elizabeth Anderson, domains@tunedads.com

Interestingly, the content at tunedads.com/advertisers.html is a copy of text taken from gorillanation.com/advertisers (note that whoever edited tunedads.com/advertisers.html botched the edit; the page still reads “Whether we place your ads on a site-specific, vertical or mass market basis, the big Tuned Ads delivers and exceeds the reach numbers you expect”).

image

rogloard.com
ICANN Registrar: BIZCN.COM
Created 18 May 2010

IP: 95.143.193.246

Registrant: Andy Barton, dns@rogloard.com

*****

roxantb.com
ICANN Registrar: BIZCN.COM, INC
Created 14 April 2010

IP: 188.72.192.52 - Hessen, Frankfurt, Netdirekt E.K

Registrant: Andi Cooperman, info@registar.com

roxantb.com has been identified as malicious - see this URL:
http://www.malwaredomainlist.com/forums/index.php?topic=4077.msg17092#msg17092

Found the advertising server that is redirecting to the intermediary and eventually the exploit sites:
adnet.media.roxantb.com
That domain was registered last month and serves up packed/obfuscated BLOCKED SCRIPT
Code:
<snipped>
Deobfuscated:
Code:
<snipped> 2x bad URLs, reference to curves.com and driveby kit.

*****

Moksly Digital Advertising (moksly.com) have been caught supplying tunedads.com as a credit reference.  Also, the tags they supplied started with "a123.g.togueno.com/...". 

togueno.com resides in a bad part of the Internet.  Its IP is 95.143.193.244 (note how close that IP is to tunedads.com's IP).  When asked about togueno.com, Fergie of TrendMicro responded that:

"there appears to be Russkrainians hosting crimeware in that /20".

The referees supplied by Moksly Digital Advertising were “Tuned ads” (tunedads.com), “Barkley and Davis” (barkleydavis.com) and “Awemedia” (awemedia.net).

Moksly claim to be selling a campaign for StoryofMyLife.com, and Moksly’s correspondence was extremely professional.  The correspondent has an excellent grasp of the English language, and a strong understanding of online advertising.  They also claimed to have a policy of not prepaying companies with whom they had not worked before.

Staff at the web site approached by “Moksly Digital Advertising” made the following important observations:

  1. On average the response time for Trade References is 24-48 hours. All three of Moksly's trade references returned a completed reference form within 3 hours.
  2. Moksly claimed to have an account manager at Brookline Bank by the name of "Randy Pollak".  But, when Brookline Bank's customer service were contacted directly, the customer service representative advised that Brookline Bank do not have anyone by that name working for them.

“Tuned ads” and “Moksly Digital Advertising” not only share an IP range (95.143.193.252 and 95.143.193.254 respectively) but their tags show marked similarities.  I have obscured most of the tags below, but will point out that all of the tags, starting from “?rt=”, were identical except for the “&sid=” value.

Tuned ads: view.atdmt.com.rogloard.com/cr/j/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
Moksly:                   a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
                              a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
                              a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
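The similarity pointed out above (same parameter names in the same order, same fixed values, only the per-campaign identifiers changing) is a usable fingerprint for telling that two "different" sellers are using the same tag generator.  The code below is an added example, not the blog's own tooling: it masks the variable parameter values, keeps the ones that were constant on every tag shown here (`d` and `tm`, an assumption taken from the tags above), and groups sellers whose tags share a signature.  The hosts and parameter names in the sample come from this post; the obscured values are constructed, and the "Other seller" tag is a made-up decoy to show that unrelated tags do not cluster.

```python
"""Fingerprinting ad-tag URLs by their query-string layout (added example)."""
from urllib.parse import parse_qsl, urlsplit

# Parameters whose values were the same on every tag shown in the post (d=x, tm=sc).
STATIC_KEYS = frozenset({"d", "tm"})

# Constructed sample tags: hosts and parameter names are from the post; the
# obscured values (shown as ** in the post) are made up here.
SAMPLE_TAGS = {
    "Tuned ads": [
        "view.atdmt.com.rogloard.com/cr/j/cd/?rt=77&sid=1001&m=5&ts=1275000000&d=x&ctc=9&tm=sc",
    ],
    "Moksly": [
        "a123.g.togueno.com/cr/i/cd/?rt=77&sid=2002&m=5&ts=1275000000&d=x&ctc=9&tm=sc",
        "a123.g.togueno.com/cr/i/cd/?rt=77&sid=2003&m=5&ts=1275000000&d=x&ctc=9&tm=sc",
    ],
    # Constructed decoy in an unrelated tag format, to show it does not cluster.
    "Other seller": [
        "ads.example.invalid/serve?cid=42&size=300x250&cb=123",
    ],
}


def query_pairs(tag):
    """Ordered (name, value) pairs of the tag's query string."""
    if "//" not in tag:
        tag = "//" + tag
    return parse_qsl(urlsplit(tag).query, keep_blank_values=True)


def tag_signature(tag, static_keys=STATIC_KEYS):
    """Ordered parameter names, with values kept only for the static keys.
    Per-campaign identifiers are masked, so tags from one generator match
    even when they were sold under different company names."""
    return tuple((k, v if k in static_keys else "*") for k, v in query_pairs(tag))


def differing_parameters(tag_a, tag_b):
    """Parameter names whose values differ between two tags (a missing
    parameter counts as differing)."""
    a, b = dict(query_pairs(tag_a)), dict(query_pairs(tag_b))
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


def sellers_sharing_signature(tags_by_seller):
    """Groups of sellers whose tags share a signature, as sorted name lists."""
    clusters = {}
    for seller, tags in tags_by_seller.items():
        for t in tags:
            clusters.setdefault(tag_signature(t), set()).add(seller)
    return sorted(sorted(s) for s in clusters.values() if len(s) > 1)


if __name__ == "__main__":
    print(sellers_sharing_signature(SAMPLE_TAGS))
    print(differing_parameters(SAMPLE_TAGS["Tuned ads"][0], SAMPLE_TAGS["Moksly"][0]))
```

Hostname and path are deliberately left out of the signature, since those are exactly the parts a seller changes when it sets up a new front; the query layout is what the generator leaves behind.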

*****

moksly.com - interestingly, if you call the number in the WHOIS, you do get through to a voicemail for "Mary", but no company name is mentioned in the recorded message.

ICANN Registrar: BIZCN.COM
Created 14 April 2010

IP: 95.143.193.254

Registrant: Mary Valentine (admin@moksly.com)

*****

barkleydavis.com
ICANN Registrar: BIZCN.COM
Created 12 May 2010

IP: 95.143.193.251

Registrant: Max Glasper (admin@barkleydavis.com)

*****

awemedia.net
ICANN Registrar: BIZCN.COM
Created 17 April 2010

IP: 95.143.193.253

Registrant: Mary Johnson Anderson (it@awemedia.net)

*****

togueno.com
ICANN Registrar: BIZCN.COM
Created 18 May 2010

IP: 95.143.193.244

Registrant: Bob Merlot (domain@togueno.com)

*****

I think it is worthwhile looking at more domains in the 95.143.193.* range to see what other potential problems we can identify:

ad.mediabank.smtpst.com - IP 95.143.193.228

smtpst.com
ICANN Registrar: BIZCN.COM
Created 30 January 2010

Shares IP with nmtsm.com

Registrant: Simon Simon, simon@gmail.com

*****

nmtsm.com
ICANN Registrar: BIZCN.COM
Created 30 January 2010

Registrant: "ColoradoOralSurgeons", Alice Johnson Alice Johnson, aezeihia3@gmail.com

*****
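The registration records listed throughout this post all follow the same layout (domain, registrar, creation date, IP), which makes the neighbourhood check suggested above easy to automate.  What follows is an added example and not something from this blog: it parses records written in that layout, groups the domains by /24, and flags a domain that is newly registered, that sits in the same /24 as other domains in the report, and that shares a registrar with those neighbours.  The sample text is constructed from details already listed in this post; the 90-day age threshold and the observation date are assumptions.

```python
"""Parse WHOIS-style records as listed in this post and cluster them (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed from the registration details listed in this post, in the post's own layout.
SAMPLE_RECORDS = """\
tunedads.com
ICANN Registrar: BIZCN.COM, INC.
Created 17 April 2010

IP: 95.143.193.252 - Gavleborgs Lan - Hudiksvall

Registrant: Elizabeth Anderson, domains@tunedads.com

*****

moksly.com
ICANN Registrar: BIZCN.COM
Created 14 April 2010

IP: 95.143.193.254

*****

barkleydavis.com
ICANN Registrar: BIZCN.COM
Created 12 May 2010

IP: 95.143.193.251

*****

awemedia.net
ICANN Registrar: BIZCN.COM
Created 17 April 2010

IP: 95.143.193.253

*****

togueno.com
ICANN Registrar: BIZCN.COM
Created 18 May 2010

IP: 95.143.193.244

*****

roxantb.com
ICANN Registrar: BIZCN.COM, INC
Created 14 April 2010

IP: 188.72.192.52 - Hessen, Frankfurt, Netdirekt E.K
"""

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
IP_RE = re.compile(r"^IP:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_records(text):
    """A bare domain name on a line of its own starts a record; the following
    'ICANN Registrar:', 'Created ' and 'IP:' lines fill it in."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if DOMAIN_RE.match(line):
            current = {"domain": line, "registrar": None, "created": None, "ip": None}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("ICANN Registrar:"):
            current["registrar"] = line.split(":", 1)[1].strip()
        elif line.startswith("Created "):
            current["created"] = datetime.strptime(line[len("Created "):].strip(), "%d %B %Y").date()
        else:
            m = IP_RE.match(line)
            if m:
                current["ip"] = m.group(1)
    return records


def group_by_network(records, prefix=24):
    """Map each /prefix network to the report domains hosted inside it."""
    groups = defaultdict(list)
    for r in records:
        if r["ip"]:
            net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
            groups[str(net)].append(r["domain"])
    return dict(groups)


def _registrar_key(name):
    # "BIZCN.COM, INC." and "BIZCN.COM" are the same registrar for our purposes.
    return (name or "").split(",")[0].strip().upper()


def risk_flags(record, records, observed, max_age_days=90, prefix=24):
    """Flags for one record, judged against the other records and an observation date."""
    if isinstance(observed, str):
        observed = date.fromisoformat(observed)
    flags = set()
    if record["created"] and (observed - record["created"]).days < max_age_days:
        flags.add("newly_registered")
    if not record["ip"]:
        return flags
    net = ipaddress.ip_network(f"{record['ip']}/{prefix}", strict=False)
    neighbours = [r for r in records
                  if r is not record and r["ip"] and ipaddress.ip_address(r["ip"]) in net]
    if neighbours:
        flags.add("shares_network_with_report_domains")
        if any(_registrar_key(r["registrar"]) == _registrar_key(record["registrar"])
               for r in neighbours):
            flags.add("same_registrar_as_neighbours")
    return flags


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(group_by_network(recs))
    for r in recs:
        print(r["domain"], sorted(risk_flags(r, recs, "2010-06-01")))
```

None of these flags is proof of anything on its own; a legitimate agency can also sit on a shared /24 at a busy registrar.  The value is that a domain hitting all three, as the 95.143.193.* names do here, is one you research before you return a signed insertion order.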

Posted by sandi with 2 comment(s)

ALERT: zedoadservices.com is NOT associated with Zedo

Some basic due diligence reveals that zedoadservices.com should be treated with extreme caution.  Check out the domain’s registration details.  Once again we have a newly registered domain, a Registrant hidden behind Moniker Privacy Services, and a host that you would not expect to be hosting Zedo domains.

****

zedoadservices.com
ICANN Registrar: Moniker Online Services, Inc
Created 17 March 2010

IP: 209.132.192.182 - California, Woodland Hills, Colo.com

Sharing IP with approximately 36,359 other domains.

Registrant hidden behind Moniker Privacy Services

****

Zedo have confirmed that zedoadservices.com does not belong to them.


If you visit zedoadservices.com you are immediately redirected to zedo.com.  That is because the web page at zedoadservices.com contains the following code:

image

If you visit the web site using Firefox with NoScript (or any other web browser with JavaScript disabled), you see this:

 image

Posted by sandi with no comments

ALERT: Please treat content from vastons.com with extreme caution

A contact has alerted me that he was approached by the “VP sales Vastons Marketing”.  This “VP” was using the domain “vastons.com”.

The VP for Vastons Marketing claims that JetBlue are their client.  My contact described the deal on offer as “too good”, being $45,000 for a 500K-1million impressions budget with the campaign to run for a period of 2-4 weeks and a 1/24 frequency capping. Of course, Vastons Marketing wanted the campaign to run in the same month.


So, who are “Vastons Marketing”?  The domain being used, vastons.com, was registered just last month via the ever problematic BIZCN and is currently hosted at the also problematic Netdirekt.

vastons.com
ICANN Registrar: BIZCN.COM
Created 7 April 2010

IP: 188.72.192.13 - Netdirekt E.k

The domain was originally created back in 2005, but was left parked at parked-domains.net until last month.  The Registrant details have not changed during this time.

Registrant: Steven Davies (it@vastons.com)

The IP address of the person who approached my contact was 188.72.192.208 (another Netdirekt IP).

When we look at their web site, we see that they list their address as:

2000 Auburn Drive
One Chagrin Highlands
Suite 200
Beachwood, Ohio 44122
United States

That address is virtual offices run by Regus in Beachwood, Ohio:

http://www.regus.com/locations/US/OH/Beachwood/OhioBeachwoodChagrinHighlands.htm?product=meetingrooms


So, to summarize: we have a newly activated domain, a web site hosted in Europe, and a domain registered via a very problematic registrar and hosted by Netdirekt.  Not only that, the computer used to approach my contact was also in Europe, yet the contact phone number supplied was an Ohio number, as is the listed business address of Vastons Marketing.

In short, please treat any contact from Vastons.com with extreme caution - at the very least, get on the phone to JetBlue and ask them if they are a client of "Vastons Marketing".  Do NOT phone any contact number for a JetBlue representative that may have been given to you – grab your telephone directory, phone JetBlue’s head office, and go from there – that way you will know for sure that you are talking to the real JetBlue.  And be careful of any credit references supplied – don’t forget these tricks from the past:

http://msmvps.com/blogs/spywaresucks/archive/2009/04/23/1690197.aspx – in this example, contact details for a fake “Tribalfusion” referee were supplied.

http://msmvps.com/blogs/spywaresucks/archive/2007/12/07/1383504.aspx – in this case, a forged “letter of mandate” was supplied.

Posted by sandi with 2 comment(s)