Malicious advertisements and advertising fraud. What do we know?
Regards to Suzy of Spywarewarrior who grabbed the data pertaining to 190.15.73.254.
Ok, this is NOT going to be light reading, it's heavy going, but for those of you interested in seeing behind the smoke and mirrors that is internet advertising and web hosting, especially as it pertains to malicious banner advertising and scareware/fraudware software, it's worth wading through.
My regular readers know that skyauction.com allege that networkmediagroup.net used a fake "letter of mandate" to fool web sites into allowing unauthorised, maliciously coded, advertisements to be displayed on their web sites.
We also know that emusic.com allege that uniqueads.com, adtraff.com and forceup.com fraudulently purchasing advertising on eMusic's behalf.
We also know that the same names seem to appear over and over and over again when we investigate malicious banner advertisements. For example:
- soccernet - burnads.com, adtech.de, blessedads.com, performanceoptimizer.com
- allmusic - checkm8.com, newbieadguide.com, blessedads.com, prevedmarketing.com, malware-scan.com
- defsounds - r2d2adverising, newbieadguide.com, blessedads.com, prevedmarketing.com, malware-scan.com
- allmusic again - checkm8.com, adtraff.com, blessedads.com, prevedmarketing.com, shivanetworking.com, deuscleaneronline.com
- ok-magazine - r2d2adverising, newbieadguide.com, blessedads.com, prevedmarketing.com, malware-scan.com
- sensis - mysurvey4u, blessedads, prevedmarketing, malware-scan.com
- Large website - prevedmarketing, malware-scan.com
Are we seeing a pattern here? Of course we are - the same names kept popping up over and over during the recent outbreak of malicious banner advertisements. But, thing get even more interesting if we dig a little deeper. Let's concentrate on just one IP address that keeps appearing:
adtraff.com - 190.15.73.254
forceup.com - 190.15.73.254
burnads.com - 190.15.73.254
blessedads.com - 190.15.73.254
prevedmarketing.com - 190.15.73.254
r2d2adverising.com - 190.15.73.254
shivanetworking.com - 190.15.73.254
Who else is associated with the IP 190.15.73.254?
Search Results for 190.15.73.254 [reverse DNS - 190-15-73-254.securehost.com]
Ad2cash.net Ad2profit.com Adcomatoz.com Adgurman.com Adhokuspokus.com Adnetserver.com Adredired.com Adsolutio.com Adtraff.com Adverdaemon.com Adverlounge.com Adzyclon.com Antivirussecuritypro.com Astalaprofit.com B2adz.com Bestadmedia.com Bestpharmacydeals.com Bestsearchnet.com Bestshopz.com Bestwnvmovies.com Bizadverts.com Bizmarketads.com Blessedads.com Brandmarketads.com Bucksinsoft.com Burnads.com Cancerno.com Cashloanprofit.com Casinoaceking.com Casinodealsgalore.com Cheap-auto-deals.com Co-search.com Cryptdrive.com Deuscleanerpay.com Easybestdeals.com Eroticabsolute.com Fantazybill.com Favouriteshop.com Fileprotector.com Forceup.com Freepcsecure.com Freetvnow.net Friedads.com Getfreecar.com Glorymarkets.com Great4mac.com Greyhathosting.com Hebooks-service.com Iddqdmarketing.com Infyte.com Installprovider.com Internetadaultfriend.com Internetanonymizer.com Intervarioclick.com Invulnerableads.com Keywordcpv.com Libresystm.com Luckyadcoin.com Luckyadsols.com Magicsearcher.com Manage-search.com Marketingdungeon.com Mediatornado.com Megashopcity.com Mightyfaq.com Misc-search.com Mobilesoftmarketing.com Moneycometrue.com Moneypalacecash.com Myfavouritesearch.com Myhealth-life.org Myonlinefinance.com Mysurvey4u.com Mythmarketing.com Mytravelgeek.com Netmediagroup.net Netturbopro.com Onestopshopz.com Opensols.com Pcsoftw.com Pcsupercharger.com Popadprovider.com Popsmedia.com Popupnukerpro.com Prenetsearch.com Prevedmarketing.com Prizesforyou.com R2d2adverising.com Rocktheads.com Roller-search.com Rombic-search.com Searchcolours.com Sellmoresoft.com Selvascreensaver.com Sharpadverts.com Shivanetworking.com Shopshot.com Softwcs.com Stratosearch.com Swiftcleaner.com Tallgrass-seach.com Traffalo.com Traveltray.com Uniqads.com Vitecmedia.com Waytotheprofit.com Windefender.com Wontu-search.com Workhomecenter.com Yourseeker.com Yourshopz.com Yourteacheronline.com Zappinads.com Zooworld-search.com
Look at who appears in the reverse IP search of 190.15.73.254 - none other than netmediagroup.net
Yep, securehost.com hosts adtraff.com, forceup.com, networkmediagroup.net and uniqueads, all of which are accused of fraudulently claiming to represent reputable web sites, and of distributing malicious banner advertisements.
Look who else is there - mysurvey4you.com, traveltray, getfreecar, prevedmarketing, B2adz.com, blessedads, burnads, R2d2adverising.com, Shivanetworking.com - all of which have been associated, in one way or the other, with malicious banner advertisements.
Let's look at Mike On Ads' blog entry about ErrorSafe (aka Winfixer). He refers to mysurvey4you, traveltray.com and getfreecar.com. BTW, cannis.org (mentioned on Mike's blog) shares an IP address with none other than systemdoctor.com, yet another winfixer type site.
In short, securehost is a problem. But so is Limelight Networks, and Innovative Marketing. Let's go a little further afield, and check out Mike Burgess's blog. Mike, by the way, is the MVP behind the MVP Hosts File.
First, lets look at "Limenetworks serving up malware". In this article Mike shows how Limelight Networks are hosting sundry malware downloads. b2adz (190.15.73.254) pops up in relation to two scareware/fraudware sites being securityonpage.com and storageprotector.com. A reverse IP check reveals that protectroom.com, savetheinformation.com, wayforprotection.com and ieerror404.com are all at the same IP as securityonpage.com (208.96.58.52).
336 domains resolve to the same IP as storageprotector.com (87.117.252.11) many of which seem to be antivirus, antispyware, privacy protection sites and the like. I'll leave it to you to decide how many of those 336 domains are legitimate and how many are fraudware/scare (see the end of this blog for a list of domains that resolve to 87.117.252.11 as at time of writing).
Next, take a look at "LimeLight Networks and connecting the dots", which builds an association between LimeLight Networks and Innovative Marketing Group (aka Winfixer)
Finally, let's look at "More on Innovative Marketing", which briefly points out the hosting services that are affiliated with Innovative Marketing Group.
I know, there is a lot of data here, a lot of names and IP addresses, but it serves to give you a glimpse into how close the ties can be between various names associated with scareware, fraudware, malicious banner advertisements and fraudulent activity such as that reported by skyauction.com and emusic. The information shows us that malicious activities and incidents that can seem to be scattered and too prevalent and widespread to be easily shut down, can sometimes be treated as a "job lot" and that a lot of difference could be made to the safety of internet users as a whole if only we could get the primary sources/hosts to cooperate and shut things down.
Now, the question is - is securehost.com simply a stooge? An unwitting host and victim? Or a collaborator?
What about whoever is behind 87.117.252.11 - stooge and victim, or collaborator?
Over the next day or so we will take a look at how the advertising networks that we know have been infiltrated are responding to the risks - we'll focus just on the advertisements that have been discussed on this site and take a look to see if the malicious SWF files are still around, or if they have been deleted or moved.
Addendum: Sites that resolve to 87.117.252.11
Acchiappavirus.com Adiosvirus.com Ahorrememoria.com Altalimpeza.com Anonimutente.com Antiamenazas.com Antiespiamaestro.com Antievidence.com Antispionimaestro.com Antispywareconductor.com Antispywarecontrol.com Antispywaremaster.com Antispywaremeister.com Antivirusfiable.com Antivirusforall.com Antivirusforalla.com Antivirusforalle.com Antivirusfueralle.com Antivirusgenial.com Antivirusmagique.com Antivirusparatodos.com Anzentsuru.com Apagahistorico.com Apolloantivirus.com Archivosenestado.com Atemaiserro.com Atrapavirus.com Aucunchoixpourvirus.com Aucunefaute.com Aucuninfection.com Aucunmenace.com Aucunserreurs.com Avcompleto.com Avsecurityplus.com Avseguro.com Bandoaivirus.com Bandoalleinfezioni.com Barreraintegral.com Bastioneantivirus.com Beskyttelseonline.com Beskyttendevaerktoj.com Bestsellerantivirus.com Blanchdisc.com Borresuspasos.com Bossedeserreurs.com Brossedesfautes.com Bugseraser.com Caiforavirus.com Ceroamenazas.com Cerovirus.com Chasseurdeserreures.com Cleanerpotente.com Cleanpctool.com Cleanuptool.com Confidentsurf.com Confidentuser.com Contenidoseguros.com Contenteraser.com Controledemenaces.com Controlloreprivacy.com Curerrores.com Dataconfidentiality.com Defensaantivirus.com Defensecelebre.com Defensededriver.com Defensedinformation.com Defensedudisque.com Defensenetsurfage.com Defensivesystem.com Dejitarufukugen.com Dejitarukyoikira.com Dejitaruwakuchin.com Detapurotekuta.com Detaripea.com Detectaerrores.com Discoseguro.com Diskassistent.com Diskretter.com Disksaeuberung.com Disksizesaver.com Disksparare.com Disukushuri.com Doubledefender.com Driversecurise.com Einwandfreierpc.com Eliminadordeamenazas.com Elmejorantivirus.com Emperahogo.com Enmiendaerrores.com Equipoantiespia.com Eracheisa.com Erasutoppu.com Erreurchasseur.com Errorfighter.com Essentialeraser.com Expertdantispyware.com Exterminadordevirus.com Extremuclean.com Fairukyua.com Feilvakt.com Fejlfripc.com Fejlreparering.com Felfixare.com Ferramentadesolucao.com Ferramentasegura.com Festplattencleaner.com Festplattentool.com Fiksdinpc.com Filtredetraces.com Filtrototal.com Fixthemnow.com Fjernervirus.com Foutenwacht.com Geheugenredder.com Guardiandelaprivacidad.com Guardianodelpc.com Gubbishremover.com Hackerstaisaku.com Hadodoraibugado.com Harddriveguard.com Herramientasegura.com Historialout.com Hotbevakning.com Ingavirus.com Ingenmulighetforvirus.com Inhaltsaeuberung.com Inhaltspeicher.com Inmunepc.com Kakujitsutsuru.com Keinespurenlassen.com Keineviren.com Knowhowprotection.com Konsekiauto.com Kontentsufiruta.com Kurinkonseki.com Kyoiireza.com Kyoikanshi.com Kyoryokucleaner.com Largavidapc.com Laufwerkcleaner.com Limpiapc.com Limpietodo.com Lomejorenantivirus.com Longlifepc.com Lungavitapc.com Maechtigerreiniger.com Malwareschutz.com Manutencaopc.com Memorisebu.com Menacecontrole.com Menacefighter.com Menacemonitor.com Menacescrubber.com Menacesprotection.com Miavcompleto.com Mightycleaner.com Minnesparere.com Monitordeamenazas.com Moteurpcpro.com Mycontentassistant.com Netsurfageassure.com Nettoyeurdepc.com Nettoyeurdeserreures.com Nettoyeurdevirus.com Nettoyeurpuissant.com Neuerantivirus.com Neuerschild.com Nientetracce.com Nouvelantivirus.com Nurdeinpc.com Ohnespurensurfen.com Omelhorantivirus.com Onlinehelpmate.com Onlineverktyg.com Onrainpurotekuta.com Ordureffaceur.com Oruripea.com Pasderreurs.com Pasdesfautes.com Pasdesmenaces.com Pasendommagement.com Pasplusdespertes.com Pasplusdevirus.com Pcantiviruspro.com Pcassertor.com Pcbewaker.com Pcboosterpro.com Pcbunan.com Pceternel.com Pcforfender.com Pchealthkeeper.com Pchjaelper.com Pcinforedder.com Pclibredevirus.com Pcohnespuren.com Pcredskab.com Pcsansbug.com Pcsecuresystem.com Pcsecurise.com Pcsentineru.com Pcsiemprenueva.com Pctoolpro.com Pcultralimpia.com Pcveiligheidstool.com Pcvirussweeper.com Perfektantivirus.com Personalityprotector.com Poseidonantivirus.com Poupememoria.com Preservingtool.com Privacidadconductor.com Privacidadgarantizada.com Privacidadyseguridad.com Privacyredder.com Privacywaker.com Privacywarrior.com Privatsicherer.com Protecaoconfiavel.com Proteccionasegurada.com Proteccioncompleta.com Proteccionimperial.com Protecteurdinfo.com Protectionassuree.com Protectionconue.com Protectiondedriver.com Protectiondenetsurfage.com Proteggidati.com Protezioneesperta.com Protezionefidata.com Pulituraestrema.com Puraibashihosho.com Puraibashimaneja.com Puraibashitoshinrai.com Rendimientototal.com Rensanu.com Reparaerrores.com Reparateurdesysteme.com Repareja.com Reparemenaces.com Repareya.com Rimuoviciarpame.com Riparaminacce.com Riparasubito.com Riservatezzanet.com Safeharddrive.com Safepctool.com Safudaijoubu.com Salvaspaziosudisco.com Sansendommagement.com Sansinfections.com Sayonarabaggu.com Schijfbewaker.com Schijfcontroleur.com Schijfredder.com Schijfruimteredder.com Schutzderdaten.com Schutzfuerpc.com Secretissimosoft.com Secretopertutti.com Secretosasalvo.com Secretoseguro.com Securepccleaner.com Sefunahimitsu.com Sekretessforsvarare.com Senzadoppioni.com Shingaidome.com Shinraihogo.com Shinraipafomansu.com Shisutemudifensu.com Sichererantivirus.com Sichererschutz.com Sicherheitstool.com Sikkerbrukere.com Sikkerpcredskap.com Sikkersystem.com Sinataques.com Sinrrastros.com Sinsenales.com Sistemaprotegido.com Sistemupyua.com Sisutemuantei.com Sisutemuorugurin.com Skyddsprogram.com Smittfri.com Solelunaantivirus.com Speichertool.com Spyguardpro.com Spywaretaisakumaster.com Stopbedreiging.com Stopminacce.com Storageprotector.com Succesantivirus.com Superanonimo.com Surfforsure.com Surfremover.com Sutoppuwirusu.com Syssauvegarde.com Systemerrorfixer.com Systemesansfaute.com Systemesansvirus.com Systemhoover.com Systemschild.com Tackanejvirus.com Tilforlatelig.com Toolsicuro.com Topsalgantivirus.com Trasheraser.com Trusselovervagning.com Trustedantivirus.com Trustedprotection.com Tryggpcverktyg.com Trygpcbruger.com Turnkeyantivirus.com Unidadessanas.com Usuarioprotegido.com Utiledereparation.com Utilisateursur.com Vaktmotvirus.com Veiligheidsagent.com Virenvernichter.com Virusbekaemper.com Viruskrakker.com Virussperr.com Virusurimuva.com Virusvanger.com Virusvijand.com Volumformatredskap.com Wirusufinisshu.com Wirusuk.com Wirusukyua.com Wirusumuryokuka.com Wirusushattodaun.com Wirusushuryo.com Yourprivacyguard.com Yuzasefu.com Zentaiwakuchin.com