Malicious advertisement hosted by Microsoft owned adecn.com

I mentioned in my previous article that it just so happens that we can find more than one malicious advertisement thanks to www.youhide.com.

 

Let's load this URL:
ad2.adecn.com/here.spot?v=2.2;time=119;spotId=10110;c=0;ms=1199702892837

We may see not only the malicious skyauction advertisement, but also a malicious dot.tunes advertisement.  The path backwards is slightly different for the malicious dot.tunes advertisement:

End target fraudware site:

scanner2.malware-scan.com/9_swp/?aid=in5t4nce_ma9_mb1&lid=intl&ax=1&ed=2&mt_info=4943_3753_12484

blessedads.com/?cmpid=in5t4nce&adid=intl

newbieadguide.com/statss.php?campaign=in5t4nce&u=23423424

Referrer:
newbieadguide.com/swf/gnida.swf?campaign=in5t4nce&u=23423424

-----

newbieadguide.com/swf/gnida.swf?campaign=in5t4nce&u=23423424

Referrer:
newbieadguide.com/statsg.php?u=23423424&campaign=in5t4nce

-----

newbieadguide.com/statsg.php?u=23423424&campaign=in5t4nce

Referrer:
cds.adecn.com/resource/ads/917_7744_1195842125.swf  (this is the malicious dottunes.swf)

-----

cds.adecn.com/resource/ads/917_7744_1195842125.swf  (this is the malicious dottunes.swf)

Referrer:
ad2.adecn.com/here.spot?v=2.2;time=119;spotId=10110;c=0;ms=1199702892837

-----
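The URL/Referrer pairs above can be stitched back into the forward path the browser followed, which makes the hand-offs between sites easy to see. This is an added example, not part of the original post: it assumes the three URLs listed under "End target fraudware site" are consecutive hops, and it treats the last two host labels as the "site".

```python
from urllib.parse import urlsplit

# (request, referrer) pairs copied from the trace above. The first two pairs
# assume the three URLs listed under "End target" are consecutive hops.
PAIRS = [
    ("scanner2.malware-scan.com/9_swp/?aid=in5t4nce_ma9_mb1&lid=intl&ax=1&ed=2&mt_info=4943_3753_12484",
     "blessedads.com/?cmpid=in5t4nce&adid=intl"),
    ("blessedads.com/?cmpid=in5t4nce&adid=intl",
     "newbieadguide.com/statss.php?campaign=in5t4nce&u=23423424"),
    ("newbieadguide.com/statss.php?campaign=in5t4nce&u=23423424",
     "newbieadguide.com/swf/gnida.swf?campaign=in5t4nce&u=23423424"),
    ("newbieadguide.com/swf/gnida.swf?campaign=in5t4nce&u=23423424",
     "newbieadguide.com/statsg.php?u=23423424&campaign=in5t4nce"),
    ("newbieadguide.com/statsg.php?u=23423424&campaign=in5t4nce",
     "cds.adecn.com/resource/ads/917_7744_1195842125.swf"),
    ("cds.adecn.com/resource/ads/917_7744_1195842125.swf",
     "ad2.adecn.com/here.spot?v=2.2;time=119;spotId=10110;c=0;ms=1199702892837"),
]

def site(url):
    # Naive registrable domain: the last two host labels. Enough for these
    # hosts; a real tool would consult the Public Suffix List.
    return ".".join(urlsplit("//" + url).hostname.split(".")[-2:])

def forward_chain(pairs):
    """Order the hops from the ad call to the final landing page."""
    next_hop = {ref: req for req, ref in pairs}  # referrer -> request it led to
    requested = {req for req, _ in pairs}
    roots = [ref for _, ref in pairs if ref not in requested]
    if len(roots) != 1:
        raise ValueError("trace does not form a single chain")
    chain, seen = [roots[0]], set()
    while chain[-1] in next_hop:
        if chain[-1] in seen:
            raise ValueError("loop in referrer chain")
        seen.add(chain[-1])
        chain.append(next_hop[chain[-1]])
    return chain

def handoffs(chain):
    """Hops where the request leaves one site for another."""
    return [(site(a), site(b)) for a, b in zip(chain, chain[1:]) if site(a) != site(b)]

if __name__ == "__main__":
    chain = forward_chain(PAIRS)
    print("\n".join(chain))
    print(handoffs(chain))
```
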

Ok, so it seems that adecn.com is involved in two malicious advertisement circulations, and is the host of a malicious SWF, but guess what - back in July 2007 adecn announced that the company was going to be acquired by none other than Microsoft!  

cite: http://www.adecn.com/assets/070727%20%20Microsoft%20Acquires%20Broker%20Of%20Ad%20Space,%20WSJ.pdf

Ok, I know *exactly* who to contact about this problem.

Screenshot of malicious dot.tunes SWF


Published Mon, Jan 7 2008 21:13 by sandi

Comments

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Tuesday, January 08, 2008 10:55 PM by mac12255

Dot.Tunes and youhide.com...   It sounds like a familiar story.  I'm curious as to how you ended up at youhide.com's website in the first place.

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Tuesday, January 08, 2008 11:08 PM by mac12255

Hello, again.  I don't really see anything wrong as you seem to have supporting evidence for your article.  But if you don't rephrase "a malicious dot.tunes advertisement," a dottunes.net guy may bring another friend and threaten you to rewrite it.

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Wednesday, January 09, 2008 1:12 AM by sandi

Hi mac12255

Let's just say that I received some security intelligence via email that indicated that youhide had a problem ;o)

As for the dot.tunes guy - he wouldn't be the first person to be upset - skyauction and emusic are also upset that they are the victim of malicious banner advertisements, but they handled the situation well.

Skyauction wrote to me about it, and even attached a copy of an alleged 'fake letter of mandate'. I blogged it.  emusic put up a notice on a page - I blogged it.  

If dot.tunes want to write to me and tell me that the featured advertisement is fake, I'll blog that too, but I won't rewrite my article, and I don't take kindly to threats - I expect dot.tunes to do the same as everybody else - write to me nicely, tell me that they're a victim, put their side of the story and they'll get fair air time, just like everybody else :o)

Sandi

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Wednesday, January 09, 2008 11:43 AM by Phil

Actually maybe I was a bit upset when I replied, but no one threatened you.  The ad is a fake.  We did not authorize it and are not actively running that ad on ANY ad network.  So let me ask nicely, please explain to people that the ad has nothing to do with DOT.TUNES.  And I do stand by my original statement.  If this is happening to more than one website, and you are confirming this, then why not write the article to accurately reflect this?  It seems to me that you need to re-evaluate the ad network you are using, and place the blame on them, not unknowing sites.  I would also appreciate rephrasing the "malicious dot.tunes advertisement"...  This statement, knowing that it is untrue, to me seems malicious.  I'm not threatening anything, just asking you to have the same courtesy you would like shown to you.  I'm sure you would not like to have other people blogging that you make inaccurate and unfounded statements that have the potential to damage someone else's credibility before thoroughly investigating a matter.  I'm not saying that is the case, but if someone said that, I am sure you would be upset.

Hoping to resolve this soon!  Thanks Phil

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Wednesday, January 09, 2008 4:37 PM by sandi

@Phil,

My regular readers know, and I have said myriad times, that the malicious advertisements are invariably unauthorised.  I have highlighted this fact with regard to skyauction, and emusic, and now I have permitted your comment to publish as well.

Your complaint about my wording is, to be honest, grammatic semantics.

As for "you need to re-evaluate the ad network you are using and place the blame on them, not unknowing sites", I *always* place responsibility on the advertising networks, not the victim sites, unless the victim site refuses to act to remove the content that they are directly hosting.

I would suggest that you get to read my blog, get to know what I do and how I do it, before making unjustified comments.

And now, if I may offer some advice - a comment from an anonymous "Phil", with no surname included, holds little weight with me or my readers.  

First, I would suggest that you include your full name in your comments and correspondence (by the way, did you write to me directly?).  I can confirm the bona fides of a direct email - I cannot confirm the bona fides of an anonymous comment to my blog.

Second, I would suggest that you include a URL in your signature that my readers can click on.

Third, I repeat, do what you can to establish your bona fides.  I, and my readers, have no idea who "Phil" is.

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Wednesday, January 09, 2008 8:36 PM by Stephen Chukumba

I am the Director of Business Development for DOT.TUNES.  Phil (last name Graci) is not some anonymous commenter, but one of the developers of the DOT.TUNES application.  Another one of the developers found this "malicious dottunes advertiser" comment on another site (out of Tokyo), and on that site, I responded that we were not in any way affiliated with AdECN.

I believe that the spirit of Phil's initial comment was simply that we were not in any way responsible for any malware-scan scam, and had no connection with any ad that re-directed users to any destination other than dottunes.net.

At this point, as a victim of this clearly fraudulent scheme, what advice would you give other victims similarly situated?  Obviously a cease and desist is in order, but are there other strategies you could offer your readers, who may find themselves in similar positions in the future?

I, for one, was amazed when I saw the ad, since we never created a flash ad like that one, and never authorized anyone to create it either.  Moreover, at first blush, it appeared that we were being maligned by the tone of the alert.

Reading your comments now, both in response to Phil, and your general tenor, with respect to exactly what is happening, it is clear that you are not alleging that we participated in this scam, but one cannot help but be defensive, especially when it appears that this affiliation (however erroneous) is a stain on our reputation.

I applaud you, and other individuals and sites, which alert users to these fraudulent schemes, and provide a platform for the victims (and perpetrators, although you probably don't have too many) to air their grievances.

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Wednesday, January 09, 2008 8:42 PM by Phil Graci @ TriAgency / DOT.TUNES

Apologies for how I came off in my tone, there was another blog that just posted something similar, and I confused the two posts.  I thought your site was the same as his, sorry for jumping to conclusions :)

seo.mhvt.net/blog

Your report is much more accurate than the last, which insinuated that we had intentionally inserted a spyware ad into our SWF file.

It does seem however that someone took a Flash ad that we had on another site, that was manually coded into a page, not through their ad network, and stole the SWF and inserted code into it.  We have not ever run an ad on adecn.com.

We created a SWF flash ad for a promotional campaign that the ad was hardcoded into another site.  We did not place the ad with any ad networks.  At no time was any malware added to the file.  Someone has stolen our ad, and is using it in some sort of scam!

We are going after ADECN to find out what is going on.  Do you have any other advice?

Thank you, and I will read your blog, you have some good info here.

Phil Graci

TriAgency / DOT.TUNES

http://www.triagency.com

http://www.dottunes.net

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Wednesday, January 09, 2008 10:50 PM by sandi

Hi Stephen,

I admit to being confused by conflicting statements from staff at dot.tunes.

First we have Phil Graci saying:

"Greetings I am the main web developor, and creator of the Flash ad in question."

cite: seo.mhvt.net/.../blog_message.gif

Then we have you saying "we have never created a flash ad like that one, and never authorised anyone to create it either".

I am sure you can understand how such conflicting statements will cause confusion amidst the internet community.

With regard to your question, the most important thing that a victim site can do is contact whoever is hosting the malicious advertisement (the web site and the advertising network), tell them formally that the advertisement is unauthorised, and demand its immediate removal, warning that failure to act will result in further action being taken.

Additional ammunition is evidence of malicious behaviour such as a network trace.

Also, a formal warning on the website alerting visitors is very important.  

Publicity is very important and the most effective tool in forcing action.  If the advertising network or web site refuses to take down a malicious and/or unauthorised advertisement, write about it - blog it - tell the world about it.  Contact me, give me evidence, and *I* will take action to make sure the world knows about what is going on.

If a particular company falsely claims to represent you, let the world know that they have no authority.  Make it as hard as possible for the fraudsters to trick anybody into buying their wares.

Best wishes,

Sandi &c.

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Thursday, January 10, 2008 1:30 AM by sandi

@Phil,

Sorry for the delay in approving your comment - it was captured as possible spam (how ironic).

My advice is to ask for assistance from adecn, rather than "go after them".  They're as much a victim as blick, and skyauction, and emusic, and now dot.tunes.  

The true crooks are those people behind the malicious domains who grabbed a copy of your SWF (which is easy enough to do), before inserting malicious code and selling the manipulated advertisement under false pretences, and the companies that continue to host the domains that are used to spread, control and track the malicious advertisements and the actions they trigger after they are warned about what is going on.

It remains to be seen how netrouting.eu (the new hosts of the malicious domains that were until less than 24 hours ago hosted by nine.ch) respond to my warning to them about their new client.  I can promise you there will be a lot of publicity if netrouting.eu facilitate the distribution of malicious banner advertisements, and the resultant hijackings, now that they have been warned about the situation.

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Thursday, January 10, 2008 2:28 PM by Stephen Chukumba

Thank you for your insightful response.  You are totally on point with respect to the confusion.  Phil did legitimately believe that he created the ad, because it mimicked our design.  However, upon closer examination, he realized that it was not TriAgency's work, as it utilized a different font and a different slogan from our signature "Free Your Tunes."

In any instance, we have contacted adecn, and requested not only that they remove the ad, but assist us in determining its origin.  We are not sure how far we will get, but we are certainly intent on making sure that at a minimum, the ad is pulled.

We are also going to add a blog post alerting our community about this issue and to be wary of any of these ads.

Thanks again.

# re: Malicious advertisement hosted by Microsoft owned adecn.com

Thursday, January 10, 2008 4:29 PM by sandi

Hi Stephen,

As you will see from other entries to this blog, adecn have already suspended the advertising campaigns in question.

I hope to blog this weekend (time permitting) about where the advertisements came from.

Sandi &c.