Wednesday, January 16, 2008 7:50 PM sandi

Avoiding the bad guys - detecting potentially malicious advertising campaigns

The other day I wrote the following advice:

"Here are my suggestions for the checks that advertising networks should make when deciding whether to accept content from anybody. 

Don't just do a credit check.  Don't just run a WHOIS.  Don't just make sure that they respond to emails and that the phone number is not disconnected.  Check who hosts their mail servers. Check who hosts their name servers.  It's amazing how often you will find a connection between a particular domain or IP address and known bad guys every single time we run an analysis of an advertising campaign.  Proximogroup is one in particular that keeps on popping up, as did netmediagroup.com for a while there.

For example, let's pretend that you are contacted by somebody at wearegoodguyshonest.com - the WHOIS may look ok. They may pass a credit check. But then, when you look at the name servers for wearegoodguyshonest.com you may discover that the name server is in an IP range that is associated with many bad names.  In such circumstances it would be wise to decide it is safer not to do business with wearegoodguyshonest.com."

Let's expand the above advice a little, and show you just one way to make those extra checks.  I'll also highlight what may indicate that the advertising or hosting agreement we are about to enter into may be risky. 

A lot comes down to experience.  You have to watch the market, watch the blogs, watch the news, watch the online chatter - you need to know who is being or has been mentioned in association with unauthorised advertising campaigns and malicious advertisements.  Then you can take that knowledge and use it.  The following is just one example of how staying informed can save you from potential grief.

Let's have a quick look at a few danger signs you may encounter when deciding whether or not to accept advertising from somebody.  What we want to do is decide whether we trust the bona fides of a company.  In this example, I am going to show you how to use a particular service, www.robtex.com, as an investigatory step.

In this example, let's take a closer look at prevedmarketing.com, proximogroup and netmediagroup, names that have appeared in association with the facilitation of malicious advertising campaigns.

A robtex search reveals that the IP address of prevedmarketing.com at the time of writing is 190.15.73.254:
http://www.robtex.com/dns/prevedmarketing.com.html

Now that we have an IP address, we can take a look at what else is hosted in the same IP range.  Therefore, we use Robtex to search on the first three octets of the address (in effect, the /24 network), that is, 190.15.73:
http://www.robtex.com/cnet/190.15.73.html

The IP search proves to be very revealing, and triggers very loud alarm bells for anybody who has been analysing, or reading an analysis of, malicious advertising campaign incidents.

Have a look at what is hosted at 190.15.73.221... and at 222, 223, 251, 252 etc.

Anybody with a historical knowledge of malicious banner advertisement incidents would look at the robtex search results and realise that the name servers, mail servers and hosted domains in that range include domain names that have been associated with documented incidents of malicious advertisements and/or fraudware.

Now, what about proximogroup, which has been associated with the sale of advertising that has been proven to be unauthorised and/or malicious...

The IP address for proximogroup.com is 130.117.78.25, which seems innocent enough, but more importantly, its name server IP addresses are 190.15.73.251, 252 and 221, which I am sure are by now familiar to you.

The list of names sharing an IP with proximogroup and prevedmarketing is impressive - many you will recognise.  To highlight the significance of what we are seeing, the list that follows contains those that I have *personal* experience of, and that I know are either fraudware sites or domains that have been directly implicated in facilitating malicious advertising campaigns, whether by gathering statistics, hosting malicious content or selling malicious content.

domains sharing nameservers (those I have personal experience of)

ad2cash.net  
adtraff.com  
adzyclon.com  
bestadmedia.com  
bestsearchnet.com  
bucksbill.com  
burnads.com  
casinoaceking.com  
cryptdrive.com  
fileprotector.com  
forceup.com  
freetvnow.net  
fulsearch.com  
getfreecar.com  
greyhathosting.com
   (this one has been used to send emails allegedly from "Jim Burch", who calls himself "project manager at NetMediaGroup Advertising Agency" to victim sites)

installprovider.com  
libresystm.com  
magicsearcher.com  
moneypalacecash.com  
myhealth-life.org  
myonlinefinance.com  
netmediagroup.net  
netturbopro.com  
newbieadguide.com  
pcsupercharger.com  
popsmedia.com  
popupnukerpro.com  
prizesforyou.com  
searchcolours.com  
searchoperation.com  
sellmoresoft.net  
sellmysoft.net  
sharpadverts.com  
softwcs.com  
tallgrass-seach.com  
theringtonesource.com  
traffalo.com  
unicsearch.com  
uniqads.com  
vitecmedia.com  
wewillfind.com  
windefender.com  
workhomecenter.com  
yourseeker.com  
yourteacheronline.com  
zappinads.com  

subdomains
   *.proximogroup.com
   mail.proximogroup.com
   ns1.proximogroup.com
   ns2.proximogroup.com

Ok, now for netmediagroup.net, accused by some web sites of selling malicious advertising campaigns:

netmediagroup.net IP = 84.243.252.91

In the IP range 84.243.252 there are, again, some domains we recognise as participating in the facilitation of malicious advertising campaigns:

84.243.252.84 adtraff.com  
84.243.252.85 burnads.com  
84.243.252.88 forceup.com  
84.243.252.91 netmediagroup.net  
84.243.252.94 traffalo.com  
84.243.252.97 uniqads.com

Name servers and mail servers are at an IP address that, again, I am sure you will recognise...

ns1.netmediagroup.net 190.15.73.251
ns2.netmediagroup.net 190.15.73.252
mail.netmediagroup.net 190.15.73.221

Are we beginning to see a pattern here?
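The check walked through above (resolve the domain, then resolve its name servers and mail servers, and see whether any of those addresses land in a range already tied to bad actors) can be scripted. This is an added example, not code from the original post; it uses a constructed lookup table filled with the addresses quoted above rather than live DNS, and the watchlist, the clean control domain and the `.invalid` hostnames are assumptions.

```python
import ipaddress

# Networks this post ties to malicious advertising infrastructure; 190.15.73.0/24 is the range discussed above.
WATCHLIST = [ipaddress.ip_network("190.15.73.0/24")]

# Constructed stand-in for live DNS, filled with the values quoted in the post.
# Swap fake_lookup for a real resolver (e.g. one built on dnspython) for live checks.
FAKE_DNS = {
    "prevedmarketing.com": {"A": ["190.15.73.254"]},
    "proximogroup.com": {"A": ["130.117.78.25"],
                         "NS": ["ns1.proximogroup.com", "ns2.proximogroup.com"],
                         "MX": ["mail.proximogroup.com"]},
    "ns1.proximogroup.com": {"A": ["190.15.73.251"]},
    "ns2.proximogroup.com": {"A": ["190.15.73.252"]},
    "mail.proximogroup.com": {"A": ["190.15.73.221"]},
    "netmediagroup.net": {"A": ["84.243.252.91"],
                          "NS": ["ns1.netmediagroup.net", "ns2.netmediagroup.net"],
                          "MX": ["mail.netmediagroup.net"]},
    "ns1.netmediagroup.net": {"A": ["190.15.73.251"]},
    "ns2.netmediagroup.net": {"A": ["190.15.73.252"]},
    "mail.netmediagroup.net": {"A": ["190.15.73.221"]},
    # Hypothetical clean advertiser (RFC 5737 documentation addresses) as a control case.
    "clean-advertiser.invalid": {"A": ["198.51.100.10"],
                                 "NS": ["ns.clean-advertiser.invalid"]},
    "ns.clean-advertiser.invalid": {"A": ["198.51.100.53"]},
}

def fake_lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])

def infrastructure(domain, lookup=fake_lookup):
    """(role, host, ip) rows: the domain's own A records plus the A records of
    its name servers (NS) and mail servers (MX)."""
    rows = [("A", domain, ip) for ip in lookup(domain, "A")]
    for rtype in ("NS", "MX"):
        for host in lookup(domain, rtype):
            rows += [(rtype, host, ip) for ip in lookup(host, "A")]
    return rows

def watchlist_hits(domain, lookup=fake_lookup, watchlist=WATCHLIST):
    """Rows whose IP sits in a watchlisted network. A domain whose own address looks
    clean (proximogroup.com here) is still flagged through its NS and MX hosts."""
    return [row for row in infrastructure(domain, lookup)
            if any(ipaddress.ip_address(row[2]) in net for net in watchlist)]

if __name__ == "__main__":
    for d in ("prevedmarketing.com", "proximogroup.com", "netmediagroup.net", "clean-advertiser.invalid"):
        print(d, "RISKY" if watchlist_hits(d) else "no watchlist overlap", watchlist_hits(d))
```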

Let me repeat one more time...

Don't just do a credit check.  Don't just run a WHOIS.  Don't just make sure that they respond to emails and that the phone number is not disconnected.  Check who hosts their mail servers. Check who hosts their name servers.  It's amazing how often you will find a connection between a particular domain or IP address and known bad guys every single time we run an analysis of an advertising campaign.  Proximogroup is one in particular that keeps on popping up, as did netmediagroup.com for a while there.

I would also say, do not trust alleged "letters of mandate".  Why? Because I have an email from the Chief Technology Officer at skyauction.com, and he has quite a story to tell.  Here is a quote from his email - information shared with permission:

"We were contacted by another company today that was duped into hosting one of the fraudulent ads for a couple of days (which have since been taken down). It seems that the source of the ads is a company called NetMediaGroup (http://www.netmediagroup.net). They are claiming to represent us and even provided a fake letter of mandate (which I can email you) to one of their targets saying that they represent us.  As with our logo, they were pretty sloppy creating this fake "mandate" because there are some obvious errors. In this case, someone with the pseudonym (one can only guess) of "Jim Burch" (jim@netmediagroup.net) contacted the site claiming to represent us and asking to put up ads on the contact's site. Then the ads go up and deliver the fake malicious Skyauction ads until someone complains and they are finally taken down. NetMediaGroup appears at first glance to be a real company, but they are probably a completely fraudulent one. The domain name is registered to some organization in Germany, but the contact-us phone number seems to be in the Netherlands. All of the names on the web site are just generic (i.e. they don't give full names)."

The checks suggested above will take only moments, but may save you a lot of grief.  You should also conduct a comprehensive web search of any domain that you know is associated with the sale, hosting or distribution of an advertising campaign.


# re: Avoiding the bad guys - detecting potentially malicious advertising campaigns

Wednesday, January 16, 2008 6:57 PM by Doug Woodall

I remember a post you did not long ago about this. I was looking into selling a product for a company that I thought might do well in the Online Safety market.

Then I read your article and it was thru windefender.com.

You saved me some grief that day and I learned from it.

Thanks Sandi
