Avoiding the bad guys - detecting potentially malicious advertising campaigns
The other day I wrote the following advice:
"Here are my suggestions for the checks that advertising networks should make when deciding whether to accept content from anybody.
Don't just do a credit check. Don't just run a WHOIS. Don't just make sure that they respond to emails and that the phone number is not disconnected. Check who hosts their mail servers. Check who hosts their name servers. It's amazing how often you will find a connection between a particular domain or IP address and known bad guys every single time we run an analysis of an advertising campaign. Proximogroup is one in particular that keeps on popping up, as did netmediagroup.com for a while there.
For example, let's pretend that you are contacted by somebody at wearegoodguyshonest.com - the WHOIS may look ok. They may pass a credit check. But then, when you look at the name servers for wearegoodguyshonest.com you may discover that the name server is in an IP range that is associated with many bad names. In such circumstances it would be wise to decide it is safer not to do business with wearegoodguyshonest.com."
Let's expand the above advice a little, and show you just one way to make those extra checks. I'll also highlight what may indicate that the advertising or hosting agreement we are about to enter into may be risky.
A lot comes down to experience. You have to watch the market, watch the blogs, watch the news, watch the online chatter - you need to know who is being or has been mentioned in association with unauthorised advertising campaigns and malicious advertisements. Then you can take that knowledge and use it. The following is just one example of how staying informed can save you from potential grief.
Let's have a quick look at a few danger signs you may encounter when deciding whether or not to accept advertising from a given party. What we want to do is decide whether we trust the bona fides of a company. In this example, I am going to show you how to use a particular service, www.robtex.com, as an investigatory step.
In this example, let's take a closer look at prevedmarketing.com, proximogroup and netmediagroup, names that have appeared in association with the facilitation of malicious advertising campaigns.
A robtex search reveals that the IP address of prevedmarketing at the time of writing is 190.15.73.254:
http://www.robtex.com/dns/prevedmarketing.com.html
Now that we have an IP address, we can take a look at what else is hosted in the same IP range. To do that, we use Robtex to search the (incomplete) IP range, that is, 190.15.73:
http://www.robtex.com/cnet/190.15.73.html
The IP search proves to be very revealing, and rings very loud alarm bells for anybody who has been analysing, or reading analyses of, malicious advertising campaign incidents.
Have a look at what is hosted at 190.15.73.221... and at 222, 223, 251, 252, etc.
Anybody with historical knowledge of malicious banner advertisement incidents would look at the robtex results and realise that the IP search reveals, under the lists of name servers, mail servers and hosted domains, names that have been associated with documented incidents of malicious advertisements and/or fraudware.
Now, what about proximogroup, which has been associated with the sale of advertising that has been proven to be unauthorised and/or malicious...
The IP address for proximogroup.com is 130.117.78.25, which seems innocent enough, but more importantly, its name server IP addresses are 190.15.73.251, 252 and 221, which I am sure are by now familiar to you.
The list of names sharing an IP with proximogroup and prevedmarketing is impressive, and you will recognise many of them. To highlight the significance of what we are seeing, I have bolded those that I have *personal* experience of, and that I know are either fraudware sites or domains directly implicated in facilitating malicious advertising campaigns, whether by gathering statistics, hosting malicious content, or selling malicious content.
domains sharing nameservers
ad2cash.net
adtraff.com
adzyclon.com
bestadmedia.com
bestsearchnet.com
bucksbill.com
burnads.com
casinoaceking.com
cryptdrive.com
fileprotector.com
forceup.com
freetvnow.net
fulsearch.com
getfreecar.com
greyhathosting.com (this one has been used to send emails allegedly from "Jim Burch", who calls himself "project manager at NetMediaGroup Advertising Agency" to victim sites)
installprovider.com
libresystm.com
magicsearcher.com
moneypalacecash.com
myhealth-life.org
myonlinefinance.com
netmediagroup.net
netturbopro.com
newbieadguide.com
pcsupercharger.com
popsmedia.com
popupnukerpro.com
prizesforyou.com
searchcolours.com
searchoperation.com
sellmoresoft.net
sellmysoft.net
sharpadverts.com
softwcs.com
tallgrass-seach.com
theringtonesource.com
traffalo.com
unicsearch.com
uniqads.com
vitecmedia.com
wewillfind.com
windefender.com
workhomecenter.com
yourseeker.com
yourteacheronline.com
zappinads.com
domains sharing nameservers
ad2cash.net
adcomatoz.com
adtraff.com
adverdaemon.com
adverlounge.com
adzyclon.com
b2adz.com
bestadmedia.com
bestsearchnet.com
bizadverts.com
blessedads.com
bucksbill.com
burnads.com
candid-search.com
casinoaceking.com
cryptdrive.com
fileprotector.com
forceup.com
freetvnow.net
friedads.com
fulsearch.com
getfreecar.com
greyhathosting.com (this one has been used to send emails allegedly from "Jim Burch", who calls himself "project manager at NetMediaGroup Advertising Agency" to victim sites)
installprovider.com
libresystm.com
loffersearch.com
magicsearcher.com
manage-search.com
megashopcity.com
mightyfaq.com
misc-search.com
moneycometrue.com
moneypalacecash.com
myhealth-life.org
myonlinefinance.com
mysurvey4u.com
netmediagroup.net
netturbopro.com
newbieadguide.com
pcsupercharger.com
popadprovider.com
popsmedia.com
popupnukerpro.com
prevedmarketing.com
prizesforyou.com
r2d2adverising.com
rocktheads.com
roller-search.com
rombic-search.com
se7ensearch.com
search-expand.com
search-the-prey.com
searchcolours.com
searchmandrake.com
searchonline-ease.com
searchoperation.com
searchvirtuoso.com
sellmoresoft.net
sellmysoft.net
sharpadverts.com
shivanetworking.com
simplesamplesearch.com
softwcs.com
stratosearch.com
tallgrass-seach.com
theringtonesource.com
traffalo.com
traveltray.com
treekindsearch.com
unicsearch.com
uniqads.com
upg-soft.net
vitecmedia.com
wewillfind.com
windefender.com
wontu-search.com
workhomecenter.com
yourseeker.com
yourshopz.com
yourteacheronline.com
zappinads.com
zooworld-search.com
subdomains
*.proximogroup.com
mail.proximogroup.com
ns1.proximogroup.com
ns2.proximogroup.com
Ok, now for netmediagroup.net, accused by some web sites of selling malicious advertising campaigns:
netmediagroup.net IP = 84.243.252.91
There are some domains we recognise, again, as participating in the facilitation of malicious advertising campaigns at IP range 84.243.252:
84.243.252.84 adtraff.com
84.243.252.85 burnads.com
84.243.252.88 forceup.com
84.243.252.91 netmediagroup.net
84.243.252.94 traffalo.com
84.243.252.97 uniqads.com
Name servers and mail servers are at an IP address that, again, I am sure you will recognise...
ns1.netmediagroup.net 190.15.73.251
ns2.netmediagroup.net 190.15.73.252
mail.netmediagroup.net 190.15.73.221
Are we beginning to see a pattern here?
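The Robtex walk-through above (resolve the domain, then look at what else sits in the /24 that its name servers and mail servers live in) and the netmediagroup.net checks that followed can be turned into a repeatable script. The Python below is an added example and is not code from the original post. It runs against a small constructed DNS table (no network), modelled on the IPs quoted in this post for prevedmarketing.com, proximogroup.com and netmediagroup.net; the records for wearegoodguyshonest.com (the post's hypothetical prospect) and cleanvendor.example are made up, and the function names (infrastructure, assess, verdict, sharing_nameservers) and the WATCHLIST contents are my own choices, the latter simply being the domains this post discusses.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for live DNS (works offline), modelled on the figures
# the post quotes. wearegoodguyshonest.com (the post's hypothetical prospect)
# and cleanvendor.example carry made-up records. A real tool would query DNS
# here, e.g. with dnspython, instead of reading this table.
DNS = {
    "prevedmarketing.com": {"A": ["190.15.73.254"], "MX": ["mail.proximogroup.com"],
                            "NS": ["ns1.proximogroup.com", "ns2.proximogroup.com"]},
    "proximogroup.com": {"A": ["130.117.78.25"], "MX": ["mail.proximogroup.com"],
                         "NS": ["ns1.proximogroup.com", "ns2.proximogroup.com"]},
    "ns1.proximogroup.com": {"A": ["190.15.73.251"]},
    "ns2.proximogroup.com": {"A": ["190.15.73.252"]},
    "mail.proximogroup.com": {"A": ["190.15.73.221"]},
    "netmediagroup.net": {"A": ["84.243.252.91"], "MX": ["mail.netmediagroup.net"],
                          "NS": ["ns1.netmediagroup.net", "ns2.netmediagroup.net"]},
    "ns1.netmediagroup.net": {"A": ["190.15.73.251"]},
    "ns2.netmediagroup.net": {"A": ["190.15.73.252"]},
    "mail.netmediagroup.net": {"A": ["190.15.73.221"]},
    "adtraff.com": {"A": ["84.243.252.84"]},
    "burnads.com": {"A": ["84.243.252.85"]},
    # constructed prospect: tidy web host, but its name server is placed in
    # the same /24 as the name and mail servers above
    "wearegoodguyshonest.com": {"A": ["203.0.113.10"], "MX": ["mail.wearegoodguyshonest.com"],
                                "NS": ["ns1.wearegoodguyshonest.com"]},
    "ns1.wearegoodguyshonest.com": {"A": ["190.15.73.230"]},
    "mail.wearegoodguyshonest.com": {"A": ["203.0.113.25"]},
    # constructed clean prospect: all of its infrastructure in its own range
    "cleanvendor.example": {"A": ["198.51.100.5"], "MX": ["mail.cleanvendor.example"],
                            "NS": ["ns1.cleanvendor.example"]},
    "ns1.cleanvendor.example": {"A": ["198.51.100.53"]},
    "mail.cleanvendor.example": {"A": ["198.51.100.25"]},
}

# Domains the analyst already associates with documented incidents: the
# "experience" the post talks about, written down so a script can use it.
WATCHLIST = {"prevedmarketing.com", "proximogroup.com", "netmediagroup.net",
             "adtraff.com", "burnads.com"}

def resolve(host):
    """A records for a hostname, from the constructed table."""
    return list(DNS.get(host, {}).get("A", []))

def infrastructure(domain):
    """Role -> IPs: the web host (A) plus the resolved NS and MX hosts."""
    recs = DNS.get(domain, {})
    out = {"A": resolve(domain)}
    for role in ("NS", "MX"):
        out[role] = [ip for host in recs.get(role, []) for ip in resolve(host)]
    return out

def slash24(ip):
    """The /24 an address sits in: the range the Robtex 'cnet' page shows."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def range_index(watchlist):
    """/24 -> {(watchlisted domain, role)} for every IP the watchlist uses."""
    index = defaultdict(set)
    for d in watchlist:
        for role, ips in infrastructure(d).items():
            for ip in ips:
                index[slash24(ip)].add((d, role))
    return index

def assess(candidate, watchlist=WATCHLIST):
    """One finding per candidate host that lands in a /24 already used by watchlisted infrastructure."""
    index = range_index(watchlist - {candidate})
    findings = []
    for role, ips in infrastructure(candidate).items():
        for ip in ips:
            net = slash24(ip)
            if net in index:
                findings.append({"role": role, "ip": ip, "range": str(net),
                                 "shared_with": sorted(index[net])})
    return findings

def verdict(candidate, watchlist=WATCHLIST):
    """NS/MX overlap means they run on the same name/mail infrastructure: decline.
    Web-host (A) overlap alone may just be a large shared hosting range: review."""
    roles = {f["role"] for f in assess(candidate, watchlist)}
    if roles & {"NS", "MX"}:
        return "DECLINE"
    return "REVIEW" if roles else "NO_OVERLAP"

def sharing_nameservers(domain):
    """Robtex's 'domains sharing nameservers': entries whose NS resolve to an IP this domain's NS also use."""
    mine = set(infrastructure(domain)["NS"])
    return sorted(d for d in DNS if d != domain and mine & set(infrastructure(d)["NS"]))
```

Calling verdict("wearegoodguyshonest.com") returns "DECLINE" because its name server sits in 190.15.73.0/24 next to the proximogroup and netmediagroup name and mail servers, while cleanvendor.example comes back "NO_OVERLAP"; sharing_nameservers("proximogroup.com") reproduces the "domains sharing nameservers" idea from the table. Name-server and mail-server overlap is weighted above web-host overlap on purpose: a hosting provider's /24 holds many unrelated tenants, so an A-record neighbour is only a prompt for a closer look, whereas running your name and mail servers in the same small range as a known operator's is the stronger signal the post is pointing at.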
Let me repeat one more time...
Don't just do a credit check. Don't just run a WHOIS. Don't just make sure that they respond to emails and that the phone number is not disconnected. Check who hosts their mail servers. Check who hosts their name servers. It's amazing how often you will find a connection between a particular domain or IP address and known bad guys every single time we run an analysis of an advertising campaign. Proximogroup is one in particular that keeps on popping up, as did netmediagroup.com for a while there.
I would also say, do not trust alleged "letters of mandate". Why? Because I have an email from the Chief Technology Officer at skyauction.com, and he has quite a story to tell. Here is a quote from his email - information shared with permission:
"We were contacted by another company today that were duped into hosting one of the fraudulent ads for a couple of days (which have since been taken down). It seems that the source of the ads is a company called NetMediaGroup (http://www.netmediagroup.net). They are claiming to represent us and even provided a fake "letter of mandate" (which I can email you) to one of their targets saying that they represent us. As with our logo, they were pretty sloppy creating this fake "mandate" because there are some obvious errors. In this case, someone with the pseudonym (one can only guess) of "Jim Burch" (jim@netmediagroup.net) contacted the site claiming to represent us and asking to put up ads on the contact's site. The ads go up and deliver the fake malicious Skyauction ads until someone complains and they are finally taken down. NetMediaGroup appears at first glance to be a real company, but they are probably a completely fraudulent one. The domain name is registered to some organization in Germany, but the contact us phone number seems to be in the Netherlands. All of the names on the web site are just generic (i.e. they don't give full names)."
The checks suggested above take only moments, but may save you a lot of grief. You should also conduct a comprehensive web search of any domain that you know is associated with the sale, hosting or distribution of an advertising campaign.