Interesting information re a QPAD advertisement and a new name, TimeTrack Media
I'm going to try a new format for this blog entry, in the hope that it will make the information easier to read and understand (and take up less space). I'll be interested to hear if you like the idea of placing information in tables, and if you like the idea of a summary at the beginning of each report.
| Field | Detail |
|---|---|
| Victim site | |
| SWF host | |
| SWF Source | TimeTrack Media |
| Target fraudware domain | |
| Banned cities, countries and IPs | |
| SWF URL | |
| Special notes | In this case the malicious advertisement was supplied to the victim site, but did not go live. An analysis of the SWF supplied reveals the same code that we have seen in previous malicious SWF. |
| Incident reported to | Various advertising networks |

I received an interesting email from a party responsible for negotiating and accepting advertising for a particular web site. Having been caught once before by a malicious advertisement, they are now more careful about what they accept, and it seems that their caution has paid off.
This is the email that I received from the person in question:
"After being tricked by proximogroup.com, we received an email from TimeTrack Media overseas. The emails we received were a little weird, so I wanted to investigate a little - lo and behold, what ad had they sent us - QPad! Thanks so much for posting it on your site. I'm not sure if you're familiar with TimeTrack, but it seems like they might be another culprit."
Preliminary investigations do raise some concerns about TimeTrack Media and the SWF that was supplied.
Strike 1:
TimeTrack Media (timetrackmedia.com - IP 66.235.160.203) is registered using ESTDOMAINS, a Registrar with a strong association with various fraudware/malware web sites. So, that is a strike against TimeTrack Media right there.
Strike 2:
The WHOIS information for TimeTrack Media is hidden behind PrivacyProtect.org, another well-known and oft-used tactic of malware/fraudware pushers.
Strike 3:
The only contact provided at the web site is a web form - no names, no email addresses.
Let's have a look at the domain itself:
http://www.robtex.com/dns/timetrackmedia.com.html
DomainCrawler has different information:
http://www.domaincrawler.com/pages/infolookup/timetrackmedia.com
So, let's have a look at TimeTrack Media's IP addresses. As noted above, their IP is 66.235.160.203 (hosted by Cogent Electric Lightwave Inc, reverse clickopt.info), BUT, their nameservers are different:
NS managedns1.estboxes.com 69.50.182.20
NS managedns2.estboxes.com 69.50.183.26
NS managedns3.estboxes.com 69.50.182.22
NS managedns4.estboxes.com 69.50.183.30
Next, we look at the IP ranges:
66.235.160.*
http://www.robtex.com/cnet/66.235.160.html
69.50.182.*
http://www.robtex.com/cnet/69.50.182.html
69.50.183.*
http://www.robtex.com/cnet/69.50.183.html
The analysis of risk for TimeTrack Media is not as cut and dried as, for example, ProximoGroup and its stable of friends. I do see several domain names that raise concerns for me, and a few mentions of known fraudware names that I recognise. Trying to draw a conclusion purely from associated domains would be tenuous at this time. That being said, an analysis of the SWF reveals the same code that we have seen in previous malicious SWF.
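The registrar and WHOIS-privacy "strikes" above, together with the observation that the nameservers sit on a different network from the web host, lend themselves to a repeatable due-diligence check that an ad-ops team can run before accepting a creative. The script below is an added example and is not the author's tooling: it parses a WHOIS record in the common `Key: Value` layout and applies those checks. The WHOIS text and the DNS lookup table are constructed to mirror the facts quoted in this post (ESTDOMAINS, PrivacyProtect.org, the estboxes.com nameservers, the 66.235.160.203 web host); the `SUSPECT_REGISTRARS` and `PRIVACY_SERVICES` lists are assumptions seeded from the post, not authoritative reputation data, and the `resolve` callable stands in for real DNS so the example runs offline. The "no named contact" strike depends on reading the site and is left to the analyst.

```python
"""Vendor due-diligence scorer: registrar reputation, WHOIS privacy proxy,
and nameserver/web-host network mismatch. Constructed example, not the
post author's tooling."""
import ipaddress
import re

# Registrars the analyst treats as a strike (assumption seeded from the post).
SUSPECT_REGISTRARS = {"ESTDOMAINS"}
# WHOIS proxy services that hide the registrant (assumption seeded from the post).
PRIVACY_SERVICES = {"privacyprotect.org"}

# Constructed WHOIS text modelled on the details quoted in the post.
WHOIS_SAMPLE = """\
Domain Name: timetrackmedia.com
Registrar: ESTDOMAINS, INC.
Registrant Name: PrivacyProtect.org
Registrant Email: contact@privacyprotect.org
Name Server: managedns1.estboxes.com
Name Server: managedns2.estboxes.com
Name Server: managedns3.estboxes.com
Name Server: managedns4.estboxes.com
"""

# Constructed lookup table standing in for DNS; values are the ones the post lists.
DNS_SAMPLE = {
    "timetrackmedia.com": "66.235.160.203",
    "managedns1.estboxes.com": "69.50.182.20",
    "managedns2.estboxes.com": "69.50.183.26",
    "managedns3.estboxes.com": "69.50.182.22",
    "managedns4.estboxes.com": "69.50.183.30",
}


def parse_whois(text):
    """Map lower-cased field names to the list of values seen for them."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record


def registrar_strike(record):
    """Strike 1: the registrar appears on the analyst's suspect list."""
    registrar = " ".join(record.get("registrar", [])).upper()
    return any(name in registrar for name in SUSPECT_REGISTRARS)


def privacy_strike(record):
    """Strike 2: registrant fields point at a WHOIS privacy proxy."""
    fields = record.get("registrant name", []) + record.get("registrant email", [])
    blob = " ".join(fields).lower()
    return any(svc in blob for svc in PRIVACY_SERVICES)


def nameservers_elsewhere(record, resolve, prefix=24):
    """Observation: no nameserver shares a /prefix network with the web host.

    `resolve(name)` returns a dotted-quad string or None; unresolvable
    nameservers are skipped rather than treated as a mismatch."""
    domain = record["domain name"][0].lower()
    web_ip = resolve(domain)
    if web_ip is None:
        return False
    web_net = ipaddress.ip_network(f"{web_ip}/{prefix}", strict=False)
    ns_nets = set()
    for ns in record.get("name server", []):
        ip = resolve(ns.lower())
        if ip is not None:
            ns_nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return bool(ns_nets) and web_net not in ns_nets


def score(whois_text, resolve):
    """Return (findings dict, number of WHOIS-derived strikes)."""
    record = parse_whois(whois_text)
    findings = {
        "registrar_strike": registrar_strike(record),
        "privacy_strike": privacy_strike(record),
        "nameservers_elsewhere": nameservers_elsewhere(record, resolve),
    }
    strikes = int(findings["registrar_strike"]) + int(findings["privacy_strike"])
    return findings, strikes


if __name__ == "__main__":
    findings, strikes = score(WHOIS_SAMPLE, DNS_SAMPLE.get)
    for name, hit in findings.items():
        print(f"{name:>22}: {'YES' if hit else 'no'}")
    print(f"WHOIS-derived strikes: {strikes} of 2")
```

The nameserver check is reported separately from the strike count because the post presents it as an observation rather than as one of the three strikes; a vendor legitimately using a managed DNS provider will trigger it too, so it is a prompt for a closer look, not a verdict on its own.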
Ok, so now the question is: how comfortable would *you* feel dealing with TimeTrack Media? Personally, I would not have anything to do with an advertising company registered via ESTDOMAINS, with WHOIS hidden behind privacyprotect.org, and with a minimalistic website with no names, no contact information, and no way to contact the site except via an online form.