Malicious advertisement source - 4cetera.com

I received new intelligence overnight about a malicious advertising campaign (that has since been shut down).  I was advised that the content for the campaign in question was provided by 4cetera.com.  I haven't received permission yet to link the incident with a particular website, so will simply tell you that it happened.

So, who are 4cetera.com?  Well, I'm sure you won't be surprised by the ties that I am about to highlight.

4cetera.com's IP address, at time of writing, is 130.117.78.25 (Cogent).

Its WHOIS record reveals that the registrar is YESNIC CO LTD.

First of all, 4cetera.com, at time of writing, shares an IP address with none other than the now infamous proximogroup, a name that I am sure you all recognise.

But that is only the start of it.  It's when we start digging deeper that things start getting really interesting:
http://www.robtex.com/dns/4cetera.com.html

What I have done here is simply pull names that I personally recognise as having sold, or been involved in facilitating the distribution of, malicious advertising creatives and campaigns, and the fraudware domains themselves.  I *know* that my regular readers are going to recognise these names as well.

Hostnames sharing ip with a-records

proximogroup.com, adtraff.com, bucksbill.com, burnads.com, forceup.com, freetvnow.com, getfreecar.com, greyhathosting.com, netmediagroup.net, netturbopro.com, newbieadguide.com, performanceoptimizer.com, popupnukerpro.com, prizesforyou.com, traffalo.com, uniqads.com, windefender.com, workhomecentre.com, zappinads.com

Domains sharing mailservers

adtraff.com, bucksbill.com, burnads.com, forceup.com, freetvnow.com, getfreecar.com, greyhathosting.com, netmediagroup.net, netturbopro.com, newbieadguide.com, performanceoptimizer.com, popupnukerpro.com, prizesforyou.com, traffalo.com, uniqads.com, windefender.com, workhomecentre.com, zappinads.com

Domains sharing nameservers

adtraff.com, bucksbill.com, burnads.com, forceup.com, freetvnow.com, getfreecar.com, greyhathosting.com, netmediagroup.net, netturbopro.com, newbieadguide.com, performanceoptimizer.com, popupnukerpro.com, prizesforyou.com, traffalo.com, uniqads.com, windefender.com, workhomecentre.com, zappinads.com

So we see, once again, that if we do a bit of digging some familiar names appear.
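The pivot above (seed domain, then every domain sharing its A record, its mail servers or its nameservers) is easy to reproduce yourself once you have a snapshot of DNS records. The script below is an added example, not part of the original post and not robtex's code: it works offline on a constructed snapshot in which the domain names and the IP 130.117.78.25 come from the post, while the MX/NS hostnames and the `.invalid` domains are placeholders I made up. It ranks related domains by how many record types they share with the seed and reports the fan-out of each shared value, because a value carried by hundreds of domains (a shared-hosting IP, a big registrar's nameservers) is a much weaker link than one carried by a handful.

```python
"""Pivot on shared A / MX / NS records to find domains related to a seed.

Added example (not from the original post). Runs offline on a constructed
snapshot; in practice the records would come from passive DNS or lookups.
"""
from collections import defaultdict

# Constructed snapshot shaped like the robtex output quoted in the post.
# Domain names and 130.117.78.25 are from the post; MX/NS hostnames and
# the *.invalid domains are placeholders, not real infrastructure.
SAMPLE_RECORDS = {
    "4cetera.com": {
        "A": {"130.117.78.25"},
        "MX": {"mx.example-hoster.invalid"},
        "NS": {"ns1.example-hoster.invalid"},
    },
    # Shares only the IP with the seed, as the post's listing shows.
    "proximogroup.com": {
        "A": {"130.117.78.25"},
        "MX": {"mx.other.invalid"},
        "NS": {"ns.other.invalid"},
    },
    "adtraff.com": {
        "A": {"130.117.78.25"},
        "MX": {"mx.example-hoster.invalid"},
        "NS": {"ns1.example-hoster.invalid"},
    },
    "windefender.com": {
        "A": {"130.117.78.25"},
        "MX": {"mx.example-hoster.invalid"},
        "NS": {"ns1.example-hoster.invalid"},
    },
    # Constructed bystanders: one unrelated, one merely co-hosted.
    "unrelated-shop.invalid": {
        "A": {"198.51.100.7"},
        "MX": {"mx.unrelated.invalid"},
        "NS": {"ns.unrelated.invalid"},
    },
    "shared-host-only.invalid": {
        "A": {"130.117.78.25"},
        "MX": {"mx.unrelated.invalid"},
        "NS": {"ns.unrelated.invalid"},
    },
}

RECORD_TYPES = ("A", "MX", "NS")


def build_indexes(records):
    """Reverse index: record type -> value -> set of domains carrying it."""
    idx = {rtype: defaultdict(set) for rtype in RECORD_TYPES}
    for domain, rrs in records.items():
        for rtype, values in rrs.items():
            for value in values:
                idx[rtype][value].add(domain)
    return idx


def pivot(seed, records):
    """Return {domain: {rtype: shared_values}} for every other domain that
    shares at least one A, MX or NS value with the seed."""
    idx = build_indexes(records)
    related = defaultdict(dict)
    for rtype, values in records[seed].items():
        for value in values:
            for other in idx[rtype][value] - {seed}:
                related[other].setdefault(rtype, set()).add(value)
    return dict(related)


def rank(seed, records):
    """Related domains sorted by number of record types shared, then name."""
    related = pivot(seed, records)
    return sorted(related.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def value_fanout(records):
    """{(rtype, value): number of domains carrying it}; high fan-out values
    (shared hosting IPs, registrar nameservers) are weak pivots."""
    idx = build_indexes(records)
    return {(rtype, value): len(domains)
            for rtype, by_value in idx.items()
            for value, domains in by_value.items()}


if __name__ == "__main__":
    fanout = value_fanout(SAMPLE_RECORDS)
    for domain, shared in rank("4cetera.com", SAMPLE_RECORDS):
        detail = ", ".join(
            f"{rtype}={value} (fan-out {fanout[(rtype, value)]})"
            for rtype in RECORD_TYPES for value in sorted(shared.get(rtype, ()))
        )
        print(f"{domain:28s} shares {len(shared)} record type(s): {detail}")
```

On the constructed snapshot, adtraff.com and windefender.com come out on top (all three record types shared), while proximogroup.com and the co-hosted bystander share only the IP. That last row is the caveat the post's own listing illustrates: an IP match alone says "same hosting", and only the overlap across several record types, each with modest fan-out, starts to look like shared ownership.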

My next task will be to take another look at TimeTrack Media who I mentioned on my blog the other day.


Published Tue, Jan 22 2008 7:40 by sandi

Comments

# re: Malicious advertisement source - 4cetera.com

Tuesday, January 22, 2008 1:01 PM by K

I want to comment on this because I was tricked by 4cetera.com as well. They approached us very professionally. We setup the ad campaign really quickly. After a while, I began receiving emails that people were getting some spyware. I didn't know what it was at first until I did a search on 4cetera.com and found this post.

# re: Malicious advertisement source - 4cetera.com

Tuesday, January 29, 2008 3:24 PM by Sjarel

Great to see someone confirming my suspicions : soccerproject.wordpress.com/.../trojansoccerproject

# re: Malicious advertisement source - 4cetera.com

Saturday, February 16, 2008 9:18 AM by Joel Teo

This sucks, affiliate marketers being scammed to promote spyware related programs...

I wonder what next is in store for us.

# re: Malicious advertisement source - 4cetera.com

Wednesday, September 24, 2008 7:14 AM by WGilbert

I would appreciate it if you would stop NOW breaking into my computer and advertising WINDEFENDER.  If I wanted to take this out I can read your stuff and I would buy it BUT I don't want it.  Once I can understand but to keep on and on.  I don't want your stuff so please quit sending it to me.  It is annoying and I would like it if you stopped now.  I do know how to contact you if I change my mind, but please stop ASAP.  Thank You.

# re: Malicious advertisement source - 4cetera.com

Wednesday, September 24, 2008 10:25 PM by sandi

@WGilbert,

You do realise that this web site (Spyware Sucks) has got nothing to do with the distribution of WinDefender, yes?  You're complaining to/asking the wrong person.

Sandi