Let's have a look at who is behind malicious Flash advertisements...
Let's look again at incidents reported on this blog over time, this time concentrating on the inter-relationships between them. We will look at just three incidents.
INCIDENT 1: Malicious advertisement source - 4cetera.com
INCIDENT 2: Press Release by Emusic about unauthorised malicious advertisements featuring Emusic - uniqads.com, adtraff.com and forceup.com
INCIDENT 3: Unauthorised malicious advertisements featuring Skyauction including a fake letter of mandate - netmediagroup.net...
A check of the 5 domains using www.robtex.com reveals that they share several identical IP addresses:

| Domain | A | NS | MX |
|---|---|---|---|
| 4cetera.com | 130.177.78.25 | 190.15.73.251, 190.15.73.252 | 190.15.73.221 |
| uniqads.com | 84.243.252.97 | 190.15.73.251, 190.15.73.252 | 190.15.73.221 |
| adtraff.com | 84.243.252.84 | 190.15.73.251, 190.15.73.252 | 190.15.73.221 |
| forceup.com | 84.243.252.88 | 190.15.73.251, 190.15.73.252 | 190.15.73.221 |
| netmediagroup.net | 84.243.252.91 | 190.15.73.251, 190.15.73.252 | 190.15.73.221 |
Going forward I will report not only on the advertising networks hosting malicious content, but will also try to identify, and expose, those who supply the advertising creatives to web sites and ad networks in the first place, so that you can do what you can to avoid them.
Please read my article "Avoiding the bad guys - detecting potentially malicious advertising campaigns". As the examples above show, when you are approached by an advertiser it is critically important that you not only complete standard background checks (credit check, WHOIS, referees, etc.), but that you also check who else is using the same infrastructure, using a service such as www.robtex.com. If you see any mention of Securehost.com, be extremely cautious.
You should also be cautious about any referees provided. For example, an advertiser may provide referees with several different @domain email addresses. But if you dig a little deeper, once again using a service such as www.robtex.com, you may discover that the apparently independent referees are closely related. You may even discover a connection between the advertiser itself and the referees.
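The shared-infrastructure check and the referee check above are both a matter of comparing DNS records across domains. The following is an added example, not code from the original post: it takes the records from the table above as embedded input, groups domains that share name servers, mail servers or an A-record /24, and lists the indicators any two domains (for instance an advertiser and a referee) have in common. The control domain and its records are made up.

```python
import ipaddress
from collections import defaultdict

# The five domains as listed in the post (A, NS, MX), embedded as constructed
# input so the example runs offline instead of querying robtex or DNS.
NS = ["190.15.73.251", "190.15.73.252"]
MX = ["190.15.73.221"]
RECORDS = {
    "4cetera.com": {"A": ["130.177.78.25"], "NS": NS, "MX": MX},
    "uniqads.com": {"A": ["84.243.252.97"], "NS": NS, "MX": MX},
    "adtraff.com": {"A": ["84.243.252.84"], "NS": NS, "MX": MX},
    "forceup.com": {"A": ["84.243.252.88"], "NS": NS, "MX": MX},
    "netmediagroup.net": {"A": ["84.243.252.91"], "NS": NS, "MX": MX},
    # Made-up control domain (documentation address ranges); it should stay separate.
    "example-control.test": {"A": ["203.0.113.10"], "NS": ["198.51.100.53"], "MX": ["198.51.100.25"]},
}

def indicators(rec):
    """Indicators a domain touches: exact NS and MX hosts, plus the /24 of each A record."""
    for ns in rec.get("NS", []):
        yield ("NS", ns)
    for mx in rec.get("MX", []):
        yield ("MX", mx)
    for a in rec.get("A", []):
        yield ("A/24", str(ipaddress.ip_network(f"{a}/24", strict=False)))

def shared_infrastructure(records, min_domains=2):
    """Map each indicator to the domains using it; keep those shared by min_domains or more."""
    users = defaultdict(set)
    for domain, rec in records.items():
        for key in indicators(rec):
            users[key].add(domain)
    return {k: v for k, v in users.items() if len(v) >= min_domains}

def links_between(a, b, records):
    """Indicators two domains share, e.g. an advertiser and one of its referees."""
    return sorted(set(indicators(records[a])) & set(indicators(records[b])))

def cluster_domains(records):
    """Group domains linked directly or transitively by any shared indicator."""
    clusters = [{d} for d in records]
    for domains in shared_infrastructure(records).values():
        merged, rest = set(domains), []
        for c in clusters:
            if c & domains:
                merged |= c
            else:
                rest.append(c)
        clusters = rest + [merged]
    return sorted(sorted(c) for c in clusters)
```

Run against the table's records, all five blog domains fall into one cluster on the shared NS and MX hosts (four of them also share the 84.243.252.0/24 network) while the control domain stays on its own.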
Be careful, everybody, and do your research. I know for a fact that the criminals are still actively selling their malicious advertisements, using domain names that have been featured on this blog over and over and over again.