Further information regarding the byronadvertising.eu incident

As I warned yesterday, byronadvertising.eu and 3gigabytes.com have been caught facilitating browser hijackings and the distribution of fraudware.  The malicious activity was discovered after Vomba accepted advertising from Byron Advertising (byronadvertising.eu) for display via Vomba's AdVantage application (AdVantage is an application that has been certified by the TRUSTe TDP Program).  We know of two different advertisements - one targeting Australia and New Zealand, and the other targeting the United Kingdom.

The advertisement displayed by AdVantage redirected viewers to “ad.byronadvertising.eu/drive/click.php?id=443”.  Then, if the viewer's computer was in the targeted region, byronadvertising.eu redirected the user to “3gigabytes.com/soft.php?aid=000425&d=3&product=XPA”.  3gigabytes.com then pushed the user to a fraudware page that used various dialogue boxes and warnings to try and trick the user into downloading and installing the fraudware (screenshots at end of article).  If the user was not in a targeted region, he or she was redirected to a legitimate commercial web site.
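The geo-dependent behaviour described above is what makes this kind of campaign hard to reproduce from an analyst's desk: the same click lands on fraudware from one region and on a legitimate site from another. The following Python is an added example, not code from the original post: it follows a redirect chain hop by hop without executing any page content, resolves it from several vantage regions and flags the chain as cloaked when the final destinations differ. The network is replaced by a constructed table modelling the chain on this page; the fraudware landing page and the legitimate fallback site are placeholders.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for live fetches, modelling the chain described above.
# Key: (url, vantage region, or None for "any region"); value: (status, Location header).
# The fraudware landing page and the legitimate fallback site are placeholders.
START = "http://ad.byronadvertising.eu/drive/click.php?id=443"
HOP2 = "http://3gigabytes.com/soft.php?aid=000425&d=3&product=XPA"
CONSTRUCTED_HOPS = {
    (START, "AU"): (302, HOP2),
    (START, "NZ"): (302, HOP2),
    (START, "GB"): (302, HOP2),
    (START, None): (302, "http://legitimate-site.example/"),   # placeholder
    (HOP2, None): (302, "http://fraudware-landing.example/"),  # placeholder
}

def constructed_fetch(url, region):
    """Return (status, location) as a HEAD request from `region` would, without touching the network."""
    return CONSTRUCTED_HOPS.get((url, region)) or CONSTRUCTED_HOPS.get((url, None)) or (200, None)

def follow_chain(url, region, fetch, max_hops=10):
    """Follow Location headers hop by hop (no scripts executed) and return the URLs visited."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url, region)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)          # Location may be relative
        chain.append(url)
        if url in seen:                       # redirect loop: stop rather than spin
            break
        seen.add(url)
    return chain

def detect_cloaking(start, regions, fetch):
    """Resolve the chain from several vantage regions; different final URLs mean geo-cloaking."""
    chains = {r: follow_chain(start, r, fetch) for r in regions}
    finals = {c[-1] for c in chains.values()}
    return {"cloaked": len(finals) > 1, "finals": sorted(finals), "chains": chains}

if __name__ == "__main__":
    result = detect_cloaking(START, ["AU", "NZ", "GB", "US"], constructed_fetch)
    for region, chain in result["chains"].items():
        print(region, " -> ".join(chain))
    print("geo-cloaking suspected:", result["cloaked"])
```

Against a live chain, `constructed_fetch` would be swapped for a HEAD request issued through exit points in each region, with automatic redirect following disabled so every hop is recorded.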

The end result of this incident is that AdVantage has been suspended by the TDP Program and removed from the Trusted Downloads Whitelist of Certified Applications.


This is not the first time that Byron Advertising (EU) have been caught doing the wrong thing.  Kimberley blogged about an incident implicating Byron Advertising back on 23 July 2008.

The incident Kimberley refers to is a malvertizement that appeared on uploadjockey.com.  On that occasion, uploadjockey.com was using Clicksor for advertising content.  Clicksor in turn were using byronadvertising.eu.  Interestingly, Clicksor were also involved in yet another incident, this time click fraud involving a TRUSTe TDP certified application, that led to Miva terminating their relationship with Clicksor - details here.

BTW, a word of warning - don't be too quick to assume that there is a connection between byronadvertising.eu and byronadvertising.com (or byronadvertising.co.uk or their parent Integrated Marketing).  Although the .eu, .com and .co.uk web sites are visually identical, byronadvertising.eu is nothing more than a copy of byronadvertising.com.

You'll notice in the page source in the screenshots below that the byronadvertising.eu page source has "tppabs" tags.  tppabs tags are inserted into the source code of a web page by Teleport Webspiders (in this case, Teleport Pro) when it is used to download a web site for offline viewing.  It is very interesting that such tags are appearing in the source code of a page when viewed online using Internet Explorer and Firefox (let's be honest, whoever it was that downloaded an offline copy of the byronadvertising.com site, and then left the tppabs tags there when they uploaded the pages to a new destination, was very amateurish and lazy).
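The tppabs tags are useful to a defender precisely because they record where each link pointed before the site was copied: a page served from one host whose tppabs attributes all point at another host is a strong sign of a re-uploaded offline copy. The following Python is an added example, not code from the original post: it parses a page, collects every tppabs attribute, and reports the host the copy was taken from. The sample HTML is constructed to resemble what the screenshots describe and is not the real page source.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

class TppabsScanner(HTMLParser):
    """Collect every tppabs="..." attribute; Teleport Pro writes the original absolute URL there."""
    def __init__(self):
        super().__init__()
        self.origins = []          # list of (tag, original_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "tppabs" and value:
                self.origins.append((tag, value))

def scan_for_mirror(html):
    """Return (Counter of origin hosts, list of (tag, original_url)) found in the page."""
    parser = TppabsScanner()
    parser.feed(html)
    parser.close()
    hosts = Counter()
    for _, url in parser.origins:
        host = urlsplit(url).hostname
        if host:
            hosts[host] += 1
    return hosts, parser.origins

def mirror_verdict(html, served_host):
    """Flag a page whose tppabs links point at a host other than the one serving it."""
    hosts, _ = scan_for_mirror(html)
    if not hosts:
        return {"mirrored": False, "origin": None, "count": 0}
    origin, count = hosts.most_common(1)[0]
    return {"mirrored": origin != served_host.lower(), "origin": origin, "count": count}

# Constructed sample resembling what the screenshots describe (not the real page source).
SAMPLE_HTML = """<html><body>
<a href="about.htm" tppabs="http://www.byronadvertising.com/about.htm">About us</a>
<img src="images/logo.gif" tppabs="http://www.byronadvertising.com/images/logo.gif">
<a href="contact.htm" tppabs="http://www.byronadvertising.com/contact.htm">Contact</a>
<a href="http://partner.example/">partner link without tppabs</a>
</body></html>"""

if __name__ == "__main__":
    print(mirror_verdict(SAMPLE_HTML, "www.byronadvertising.eu"))
```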

Also, note the domains that are/have shared byronadvertising.eu’s IP address – another indication that something may be askew:

byronadvertising.eu (hosted at 88.214.204.40 since registration)
prn8.com (currently no A record but hosted on 88.214.204.40 from 20 February 2008 to 15 June 2008)
showitbaby.com (hosted on 88.214.204.40 from 14 February 2008 to 6 April 2008)
teen-sex-free.com (88.214.204.40)

[Screenshots omitted: the fraudware dialogue boxes and the byronadvertising.eu page source showing the tppabs tags. Note that there is no cancel button on the final dialogue.]

Comments

# re: Further information regarding the byronadvertising.eu incident

Thursday, August 14, 2008 3:23 PM by Michael

I got this same malvertizement on Hotmail yesterday. I had to shut down IE via the control panel to prevent installation.

# re: Further information regarding the byronadvertising.eu incident

Friday, August 15, 2008 7:19 PM by john.jones.name

I have to say I respect the amount of digging that you did. What worries me slightly is that it took an ex-employee to actually do the alerting. What about mere mortals? How should we go about actually getting something done about these kinds of things?

e.g. a legit company that will not honour unsubscribe requests, such as 1800flowers.com?

regards

John Jones

http://www.johnjones.me.uk

# re: Further information regarding the byronadvertising.eu incident

Saturday, August 16, 2008 6:26 AM by redwolfe_98

I wish that you, or you working with some others, would try to get some of the links that are being used for "antivirus 2009", so that they can be added to a HOSTS file. It seems like a lot of people, relatively speaking, are getting hit by "antivirus 2009", somehow. I read a post in the comodo forum where someone got infected with "antivirus 2009". They managed to remove it, but they said that in the next 24 hours they were hit by it 3 more times, except in those latter cases it was not successfully installed. I asked them where it was that they were running into "antivirus 2009", but they said they were just surfing the internet, and that it was NOT from "myspace". I had asked them if they were seeing "antivirus 2009" at "myspace", but they said no, that they don't go to "myspace". It is kind of surprising that there is not more information about the domains that are being used to infect people's computers with "antivirus 2009", considering that it seems to be pretty pervasive.