ALERT: Please treat content from adservdb.com with extreme caution
Malicious destination URL: security-scan-pc.com
Malicious campaign URL: adservdb.com/ads/?id=d3
The id=d3 URL completes various checks (browser version mostly) and then redirects to this URL: adservdb.com/tmp01.asp
The tmp01.asp URL sets a cookie, and completes various checks (Year, Month, Date, Hours, Minutes, Milliseconds, browser version) and, if the PC passes the test, we are redirected to this URL: adservdb.com/tmp02.asp (more country and time zone checks) (there is also a tmp03.asp)
We also see:
j.maxmind.com/app/geoip.js (reports country code, country name, city, region, region name, latitude, longitude, postal code)
j.maxmind.com/app/geoip_city (ditto)
adservdb.com/stats.asp?...<<removed>>
adservdb.com/tmp03.asp?...<<removed>>
adservdb.com/redirect/redir.asp...<<removed>> <--- it is this URL that redirects to security-scan-pc.com
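As an added example (not part of the original post), a small Python triage script that reconstructs the chain described above from proxy logs. The log lines, client addresses and the publisher referrer are constructed sample data; the stage paths and hostnames are the ones reported in the post. A client only counts as "redirected" when the hop to security-scan-pc.com was referred by adservdb.com, so a visitor that failed the tmp01.asp checks shows up as a partial chain.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: client IP, requested URL, referrer.
SAMPLE_LOG = """\
10.0.0.5 http://adservdb.com/ads/?id=d3 http://example-publisher.test/news
10.0.0.5 http://adservdb.com/tmp01.asp http://adservdb.com/ads/?id=d3
10.0.0.5 http://j.maxmind.com/app/geoip.js http://adservdb.com/tmp01.asp
10.0.0.5 http://adservdb.com/tmp02.asp http://adservdb.com/tmp01.asp
10.0.0.5 http://adservdb.com/redirect/redir.asp http://adservdb.com/tmp02.asp
10.0.0.5 http://security-scan-pc.com/ http://adservdb.com/redirect/redir.asp
10.0.0.9 http://adservdb.com/ads/?id=d3 http://example-publisher.test/news
10.0.0.9 http://adservdb.com/tmp01.asp http://adservdb.com/ads/?id=d3
"""

CAMPAIGN_HOST = "adservdb.com"
PAYLOAD_HOST = "security-scan-pc.com"
# Stepping stones named in the post, in the order the chain visits them.
STAGES = ("/ads/", "/tmp01.asp", "/tmp02.asp", "/redirect/redir.asp")

def host_and_path(url):
    """Split a URL into (lowercased host, path without query); ('', '') if unparsable."""
    m = re.match(r"https?://([^/]+)(/[^?#]*)?", url)
    return (m.group(1).lower(), m.group(2) or "/") if m else ("", "")

def parse_log(text):
    """Group requests by client; each entry is (host, path, referrer_host)."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        client, url, ref = line.split()
        host, path = host_and_path(url)
        per_client[client].append((host, path, host_and_path(ref)[0]))
    return per_client

def classify(requests):
    """Return (campaign stages reached in order, whether the client reached the payload host)."""
    reached = []
    for host, path, ref_host in requests:
        if host == CAMPAIGN_HOST:
            for stage in STAGES:
                if path.startswith(stage) and stage not in reached:
                    reached.append(stage)
        # Count the payload host only when the campaign's redirector referred the client there.
        elif host == PAYLOAD_HOST and ref_host == CAMPAIGN_HOST:
            return reached, True
    return reached, False

def find_victims(text):
    """Map client -> (stages reached, redirected?) for every client that touched the campaign."""
    results = {}
    for client, reqs in parse_log(text).items():
        stages, redirected = classify(reqs)
        if stages:
            results[client] = (stages, redirected)
    return results
```

Running find_victims(SAMPLE_LOG) flags 10.0.0.5 as having completed the full chain and 10.0.0.9 as having stopped after tmp01.asp, which is the pattern to expect when the page's browser, time and geolocation checks gate the final redirect.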
----------------------------------------------
adservdb.com - IP: 74.217.128.234
Registrar: Netfirms, Inc
Created 23 June 2008
WHOIS: Hidden behind Domain Privacy Group
No obvious fraudware connections are found via reverse IP, shared IP, etc.
IP, NS and WHOIS history also unrevealing.
Nothing untoward is revealed by a web search (until I send this article live, that is...).
At time of writing, www.adservdb.com, which you would assume is the most logical "home page" for adservdb.com, contained little more than Google Analytics JavaScript.
This is the first time I have not been able to find definitive evidence of past bad behavior, or a connection with known bad actors, when investigating a malvertizing incident. That being said, adservdb.com is definitely the source of the malvertizement that I saw today.
