ALERT: Please treat content from adservdb.com with extreme caution
Malicious destination URL: security-scan-pc.com
Malicious campaign URL: adservdb.com/ads/?id=d3
The id=d3 URL runs various checks (mostly on the browser version) and then redirects to this URL: adservdb.com/tmp01.asp
The tmp01.asp URL sets a cookie and runs further checks (year, month, date, hours, minutes, milliseconds, browser version); if the PC passes the test, we are redirected to this URL: adservdb.com/tmp02.asp, which performs additional country and time-zone checks (there is also a tmp03.asp)
We also see:
j.maxmind.com/app/geoip.js (reports country code, country name, city, region, region name, latitude, longitude, postal code)
adservdb.com/redirect/redir.asp...<<removed>> <--- it is this URL that redirects to security-scan-pc.com
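As an added defender-side example (not part of the original alert), the following Python sifts constructed proxy log lines for a client whose request sequence passed through the adservdb.com hops described above and ended at security-scan-pc.com; the log format, field layout and the publisher.example referrer are assumptions.

```python
# Added example, not from the original alert: reconstruct a client's request
# sequence from constructed proxy log lines and flag sequences that pass through
# the adservdb.com hops and land on security-scan-pc.com.
from urllib.parse import urlsplit

# Constructed sample log lines (assumed format):
# "<client-ip> <status> <requested-url> <referer-or-'-'>"
SAMPLE_LOG = """\
10.0.0.5 200 http://publisher.example/article -
10.0.0.5 302 http://adservdb.com/ads/?id=d3 http://publisher.example/article
10.0.0.5 302 http://adservdb.com/tmp01.asp http://publisher.example/article
10.0.0.5 302 http://adservdb.com/tmp02.asp http://publisher.example/article
10.0.0.5 200 http://j.maxmind.com/app/geoip.js http://adservdb.com/tmp02.asp
10.0.0.5 302 http://adservdb.com/redirect/redir.asp http://publisher.example/article
10.0.0.5 200 http://security-scan-pc.com/ http://adservdb.com/redirect/redir.asp
10.0.0.9 200 http://publisher.example/other -
"""

CAMPAIGN_HOSTS = {"adservdb.com"}            # intermediate hops named in the alert
MALICIOUS_DESTINATIONS = {"security-scan-pc.com"}  # final landing page in the alert

def parse_log(text):
    """Yield (client_ip, status, host, url) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, status, url, _referer = line.split()
        yield ip, int(status), urlsplit(url).hostname, url

def requests_by_client(text):
    """Group requested URLs per client IP, preserving log order."""
    per_client = {}
    for ip, _status, _host, url in parse_log(text):
        per_client.setdefault(ip, []).append(url)
    return per_client

def find_malvertising_chains(text):
    """Return {client_ip: [urls]} covering the span from the first campaign-host
    request to the last malicious-destination request, for clients that hit both."""
    hits = {}
    for ip, urls in requests_by_client(text).items():
        hosts = [urlsplit(u).hostname for u in urls]
        if not (CAMPAIGN_HOSTS & set(hosts) and MALICIOUS_DESTINATIONS & set(hosts)):
            continue
        first = min(i for i, h in enumerate(hosts) if h in CAMPAIGN_HOSTS)
        last = max(i for i, h in enumerate(hosts) if h in MALICIOUS_DESTINATIONS)
        if first < last:
            hits[ip] = urls[first:last + 1]
    return hits

if __name__ == "__main__":
    for ip, chain in find_malvertising_chains(SAMPLE_LOG).items():
        print(ip, " -> ".join(chain))
```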
adservdb.com - IP: 22.214.171.124
Registrar: Netfirms, Inc.
Created 23 June 2008
WHOIS: Hidden behind Domain Privacy Group
No obvious fraudware connections are found via Reverse IP, shared IP etc.
IP, NS and WHOIS history also unrevealing.
Nothing untoward is revealed by a web search (until I send this article live, that is...).
This is the first time I have not been able to find definitive evidence of past bad behavior, or a connection with known bad actors, when investigating a malvertizing incident. That being said, adservdb.com is definitely the source of the malvertizement that I saw today.