Spot the similarities
What I am trying to do is show my readers not only where malvertizements come from, what they look like, what they do and how they work, but also reveal the ties that bind the various domains associated with facilitating malvertizing. You would be surprised how often the same names, the same registrars, the same IP addresses (or IP ranges) are used, and even how often the same wording is repeated on pages at different web sites. The bad guys have always been, to put it bluntly, lazy ... and they were lazy because we let them get away with it.
Below is an example of duplicate content on just two web sites whose domains have been associated with facilitating the distribution of malware via malvertizement. Don't get me wrong - the people behind sites such as this one are not quite as lazy as they used to be, and their grasp of the English language has certainly improved...
| zappinads.com | adtraff.com |
| --- | --- |
| ICANN Registrar: YESNIC CO. LTD | ICANN Registrar: TUCOWS INC |
| Created: 29 March 2007 | Created: 13 April 2007 |
| NS1.ZAPPINADS.COM (has 1 domains) | NS1.ADTRAFF.COM (has 1 domains) |
| IP: 18.104.22.168 - Canada - Iweb Dedicated Cl | IP: 22.214.171.124 - Netherlands - Gfx-cust-worldstream |
| Registrant details: Zappinads Inc (email@example.com) | Registrant details: Adtraff Inc, firstname.lastname@example.org |
| bestadmedia.com, elanads.com, favouriteshop.com, infyte.com, keywordcpv.com, zappinads.com | Note: A check of the IP range reveals Onlinepromostats.com at IP 126.96.36.199 - that domain was implicated in a malvertizement at photobucket.com |
| Note: "Sunwell Corporation" appears elsewhere on the site, quoted as a "client" of Zappinads. Perhaps coincidentally, there is a Sunwell Corporation website at sunwellcorp.com that was registered via Yesnic (just like Zappinads). | |

Cite: malvertizing at photobucket.
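As an added illustration of the pivoting described above (my own example, not code from the original post), the following Python links domain profiles through shared name servers, registrants, IP /24 ranges and near-duplicate page text, while treating a shared registrar alone as too weak to link on. The records, the .example names, the RFC 5737 addresses and the page text are constructed stand-ins, not data from the post.

```python
from ipaddress import ip_interface
from itertools import combinations
# Constructed stand-ins (.example names, RFC 5737 IPs, made-up registrants/text), not real data.
RECORDS = [
    {"domain": "zappinads.example", "registrar": "yesnic", "ns": "ns1.zappinads.example", "ip": "192.0.2.10",
     "registrant": "Zappinads Inc", "text": "We deliver targeted traffic to your campaign at the best CPV rates"},
    {"domain": "adtraff.example", "registrar": "tucows", "ns": "ns1.adtraff.example", "ip": "198.51.100.20",
     "registrant": "Adtraff Inc", "text": "We deliver targeted traffic to your campaign at the best CPV rates"},
    {"domain": "onlinepromostats.example", "registrar": "tucows", "ns": "ns1.promo.example", "ip": "198.51.100.77",
     "registrant": "Promo Stats Ltd", "text": "Statistics for all of your promotions"},
    {"domain": "gardening.example", "registrar": "tucows", "ns": "ns1.gardening.example", "ip": "203.0.113.9",
     "registrant": "Someone Else", "text": "A blog about gardening soil and compost"},
]
WEAK = {"registrar"}  # too common to link on alone: reported, never clustered on

def shingles(text, n=4):  # word n-grams, so copied boilerplate still matches after small edits
    words = text.lower().split()
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def indicators(rec):
    """Pivot keys one record exposes; the IP is bucketed to its /24 range."""
    net = ip_interface(rec["ip"] + "/24").network
    return {("ns", rec["ns"].lower()), ("registrant", rec["registrant"].lower()),
            ("ip24", str(net)), ("registrar", rec["registrar"].lower())}

def shared_links(records, text_threshold=0.5):
    """{(a, b): [shared indicator kinds]} for every pair tied by a strong key
    or by near-duplicate page text (Jaccard similarity of word shingles)."""
    links = {}
    for a, b in combinations(records, 2):
        kinds = sorted(k for k, _ in indicators(a) & indicators(b))
        sa, sb = shingles(a["text"]), shingles(b["text"])
        if sa | sb and len(sa & sb) / len(sa | sb) >= text_threshold:
            kinds.append("text")
        if any(k not in WEAK for k in kinds):
            links[(a["domain"], b["domain"])] = kinds
    return links

def clusters(records, text_threshold=0.5):
    """Group domains transitively through shared_links (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in shared_links(records, text_threshold):
        parent[find(a)] = find(b)
    groups = {}
    for d in parent:
        groups.setdefault(find(d), set()).add(d)
    return sorted(sorted(g) for g in groups.values())
```

On the sample, the two ad domains are tied by identical page text, the third joins through the shared /24, and the gardening site that only shares a registrar stays on its own.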