ALERT: Treat all content from Servedad with extreme caution

I have said it before, but I'll say it again - PLEASE TREAT ALL CONTENT FROM SERVEDAD WITH EXTREME CAUTION!!

They look innocent enough *today* if you check their WHOIS. The ICANN Registrar is listed as Regtime, the domain was created in June 2007, the Registrant is a "Tom Reber" (tomasreber@yahoo.com) and the name is not associated with any other domains, but I can tell you without a doubt that Servedad are bad.

Putting aside the fact that they have been caught doing bad things before, more than once, it becomes obvious that they should be treated with caution when we look at the history of the domain.  Back in May of this year, these were the WHOIS details:

ICANN Registrar: Estdomains
Name servers: managedns4.estboxes.com (and managedns3, managedns2 and managedns1)

In May, other WHOIS details were hidden behind privacyprotect, but then the domain lost its protection and a "Javier Vega" (softjoda@yahoo.com) was exposed (yes, the name and email address are familiar).

Then, in about September of this year, servedad.net moved their nameservers away from estboxes to ns2.3fn.net and dns164.3fn.net.

Then, in November, the ICANN Registrar became Regtime, and the listed Registrant became Tom Reber (tomasreber@yahoo.com).

Don't be fooled by the changes. Servedad are bad. They have been caught distributing malvertizements several times in the past and it seems they are still doing so. I am seeing samples of just one of their malvertizements coming in from all over the place - you can see a screenshot to the left. It is one of their newer malvertizements, created using Fuse and using encrypted "dynamic text" to try and hide the malicious code:


Regular readers of this blog know that the bad guys are doing what they can to hide who and what they are. Just look at the changes "Serg Moon" is making to hide domains associated with the pseudonym: creating a new pseudonym and hiding WHOIS information behind a privacy protection service. Looking only at the current WHOIS of a domain is not enough when completing due diligence; you need to look at the historical data as well.

But, let's be honest, a simple web search would have made it obvious that there is a problem, even if you don't have access to historical information about a domain - note that I warned about that agency back in August!  I admit to feeling some concern because I am seeing an upswing in the number of large websites being hit by malvertizing.  I don't think it is complacency, because some of the malvertizements are very difficult, if not impossible, to detect using publicly available tools, but I do think that perhaps some have started to depend too much on detection tools; they also may not have realized that the bad guys are trying to counter the more comprehensive background checks that are happening by manipulating WHOIS data and changing hosts and Registrars.  But still, just how much negative press does a rogue ad network need to have before people notice??

BTW, Gemini Interactive, which has been mentioned in association with servedad.net, where are they nowadays?  Let's see...

Previously: 

ICANN Registrar: Estdomains
Name servers: managedns4.estboxes.com (and managedns3, managedns2 and managedns1)
WHOIS: Hidden behind privacyprotect

Then privacyprotect was removed, revealing (yes, you guessed it) Javier Vega (softjoda@yahoo.com)

Now:

ICANN Registrar: Regtime Limited
Name servers: ns1.geminiinteractive.net and ns2.geminiinteractive.net
WHOIS: Andrew Brodour (andygrodo@gmail.com)

Are we noticing a pattern here? 
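The due-diligence advice in this post comes down to two checks: compare a domain's historical WHOIS records rather than only the current one, and look for registrant identities or infrastructure that recur across domains. As an added example that is not part of the original post, the Python below does both over a set of WHOIS snapshots: it reports registrar, nameserver and registrant changes between consecutive records, flags the moment a privacy shield is dropped, and lists any email address or nameserver provider shared by more than one domain. The snapshot data is constructed from the narrative above; the year, the geminiinteractive.net domain name, the registrar in the September record and the privacy-service names in PRIVACY_MARKERS are assumptions.

```python
"""Historical WHOIS review: registrar/nameserver/registrant churn and
identities shared across domains. Added example; the snapshot data is
constructed from the blog post's narrative, not from a live WHOIS source."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: substrings that identify a WHOIS privacy service in the registrant field.
PRIVACY_MARKERS = ("privacyprotect", "whoisguard", "privacy")


@dataclass(frozen=True)
class WhoisSnapshot:
    when: str                       # free-text label; list order carries the chronology
    registrar: str
    nameservers: Tuple[str, ...]
    registrant: str                 # person/company name, or the privacy service when shielded
    email: Optional[str] = None


def is_shielded(snap: WhoisSnapshot) -> bool:
    return any(m in snap.registrant.lower() for m in PRIVACY_MARKERS)


def ns_provider(host: str) -> str:
    """Collapse a nameserver hostname to its last two labels (managedns4.estboxes.com -> estboxes.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def providers(snap: WhoisSnapshot) -> List[str]:
    return sorted({ns_provider(h) for h in snap.nameservers})


def norm_registrar(name: str) -> str:
    """Assumption: drop corporate suffixes so 'Regtime' and 'Regtime Limited' compare equal."""
    return " ".join(w for w in name.lower().replace(",", "").split()
                    if w not in ("limited", "ltd", "inc", "llc"))


def history_changes(history: List[WhoisSnapshot]) -> List[Tuple[str, str, object, object]]:
    """Return (when, what, old, new) for every change between consecutive snapshots."""
    changes = []
    for prev, cur in zip(history, history[1:]):
        if norm_registrar(prev.registrar) != norm_registrar(cur.registrar):
            changes.append((cur.when, "registrar", prev.registrar, cur.registrar))
        if providers(prev) != providers(cur):
            changes.append((cur.when, "nameservers", providers(prev), providers(cur)))
        if is_shielded(prev) and not is_shielded(cur):
            # The shield coming off exposes a registrant; record it as its own event.
            changes.append((cur.when, "privacy_removed", prev.registrant, cur.registrant))
        elif cur.registrant != prev.registrant:
            changes.append((cur.when, "registrant", prev.registrant, cur.registrant))
    return changes


def shared_attributes(histories: dict) -> dict:
    """Map (kind, value) -> set of domains that used that email or nameserver provider at any time."""
    seen = defaultdict(set)
    for domain, history in histories.items():
        for snap in history:
            if snap.email:
                seen[("email", snap.email.lower())].add(domain)
            for p in providers(snap):
                seen[("ns", p)].add(domain)
    return {k: v for k, v in seen.items() if len(v) > 1}


def review(histories: dict) -> dict:
    """Per-domain, human-readable findings for a due-diligence reviewer."""
    return {domain: [f"{when}: {what} {old} -> {new}" for when, what, old, new in history_changes(h)]
            for domain, h in histories.items()}


# Constructed snapshots following the post. The year is not stated, so the
# labels are month names; the September registrar is assumed unchanged.
ESTBOXES = tuple(f"managedns{i}.estboxes.com" for i in (1, 2, 3, 4))
HISTORIES = {
    "servedad.net": [
        WhoisSnapshot("May", "Estdomains", ESTBOXES, "privacyprotect"),
        WhoisSnapshot("after May", "Estdomains", ESTBOXES, "Javier Vega", "softjoda@yahoo.com"),
        WhoisSnapshot("September", "Estdomains", ("ns2.3fn.net", "dns164.3fn.net"),
                      "Javier Vega", "softjoda@yahoo.com"),
        WhoisSnapshot("November", "Regtime", ("ns2.3fn.net", "dns164.3fn.net"),
                      "Tom Reber", "tomasreber@yahoo.com"),
    ],
    # Domain name assumed from the nameservers the post lists for Gemini Interactive.
    "geminiinteractive.net": [
        WhoisSnapshot("previously", "Estdomains", ESTBOXES, "privacyprotect"),
        WhoisSnapshot("then", "Estdomains", ESTBOXES, "Javier Vega", "softjoda@yahoo.com"),
        WhoisSnapshot("now", "Regtime Limited",
                      ("ns1.geminiinteractive.net", "ns2.geminiinteractive.net"),
                      "Andrew Brodour", "andygrodo@gmail.com"),
    ],
}

if __name__ == "__main__":
    for domain, findings in review(HISTORIES).items():
        print(domain)
        for line in findings:
            print("  ", line)
    for (kind, value), domains in shared_attributes(HISTORIES).items():
        print(f"shared {kind} {value}: {sorted(domains)}")
```

Run against the constructed data, the report shows the same pattern the post describes: both domains drop their privacy shield to reveal the same softjoda@yahoo.com registrant, both move off Estdomains/estboxes.com to Regtime, and only then do they acquire fresh names. A current-only WHOIS lookup would have seen none of that, which is the point; feed the script real historical records (from your own archive or a WHOIS-history provider) and the shared-attribute map is what ties a "clean" new registrant back to the old one.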
