ALERT: Please treat any content from these domains with suspicion, and be very careful about any credit reference you receive that refers to:
yourdirectmedia.com, atlantmedia, traffichunters, olympicmedia.net ads2revenue, adsrepublic, truemedian.com, readadsolutions.com, adsmanagement.com
ALERT: Watch out for the impersonation of legitimate businesses in credit reference checks. Details below.
-----
It is fascinating to watch the way that the people behind malvertizing do business. It wasn't that long ago that they were inherently lazy, using the same Registrars over and over, hosting myriad malicious web sites at the same IP address, using the same name servers for multiple domains, using different combinations of the same names and email addresses over and over for WHOIS purposes, using the same templates for their fake 'advertising network' websites... redundancy was a foreign concept to them.
Even the credit references that they supplied were easy to spot as dodgy if you knew what to look for. There was often an obvious association between different domains used by referees if we bothered to take even a cursory look at the Registrant and hosting details.
That being said, the bad guys have been changing their modus operandi with regards to trade references and it is getting harder to spot problems. Let's have a look at some recent examples that have crossed my desk.
YOURDIRECTMEDIA.COM SHENANIGANS:
Yourdirectmedia.com have been caught supplying AtlantMedia as a credit referee – a referee that is easy to discredit - atlantmedia is a known bad actor.
Cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656329.aspx
atlantmedia.net used to have IP address 89.149.235.24 - Lithuania Kaunas Netdirect-uab-retrogarsas (web site currently not resolving).
A connection has been discovered between atlantmedia.net and olympicmedia.net (also offline) – its last IP was 212.95.53.164 and it used to be at IP 216.195.54.212 (atlantmedia.net used to have the IP 216.195.57.40)
Let's not forget that a connection has been drawn between traffichunters, olympicmedia and the now infamous Innovative Marketing, thanks to an email slip-up.
Cite: http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx
IMPERSONATION OF LEGITIMATE COMPANIES
When I first saw the name Tribalfusion listed as a referee for yourdirectmedia, my immediate reaction was "what the hell is tribalfusion doing being a referee for these guys?" A bit of digging revealed the truth.
The referee given was "Tribalfusion, Mike Carter, 215 789 9793". But, it just so happens that that phone number belongs to "ads2revenue", not "tribalfusion" - we know this because the number used to be on the ads2revenue web site (although the phone number has since been removed from the ads2revenue site).
ads2revenue
ICANN REGISTRAR: ENOM, INC
Date created: 12 November 2008
NS1.ADS2REVENUE.COM - 93.190.141.36
NS2.ADS2REVENUE.COM - 93.190.141.37
NS3.ADS2REVENUE.COM - 212.95.32.48
MAIL.ADS2REVENUE.COM - 212.95.32.48
IP: 212.95.32.48 - Hessen, Frankfurt Am Main - Netdirekt E.k
Dedicated Hosting
Registrant: Hidden behind WHOISGUARD
Already mentioned on spywaresucks once before - cite: http://msmvps.com/blogs/spywaresucks/archive/2009/02/28/1674707.aspx
Another referee supplied by yourdirectmedia.com was "Classmatesmedia, Rick Harris, 619 949 8952". In this case there was nothing definitive to be discovered about the phone number, but we still have cause for concern. As far as I know, classmatesmedia does not directly sells advertising - rather, United Online Advertising Solutions does that (uolmediagroup.com)
THE USE OF EXECUTIVE (AKA MANAGED, AKA SERVICED) OFFICES
Many of us are careful to check things like phone numbers and addresses when researching potential advertisers and credit references, and that good habit is becoming more common. Because of this it has become harder for the bad guys to use fake phone numbers and addresses.
To get around this, the bad guys are sometimes using executive offices as the contact address and phone number for credit references (and their own web sites).
ADSREPUBLIC SHENANIGANS
adsrepublic has been trying to sell advertising under pretty typical “red flag” circumstances (lots of urgency, please run ads as soon as possible etc).
Their email message headers revealed that the email was coming from Latvia (despite the advertiser claiming to be based in Atlanta, Georgia - specifically Suite 1500, 3500 Lenox Road). That address in Atlanta is a "virtual office":
Cite: http://www.interactiveoffices.com/search.php?id_country=1&id_state=2&id_city=3
The referees supplied by adsrepublic were:
truemedian.com, realadsolutions.com and adsmanagement.com
Let's look at the referee addresses – all are Executive/Virtual Offices:
truemedian.com - suite 300, 1800 John F Kennedy Boulevard
cite: http://jfk.yourofficeusa.com/
realadsolutions.com - Suite 700 210 Interstate North Pkwy
cite: http://www.interactiveoffices.com/officescanada.php?id_state=2&id=37
adsmanagement.com - Suite 1500, 121 south orange avenue
cite: http://orlando.youroffice.com/
truemedian.com
ICANN Registrar: 1 & 1 INTERNET AG
Created 30 January 2009
NS1.PANELBOXMANAGER.COM
NS2.PANELBOXMANAGER.COM
IP: 72.55.186.42 - Quebec, Montreal, Panelbox
IP shared with 506 other sites
Registrant details hidden behind 1&1 Private Registration
-----
realadsolutions.com
ICANN Registrar: 1 & 1 INTERNET AG
Created 30 January 2009
NS1.PANELBOXMANAGER.COM
NS2.PANELBOXMANAGER.COM
IP: 72.55.186.42 - Quebec, Montreal, Panelbox
IP shared with 506 other sites
Registrant details hidden behind 1&1 Private Registration
-----
adsmanagement.com
ICANN Registrar: NAMEVIEW, INC
Created 29 September 2003 <!>
NS1.HITFARM.COM
NS2.HITFARM.COM
IP: 208.87.33.150 - New Providence, Nassau, Secure Hosting Ltd
IP shared with 488,707 other sites
Registrant details currently hidden behind Whois Identity Shield
Now let’s look at the advertisement itself.
adsrepublic.com was offering advertising using the domain lorentrio.com - a domain that is interesting in and of itself.
lorentrio.com was registered via Directi on the 29th of March. With WHOIS details hidden behind privacyprotect, the domain is immediately suspicious. At time of writing, the IP address for lorentrio.com is 94.75.216.152 (Amsterdam, Leaseweb). It shares IP with the following domains:
alitasis.com, idatrinity.com, junstring.com, kernerlane.com, lacoste-ads.com, mosdao.com, namlean.com, nokia-corp.com, tornadomb.com
lacoste-ads.com and nokia-corp.com are immediate causes for concern, and make me wonder if there are (or will be) malvertizing campaigns circulated that pretend to represent Lacoste or Nokia.
nokia-corp.com was created on 14 April 2009, registered via Directi and with Registrant information again hidden behind privacyprotect.
lacoste-ads.com was created on 2 March 2009, registered via Directi and with Registrant information again hidden behind a privacy service.