ALERT: Please treat advertising content from checkm8.com with extreme caution

Reported to checkm8.com over 9 hours ago.

Checkm8.com is serving several malicious advertisements that hijack web site visitors and redirect them to various fraudware web sites. The advertisements are:

logiagroup.checkm8.com/data/478089/HP_728x90.swf
logiagroup.checkm8.com/data/478091/HP_468x60.swf
logiagroup.checkm8.com/data/479231/HP_300x250.swf
logiagroup.checkm8.com/data/479237/HP_728x90.swf

SWF analysis via Adopstools:

adopstools.com/index.asp?section=quicklink&id=950rk4Ik9bh3WaWF
adopstools.com/index.asp?section=quicklink&id=I7c2TVDD2X6zf9I7
adopstools.com/index.asp?section=quicklink&id=1bB5k3GOLOvb5iSN
adopstools.com/index.asp?section=quicklink&id=aD6g49HnzyF8anGV

Further information:

logiagroup.checkm8.com/data/478089/HP_728x90.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/478091/HP_468x60.swf touches the following URLs:

hit-detect.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/479231/HP_300x250.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/479237/HP_728x90.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

Domain details:

hitoptimist.com:
ICANN Registrar - COMMUNIGAL COMMUNICATIONS LTD
Created 10 March 2009
DNS1.COMMUNIGAL.NET
DNS2.COMMUNIGAL.NET

IP: 88.198.8.15 - Bayern - Gunzenhausen - Hetzner-rz-nbg-net

Sharing IP address with cosmotraf.net, hit-detect.com, statisticsishere.com and ydmstats.com (all domains should be treated with extreme caution)

Registrant details hidden behind WHOIS privacy service

hit-detect.com:
ICANN REGISTRAR - YESNIC CO. LTD
Created 10 March 2009
NS1.HIT-DETECT.COM (116.50.15.1 - previously HostFresh AS23898, now AS10026 - ANC Asia Netcom Corporation)
NS2.HIT-DETECT.COM (116.50.15.1 - previously HostFresh AS23898, now AS10026 - ANC Asia Netcom Corporation)
NS3.HIT-DETECT.COM (89.149.226.121 - Netdirekt)
NS4.HIT-DETECT.COM (212.117.162.90 - AS root eSolutions)

IP: 88.198.8.15 - Bayern - Gunzenhausen - Hetzner-rz-nbg-net (see above)
Previously at 195.62.37.14 - Sardegna - Olbia - Geonic.net Ltd

Registrant: Gabriel Jenks (gabrielcjenks17@mail.com) - email address associated with 3 other domains.
3515 Cooks Mine Road, NM 88101
1-505-763-5453

IMPORTANT: Let's not forget that the postcode (88101) and phone number (505-763-5453) map to Clovis, New Mexico.  I cannot find a "Cooks Mine Road" in Clovis.  Not only that, the phone number listed in the WHOIS is apparently owned by a Brian A Jones and Delinda K Jones, not a Gabriel Jenks.

Historical information re hit-detect.com:
http://msmvps.com/blogs/spywaresucks/archive/2009/03/13/1677837.aspx

measurehits.com:

Already mentioned on this blog here:
http://msmvps.com/blogs/spywaresucks/archive/2009/03/09/1676761.aspx

Now sharing IP with the following domains:

enterprisestat.net, givemystats.com, pleaselinkmeto.com, statsnclick.com, waytotheprofit.com, welovesandi.com
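
An added example, not part of the original post: one way to sweep web proxy logs for clients that reached the domains named above, and to note which checkm8.com SWF creative the same client fetched beforehand. The two-field "client url" log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains named in this post: redirect targets plus the domains sharing their IPs.
WATCHLIST = {
    "hitoptimist.com", "hit-detect.com", "measurehits.com",
    "cosmotraf.net", "statisticsishere.com", "ydmstats.com",
    "enterprisestat.net", "givemystats.com", "pleaselinkmeto.com",
    "statsnclick.com", "waytotheprofit.com", "welovesandi.com",
}
AD_HOST = "checkm8.com"  # ad server whose SWF creatives the post reports

def parse(url):
    """Return (hostname, path), both lower-cased; tolerate a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.path.lower()

def watchlisted(host):
    """Return the watchlist domain that host equals or is a subdomain of."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None

def scan(lines):
    """Return (client, matched_domain, last_creative) per watchlist hit.
    Assumed log layout (hypothetical): 'client url', whitespace separated."""
    last_creative, hits = {}, []
    for line in lines:
        fields = line.split()
        if len(fields) != 2:
            continue  # skip lines that do not fit the assumed layout
        client, url = fields
        host, path = parse(url)
        if (host == AD_HOST or host.endswith("." + AD_HOST)) and path.endswith(".swf"):
            last_creative[client] = url  # remember which creative was served
        domain = watchlisted(host)
        if domain:
            hits.append((client, domain, last_creative.get(client)))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "10.0.0.5 http://logiagroup.checkm8.com/data/478089/HP_728x90.swf",
    "10.0.0.5 http://hitoptimist.com/c/index.php?id=REDACTED",
    "10.0.0.5 http://MeasureHits.com/?cmpid=REDACTED",
    "10.0.0.9 http://nothit-detect.com/",
    "10.0.0.9 http://ns1.hit-detect.com./x",
]
```

Matching is done on whole DNS labels, so a lookalike such as nothit-detect.com is not flagged while ns1.hit-detect.com is.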

Published Tue, Apr 14 2009 22:16 by sandi

Comments

# re: ALERT: Please treat advertising content from checkm8.com with extreme caution

Sunday, May 17, 2009 2:42 PM by Rhett

Please add reviews to their SiteAdvisor page at:

www.siteadvisor.com/.../checkm8.com